Use SHA-256 algorithm for Windows timestamping

We switched to using SHA-256 for the authenticode signature but we should use that hash algo for the timestamp as well (currently that's still SHA-1)

Trac:
Parent Ticket: #33168 (moved)

added GeorgKoppen202004 TorBrowserTeam202004R component::applications/tor browser owner::gk parent::33168 priority::medium resolution::fixed severity::normal status::closed tbb-9.5a12 tbb-security tbb-sign type::defect labels

Should be not too hard to adapt our timestamping script, see: https://sourceforge.net/p/osslsigncode/support-requests/9/.

Moving my tickets to March.

Trac:
Keywords: TorBrowserTeam201902 deleted, TorBrowserTeam201903 added

Now for my keyword.

Trac:
Keywords: GeorgKoppen201902 deleted, GeorgKoppen201903 added

Tickets on our radar for 8.5

Trac:
Keywords: N/A deleted, tbb-8.5 added

Replying to gk:

Should be not too hard to adapt our timestamping script, see: https://sourceforge.net/p/osslsigncode/support-requests/9/.

Unfortunately, this did not work. I'll need to look again at the code and our patch do decouple the signing from the timestamping to figure out what goes wrong here.

Not to self: we likely need to adapt my patch for osslsigncode so that the -h option is available for the add command as well.

Moving tickets to April.

Trac:
Keywords: TorBrowserTeam201903 deleted, TorBrowserTeam201904 added

Moving my tickets for April

Trac:
Keywords: GeorgKoppen201903 deleted, GeorgKoppen201904 added

Moving tickets to May

Trac:
Keywords: TorBrowserTeam201904 deleted, TorBrowserTeam201905 added

Move my tickets.

Trac:
Keywords: GeorgKoppen201904 deleted, GeorgKoppen201905 added

Moving tickets to June

Trac:
Keywords: TorBrowserTeam201905 deleted, TorBrowserTeam201906 added

Moving my tickets to June

Trac:
Keywords: GeorgKoppen201905 deleted, GeorgKoppen201906 added

Moving my tickets to July.

Trac:
Keywords: GeorgKoppen201906 deleted, GeorgKoppen201907 added

Moving tickets to July

Trac:
Keywords: TorBrowserTeam201906 deleted, TorBrowserTeam201907 added

https://sourceforge.net/p/osslsigncode/patches/10/#98d2/d522

Gonna do this while dealing with the new authenticode cert.

Trac:
Keywords: GeorgKoppen201907 deleted, GeorgKoppen202004, tbb-sign added
Cc: N/A to tbb-team
Parent: N/A to #33168 (moved)
Owner: tbb-team to gk
Status: new to assigned

Replying to gk:

Not to self: we likely need to adapt my patch for osslsigncode so that the -h option is available for the add command as well.

Yes, that is needed (among other things). It took me longer to figure this issue out because I got confused. While osslsigncode verify shows the certs in the SHA-1 Authenticode scenario it does not show them when switching to RFC 3161 mode with SHA-256 which sent me digging into wrong direction. Not sure if that's an osslsigncode bug or not.

Either way, one can extract the signature with osslsigncode extract-signature and then inspect the nitty-gritty details with openssl pkcs7 and the SHA-256 timestamp is visible. I uploaded a test file for further inspection if needed:

https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe.asc

bug_29614 (https://gitweb.torproject.org/user/gk/tor-browser-spec.git/commit/?h=bug_29614&id=26d833f346d9d7bf795fe1cec819555595d739f1) in my public tor-browser-spec repo contains the updated documentation/patch.

Trac:
Keywords: TorBrowserTeam201907 deleted, TorBrowserTeam202004R added
Status: assigned to needs_review

Works on Windows 7 and later. Note: besides changing SHA-1 to SHA-256, you also change Authenticode timestamping to RFC 3161 timestamping (see https://sectigo.com/resources/time-stamping-server).