Timestamps signed via SHA-2 hash not accepted

[hwine]

fx-sig-verify reports an SigVerifyBadSignature failure starting with signatures created after "87.0b1 build 1". Analysis showed that the only observable change was Digicert's time stamping service switching their signature hash algorithm from SHA-1 to SHA-2.

This is a false positive (error) on the part of fx-sig-verify as all of the following situations cleanly accept an "87.0b2 build 1" installer as having a valid signature from the verified publisher:

• signtool (from Microsoft)
• osslsigntool (open source version)
• clean installation on current windows 10 machine
• clean installation on Windows 7, pre sp1 machine (our oldest supported windows version)

To Do:

• [x] add "new format" signed binary to test suite & verify failure
• [x] tweak code to not consider different signatures using different hash algorithms as an error
• [x] verify locally,
• [x] verify in dev
• [ ] Consider deferring deployment until #88 also addressed

[hwine]

Initial debugging shows current library doesn't support sha2 for authenticode (ref):

Currently the following hashing methods are supported:
- generic files:
  md5, sha1, sha256, sha512
- PE-COFF authenticode (windows executables, drivers, dll's, ...):
  md5, sha1

Pausing to investigate newer libraries -- assuming that's a better approach than hacking ancient crypto code.

[hwine]

No suitable libraries found -- switched to invoking osslsigncode from the lambda.

This is working locally. Work to integrate into lambda:

• [x] upgrade to Python 3 (quite easy), addresses #55
• [x] package for py3 lambda container
• [x] test

[hwine]

closed with 28b92d9f2fab585a2fd35c61d83fd7ed0a981691