Bug 1889340 - signingscript: remove authenticode sha1 formats (#960)

signingscript/README.md

@@ -90,8 +90,6 @@ This is a best effort list of supported signing formats and what they correspond
 - `autograph_apk`, `autograph_focus`, `autograph_apk_mozillaonline`: sign apk or aab files (with different keys)
 - `autograph_stage_aab`, `autograph_stage_apk`, `autograph_stage_apk_mozillaonline`, `autograph_stage_focus`: sign apk or aab files using stage autograph
 - `autograph_stage_apk_v3`, `autograph_stage_focus_v3`, `autograph_stage_apk_mozillaonline_v3`: sign apk or aab file using v3 signing
-- `autograph_authenticode`: [DEPRECATED] sign windows binary (PE, MSI, MSIX) using autograph and sha1 hash
-- `autograph_authenticode_stub`: [DEPRECATED] sign windows binary (PE, MSI, MSIX) using autograph and sha1 hash, and adding a dummy certificate in the chain for attribution purposes
 - `autograph_authenticode_sha2`: sign windows binary (PE, MSI, MSIX) using autograph and sha2 hash
 - `autograph_authenticode_sha2_stub`: sign windows binary (PE, MSI, MSIX) using autograph and sha2 hash, and adding a dummy certificate in the chain for attribution purposes
 - `autograph_authenticode_sha2_rfc3161_stub`: sign windows binary (PE, MSI, MSIX) using autograph and sha2 hash, adding a dummy certificate in the chain for attribution purposes, and using the rfc3161 protocol for timestamping

signingscript/docker.d/init_worker.sh

@@ -84,8 +84,6 @@ case $ENV in
   dev|fake-prod)
     case $COT_PRODUCT in
       firefox|thunderbird)
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_PASSWORD'
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_USERNAME'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
         test_var_set 'AUTHENTICODE_CERT_PATH'
@@ -150,8 +148,6 @@ case $ENV in
         test_var_set 'AUTOGRAPH_XPI_PRIVILEGED_USERNAME'
         ;;
       mozillavpn)
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_PASSWORD'
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_USERNAME'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
         test_var_set 'AUTHENTICODE_CERT_PATH'
@@ -161,8 +157,6 @@ case $ENV in
         test_var_set 'AUTHENTICODE_TIMESTAMP_STYLE'
         ;;
       adhoc)
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_PASSWORD'
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_USERNAME'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
         test_var_set 'AUTOGRAPH_MAR_PASSWORD'
@@ -180,8 +174,6 @@ case $ENV in
   prod)
     case $COT_PRODUCT in
       firefox|thunderbird)
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_PASSWORD'
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_USERNAME'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
         test_var_set 'AUTHENTICODE_CERT_PATH'
@@ -244,8 +236,6 @@ case $ENV in
         test_var_set 'AUTOGRAPH_XPI_PRIVILEGED_USERNAME'
         ;;
       mozillavpn)
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_PASSWORD'
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_USERNAME'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
         test_var_set 'AUTOGRAPH_MOZILLAVPN_PASSWORD'
@@ -263,8 +253,6 @@ case $ENV in
         test_var_set 'AUTHENTICODE_CA_PATH_EV'
         test_var_set 'AUTHENTICODE_CA_TIMESTAMP_PATH'
         test_var_set 'AUTHENTICODE_TIMESTAMP_STYLE'
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_PASSWORD'
-        test_var_set 'AUTOGRAPH_AUTHENTICODE_USERNAME'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME'
         test_var_set 'AUTOGRAPH_AUTHENTICODE_EV_PASSWORD'

