Skip to content

GitLab

  • Menu
Projects Groups Snippets
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • T Tor Browser
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 1,322
    • Issues 1,322
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 7
    • Merge requests 7
  • Deployments
    • Deployments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • Repository
  • Wiki
    • Wiki
  • Activity
  • Graph
  • Create a new issue
  • Commits
  • Issue Boards
Collapse sidebar
  • The Tor Project
  • Applications
  • Tor Browser
  • Issues
  • #22971
Closed
Open
Created Jul 18, 2017 by Yawning Angel@yawning

The XPI signing mechanism needs to use different hash functions.

https://wiki.mozilla.org/Add-ons/Extension_Signing

Signing 2 hashes of a manifest file containing 2 hashes each of every file in an archive, especially when "2 hashes" is MD5 and SHA1 is cryptographically unsound.

See Joux, A., "Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions".

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking