[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #17870 [Tor Browser]: Some Windows 10 users experience authenticode errors if Tor Browser is signed on Linux



#17870: Some Windows 10 users experience authenticode errors if Tor Browser is
signed on Linux
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  High                                 |         Status:  closed
Component:  Tor Browser                          |      Milestone:
 Severity:  Major                                |        Version:
 Keywords:  tbb-security, TorBrowserTeam201601,  |     Resolution:  fixed
  GeorgKoppen201601                              |  Actual Points:
Parent ID:  #15538                               |         Points:
  Sponsor:                                       |
-------------------------------------------------+-------------------------

Comment (by tom):

 I tested this on Windows 10 and had no issues, as seen here:
 http://i.imgur.com/vAi7xQS.png

 When I run it, it still gives the "Do you want to run this file?" prompt,
 but this is because it's a downloaded executable. the Publisher shows the
 correct name.  I don't believe there's anything Tor can do about this
 prompt.  (The only thing might be to submit it to Windows for additional
 scanning or something - but I'm not sure and I can't find any indication
 that this is an option - it's hard to search for.)

 I will note that the application is signed with SHA-1, which may cause
 issues down the road.  It would be better to dual-sign it with SHA-256
 _and_ SHA-1. (We're not an MSI, which causes problems, but .exes can be
 dual-signed. I don't know how to do this on linux, but there are
 instructions for Windows here:
 http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-
 enforcement-of-authenticode-code-signing-and-timestamping.aspx ).

 SHA-256 will be untrusted as a signing algorithm in the future.  According
 to MSFT's timetable, it looks like "On Win 7 and above, blocked on
 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after
 1/1/2016 for Mark of the Web files."  Additionally as time goes on it may
 be more difficult to obtain a SHA-1 signing cert.  I don't think "Mark of
 the Web" will affect Tor, but in the unlikely situation we wanted someone
 running a 4-year-old executable, the signature will be untrusted in four
 years.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17870#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs