Closed hwine closed 3 years ago
Initial debugging shows current library doesn't support sha2 for authenticode (ref):
Currently the following hashing methods are supported:
- generic files: md5, sha1, sha256, sha512
- PE-COFF authenticode (windows executables, drivers, dll's, ...): md5, sha1
Pausing to investigate newer libraries -- assuming that's a better approach than hacking ancient crypto code.
No suitable libraries found -- switched to invoking osslsigncode from the lambda.
This is working locally. Work to integrate into lambda:
closed with 28b92d9f2fab585a2fd35c61d83fd7ed0a981691
fx-sig-verify reports a SigVerifyBadSignature failure starting with signatures created after "87.0b1 build 1". Analysis showed that the only observable change was Digicert's time stamping service switching their signature hash algorithm from SHA-1 to SHA-2.

This is a false positive (error) on the part of fx-sig-verify, as all of the following situations cleanly accept an "87.0b2 build 1" installer as having a valid signature from the verified publisher:
- signtool (from Microsoft)
- osslsigntool (open source version)

To Do:
[ ] Consider deferring deployment until #88 also addressed
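
The failure mode discussed in this issue (a verifier limited to md5/sha1 meeting a SHA-2 timestamp signature) can be triaged before a signature is declared bad. The Python sketch below is an added example, not code from fx-sig-verify or the original issue: it scans a PKCS#7 blob for DER-encoded digest OIDs and reports when one falls outside the supported set. The function names and the two sample blobs are constructed for illustration, and the byte scan is a heuristic, not an ASN.1 parse.

```python
# Added example: which digest algorithms does a PKCS#7 signature blob name?
# Heuristic byte scan for DER-encoded OIDs, not a full ASN.1 parse.

# DER encodings (tag 0x06, length, value) of the digest-algorithm OIDs.
DIGEST_OIDS = {
    "md5": bytes.fromhex("06082a864886f70d0205"),
    "sha1": bytes.fromhex("06052b0e03021a"),
    "sha256": bytes.fromhex("0609608648016503040201"),
    "sha384": bytes.fromhex("0609608648016503040202"),
    "sha512": bytes.fromhex("0609608648016503040203"),
}

# From the issue: the library accepts only these for PE-COFF Authenticode.
LIBRARY_SUPPORTED = frozenset({"md5", "sha1"})


def digests_referenced(pkcs7_der):
    """Return the names of known digest OIDs that occur in the blob."""
    return {name for name, oid in DIGEST_OIDS.items() if oid in pkcs7_der}


def triage(pkcs7_der, supported=LIBRARY_SUPPORTED):
    """Separate 'the verifier cannot handle this' from a signature verdict."""
    found = digests_referenced(pkcs7_der)
    if not found:
        return "no-known-digest"
    unsupported = found - set(supported)
    if unsupported:
        return "verifier-unsupported:" + ",".join(sorted(unsupported))
    return "verifier-supported"


def alg_id(name):
    """Constructed AlgorithmIdentifier: SEQUENCE { OID, NULL }."""
    body = DIGEST_OIDS[name] + b"\x05\x00"
    return b"\x30" + bytes([len(body)]) + body


# Constructed stand-ins (not real signatures): file digest, then timestamp digest.
OLD_SAMPLE = alg_id("sha1") + b"\x00" * 8 + alg_id("sha1")
NEW_SAMPLE = alg_id("sha1") + b"\x00" * 8 + alg_id("sha256")

if __name__ == "__main__":
    for label, blob in (("old", OLD_SAMPLE), ("new", NEW_SAMPLE)):
        print(label, triage(blob))
```

A "verifier-unsupported" result means the check could not be performed with the current library, which is a different outcome from a failed signature and is worth logging separately.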