signingscript/docker.d/passwords.yml

@@ -18,11 +18,6 @@ in:
       '(ENV == "dev" || ENV == "fake-prod") && (COT_PRODUCT == "firefox" || COT_PRODUCT == "thunderbird")':
         $let:
           firefox_and_thunderbird_nonprod_autograph:
-            - ["https://autograph-external.prod.autograph.services.mozaws.net",
-               {"$eval": "AUTOGRAPH_AUTHENTICODE_USERNAME"},
-               {"$eval": "AUTOGRAPH_AUTHENTICODE_PASSWORD"},
-               ["autograph_authenticode", "autograph_authenticode_stub"]
-            ]
             - ["https://autograph-external.prod.autograph.services.mozaws.net",
                {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
                {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -156,11 +151,6 @@ in:
       # dep-passwords-mozillavpn.json
       '(ENV == "dev" || ENV == "fake-prod") && COT_PRODUCT == "mozillavpn"':
         '${scope_prefix[0]}cert:dep-signing':
-          - ["https://autograph-external.prod.autograph.services.mozaws.net",
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_USERNAME"},
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_PASSWORD"},
-             ["autograph_authenticode", "autograph_authenticode_stub"]
-          ]
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -182,11 +172,6 @@ in:
       # dep-passwords-adhoc.json
       '(ENV == "dev" || ENV == "fake-prod") && COT_PRODUCT == "adhoc"':
         '${scope_prefix[0]}cert:dep-signing':
-          - ["https://autograph-external.prod.autograph.services.mozaws.net",
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_USERNAME"},
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_PASSWORD"},
-             ["autograph_authenticode", "autograph_authenticode_stub"]
-          ]
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -219,12 +204,6 @@ in:
       'ENV == "prod" && (COT_PRODUCT == "firefox" || COT_PRODUCT == "thunderbird")':
         $let:
           firefox_and_thunderbird_prod_release_autograph:
-            - ["https://autograph-external.prod.autograph.services.mozaws.net",
-               {"$eval": "AUTOGRAPH_AUTHENTICODE_USERNAME"},
-               {"$eval": "AUTOGRAPH_AUTHENTICODE_PASSWORD"},
-               ["autograph_authenticode", "autograph_authenticode_stub"],
-               "202005"
-            ]
             - ["https://autograph-external.prod.autograph.services.mozaws.net",
                {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
                {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -257,12 +236,6 @@ in:
                ["autograph_langpack"]
             ]
           firefox_and_thunderbird_prod_nightly_autograph:
-            - ["https://autograph-external.prod.autograph.services.mozaws.net",
-               {"$eval": "AUTOGRAPH_AUTHENTICODE_USERNAME"},
-               {"$eval": "AUTOGRAPH_AUTHENTICODE_PASSWORD"},
-               ["autograph_authenticode", "autograph_authenticode_stub"],
-               "202005"
-            ]
             - ["https://autograph-external.prod.autograph.services.mozaws.net",
                {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
                {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -405,11 +378,6 @@ in:
       # passwords-mozillavpn.json
       'ENV == "prod" && COT_PRODUCT == "mozillavpn"':
         '${scope_prefix[0]}cert:release-signing':
-          - ["https://autograph-external.prod.autograph.services.mozaws.net",
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_USERNAME"},
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_PASSWORD"},
-             ["autograph_authenticode", "autograph_authenticode_stub"]
-          ]
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -436,12 +404,6 @@ in:
       # passwords-adhoc.json
       'ENV == "prod" && COT_PRODUCT == "adhoc"':
         '${scope_prefix[0]}cert:release-signing':
-          - ["https://autograph-external.prod.autograph.services.mozaws.net",
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_USERNAME"},
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_PASSWORD"},
-             ["autograph_authenticode", "autograph_authenticode_stub"],
-             "202005"
-          ]
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},
@@ -463,12 +425,6 @@ in:
              ["autograph_gpg"]
           ]
         '${scope_prefix[0]}cert:nightly-signing':
-          - ["https://autograph-external.prod.autograph.services.mozaws.net",
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_USERNAME"},
-             {"$eval": "AUTOGRAPH_AUTHENTICODE_PASSWORD"},
-             ["autograph_authenticode", "autograph_authenticode_stub"],
-             "202005"
-          ]
           - ["https://autograph-external.prod.autograph.services.mozaws.net",
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME"},
              {"$eval": "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD"},

signingscript/src/signingscript/sign.py

@@ -1386,10 +1386,7 @@ async def signer(digest, digest_algo):
 
     infile = orig_path
     outfile = orig_path + "-new"
-    if fmt in ["autograph_authenticode", "autograph_authenticode_stub"]:
-        digest_algo = "sha1"
-    else:
-        digest_algo = "sha256"
+    digest_algo = "sha256"
 
     timestampfile = context.config["authenticode_ca_timestamp"]
 

signingscript/src/signingscript/task.py

@@ -47,8 +47,6 @@
         "autograph_widevine": sign_widevine,
         "autograph_omnija": sign_omnija,
         "autograph_langpack": sign_xpi,
-        "autograph_authenticode": sign_authenticode,
-        "autograph_authenticode_stub": sign_authenticode,
         "autograph_authenticode_sha2": sign_authenticode,
         "autograph_authenticode_sha2_stub": sign_authenticode,
         "autograph_authenticode_sha2_rfc3161_stub": sign_authenticode,

signingscript/tests/data/autograph_server_test_config.yaml

@@ -128,7 +128,7 @@ signers:
     - id: test-authenticode
       type: genericrsa
       mode: pkcs15
-      hash: sha1
+      hash: sha256
       publickey: |
         -----BEGIN PUBLIC KEY-----
         MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApP3X87nO4LxwCxiIMYWB

signingscript/tests/example_server_config.json

@@ -7,6 +7,6 @@
   ],
   "project:releng:signing:cert:dep-signing": [
     ["https://127.0.0.3", "hawk_user", "hawk_secret", ["autograph_marsha384"]],
-    ["https://127.0.0.3", "hawk_user", "hawk_secret", ["autograph_authenticode"], "keyid"]
+    ["https://127.0.0.3", "hawk_user", "hawk_secret", ["autograph_authenticode_sha2"], "keyid"]
   ]
 }

signingscript/tests/integration/test_autograph.py

@@ -28,7 +28,7 @@
         ["http://localhost:5500", "alice", "abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmn", ["autograph_mar384"]],
         ["http://localhost:5500", "bob", "1234567890abcdefghijklmnopqrstuvwxyz1234567890abcd", ["autograph_focus"]],
         ["http://localhost:5500", "alice", "abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmn", ["autograph_hash_only_mar384"]],
-        ["http://localhost:5500", "charlie", "abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmn", ["autograph_authenticode"]],
+        ["http://localhost:5500", "charlie", "abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmn", ["autograph_authenticode_sha2"]],
     ]
 }
 
@@ -208,11 +208,11 @@ async def test_integration_autograph_authenticode(context, tmpdir):
     context.config["authenticode_timestamp_url"] = "https://example.com"
     context.autograph_configs = {
         "project:releng:signing:cert:dep-signing": [
-            Autograph(*["http://localhost:5500", "charlie", "abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmn", ["autograph_authenticode"]])
+            Autograph(*["http://localhost:5500", "charlie", "abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmn", ["autograph_authenticode_sha2"]])
         ]
     }
     context.config["autograph_configs"] = _write_server_config(tmpdir)
     _copy_files_to_work_dir("windows.zip", context)
-    context.task = _craft_task(["windows.zip"], signing_format="autograph_authenticode")
+    context.task = _craft_task(["windows.zip"], signing_format="autograph_authenticode_sha2")
 
     await async_main(context)

signingscript/tests/test_config.py

@@ -60,8 +60,6 @@ def test_firefox_dev():
     context = {
         "COT_PRODUCT": "firefox",
         "ENV": "dev",
-        "AUTOGRAPH_AUTHENTICODE_USERNAME": "",
-        "AUTOGRAPH_AUTHENTICODE_PASSWORD": "",
         "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD": "",
         "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME": "",
         "AUTOGRAPH_MAR_USERNAME": "",
@@ -88,8 +86,6 @@ def test_thunderbird_fake_prod():
     context = {
         "COT_PRODUCT": "thunderbird",
         "ENV": "fake-prod",
-        "AUTOGRAPH_AUTHENTICODE_USERNAME": "",
-        "AUTOGRAPH_AUTHENTICODE_PASSWORD": "",
         "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD": "",
         "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME": "",
         "AUTOGRAPH_MAR_USERNAME": "",
@@ -147,8 +143,6 @@ def test_firefox_prod():
     context = {
         "COT_PRODUCT": "firefox",
         "ENV": "prod",
-        "AUTOGRAPH_AUTHENTICODE_USERNAME": "",
-        "AUTOGRAPH_AUTHENTICODE_PASSWORD": "",
         "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD": "",
         "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME": "",
         "AUTOGRAPH_MAR_RELEASE_USERNAME": "",
@@ -179,8 +173,6 @@ def test_thunderbird_prod():
     context = {
         "COT_PRODUCT": "thunderbird",
         "ENV": "prod",
-        "AUTOGRAPH_AUTHENTICODE_USERNAME": "",
-        "AUTOGRAPH_AUTHENTICODE_PASSWORD": "",
         "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD": "",
         "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME": "",
         "AUTOGRAPH_MAR_RELEASE_USERNAME": "",

signingscript/tests/test_dockerd.py

@@ -11,10 +11,8 @@
     for p in (
         "AUTOGRAPH_AUTHENTICODE_EV_PASSWORD",
         "AUTOGRAPH_AUTHENTICODE_EV_USERNAME",
-        "AUTOGRAPH_AUTHENTICODE_PASSWORD",
         "AUTOGRAPH_AUTHENTICODE_SHA2_PASSWORD",
         "AUTOGRAPH_AUTHENTICODE_SHA2_USERNAME",
-        "AUTOGRAPH_AUTHENTICODE_USERNAME",
         "AUTOGRAPH_FENIX_MOZILLA_ONLINE_PASSWORD",
         "AUTOGRAPH_FENIX_MOZILLA_ONLINE_USERNAME",
         "AUTOGRAPH_FENIX_PASSWORD",

signingscript/tests/test_script.py

@@ -130,7 +130,7 @@ async def test_async_main_apple_notarization_no_config(tmpdir, mocker):
 @pytest.mark.asyncio
 @pytest.mark.parametrize("use_comment", (True, False))
 async def test_async_main_autograph_authenticode(tmpdir, mocker, use_comment):
-    formats = ["autograph_authenticode"]
+    formats = ["autograph_authenticode_sha2"]
     mocker.patch.object(script, "copy_to_dir", new=noop_sync)
     await async_main_helper(tmpdir, mocker, formats, {}, "autograph", use_comment=use_comment)
 

signingscript/tests/test_sign.py

@@ -1034,7 +1034,7 @@ def load_manifest(*args, **kwargs):
 
 
 @pytest.mark.asyncio
-@pytest.mark.parametrize("fmt", ("autograph_authenticode", "autograph_authenticode_stub"))
+@pytest.mark.parametrize("fmt", ("autograph_authenticode_sha2", "autograph_authenticode_sha2_stub"))
 @pytest.mark.parametrize("use_comment", (True, False))
 async def test_authenticode_sign_zip(tmpdir, mocker, context, fmt, use_comment):
     context.config["authenticode_cert"] = os.path.join(TEST_DATA_DIR, "windows.crt")
@@ -1078,7 +1078,7 @@ def mocked_issigned(filename):
 
 
 @pytest.mark.asyncio
-@pytest.mark.parametrize("fmt", ("autograph_authenticode", "autograph_authenticode_stub"))
+@pytest.mark.parametrize("fmt", ("autograph_authenticode_sha2", "autograph_authenticode_sha2_stub"))
 @pytest.mark.parametrize("use_comment", (True, False))
 async def test_authenticode_sign_msi(tmpdir, mocker, context, fmt, use_comment):
     context.config["authenticode_cert"] = os.path.join(TEST_DATA_DIR, "windows.crt")
@@ -1099,7 +1099,7 @@ async def mocked_autograph(context, from_, fmt, keyid):
         return b""
 
     async def mocked_winsign(infile, outfile, digest_algo, certs, signer, cafile, comment=None, **kwargs):
-        assert digest_algo == "sha1"
+        assert digest_algo == "sha256"
         if not use_comment:
             assert comment is None
         else:
@@ -1140,7 +1140,7 @@ async def mocked_winsign(infile, outfile, *args, **kwargs):
 
     mocker.patch.object(winsign.sign, "sign_file", mocked_winsign)
     with pytest.raises(SigningScriptError):
-        await sign.sign_authenticode(context, test_file, "autograph_authenticode")
+        await sign.sign_authenticode(context, test_file, "autograph_authenticode_sha2")
 
 
 @pytest.mark.asyncio
@@ -1161,7 +1161,7 @@ async def mocked_winsign(infile, outfile, *args, **kwargs):
     mocker.patch.object(sign, "retry_async", new=fake_retry_async)
     mocker.patch.object(winsign.sign, "sign_file", mocked_winsign)
     with pytest.raises(SigningScriptError):
-        await sign.sign_authenticode(context, test_file, "autograph_authenticode")
+        await sign.sign_authenticode(context, test_file, "autograph_authenticode_sha2")
 
 
 @pytest.mark.asyncio
@@ -1189,7 +1189,7 @@ async def mocked_winsign(infile, outfile, digest_algo, certs, signer, cafile, **
     mocker.patch.object(winsign.sign, "sign_file", mocked_winsign)
 
     with pytest.raises(Exception):
-        await sign.sign_authenticode(context, test_file, "autograph_authenticode")
+        await sign.sign_authenticode(context, test_file, "autograph_authenticode_sha2")
 
     assert "BAD!" in caplog.text
 
@@ -1255,7 +1255,7 @@ async def mocked_winsign(infile, outfile, digest_algo, certs, signer, cafile, **
     mocker.patch.object(winsign.sign, "sign_file", mocked_winsign)
     mocker.patch.object(sign, "sign_hash_with_autograph", mocked_autograph)
 
-    result = await sign.sign_authenticode(context, test_file, "autograph_authenticode")
+    result = await sign.sign_authenticode(context, test_file, "autograph_authenticode_sha2")
     assert result == test_file
     assert os.path.exists(result)
 
@@ -1294,7 +1294,7 @@ async def mocked_winsign(infile, outfile, digest_algo, certs, signer, cafile, **
     mocker.patch.object(winsign.sign, "sign_file", mocked_winsign)
     mocker.patch.object(sign, "sign_hash_with_autograph", mocked_autograph)
 
-    result = await sign.sign_authenticode(context, test_file, f"autograph_authenticode:{keyid}")
+    result = await sign.sign_authenticode(context, test_file, f"autograph_authenticode_sha2:{keyid}")
     assert result == test_file
     assert os.path.exists(result)
 

signingscript/tests/test_task.py

@@ -149,14 +149,14 @@ def fake_log(context, new_files, *args):
         ("gpg", stask.sign_gpg),
         ("macapp", stask.sign_macapp),
         ("widevine", stask.sign_widevine),
-        ("autograph_authenticode", stask.sign_authenticode),
-        ("autograph_authenticode_stub", stask.sign_authenticode),
+        ("autograph_authenticode_sha2", stask.sign_authenticode),
+        ("autograph_authenticode_sha2_stub", stask.sign_authenticode),
         ("apple_notarization", stask.apple_notarize),
         ("default", stask.sign_file),
         # Key id cases
         ("autograph_hash_only_mar384:firefox_20190321_dev", stask.sign_mar384_with_autograph_hash),
-        ("autograph_authenticode:202005", stask.sign_authenticode),
-        ("autograph_authenticode_stub:202005", stask.sign_authenticode),
+        ("autograph_authenticode_sha2:202005", stask.sign_authenticode),
+        ("autograph_authenticode_sha2_stub:202005", stask.sign_authenticode),
         # XPI cases
         ("autograph_xpi", stask.sign_xpi),
         ("autograph_xpi_sha256_es256", stask.sign_xpi),
@@ -196,7 +196,11 @@ def test_build_filelist_dict_comment(context, task_defn_authenticode_comment):
         "public/build/firefox-52.0a1.en-US.win64.installer.msi",
     )
     expected = {
-        "public/build/firefox-52.0a1.en-US.win64.installer.msi": {"full_path": full_path, "formats": ["autograph_authenticode"], "comment": "Foo Installer"}
+        "public/build/firefox-52.0a1.en-US.win64.installer.msi": {
+            "full_path": full_path,
+            "formats": ["autograph_authenticode_sha2"],
+            "comment": "Foo Installer",
+        }
     }
     context.task = task_defn_authenticode_comment
 
@@ -206,7 +210,7 @@ def test_build_filelist_dict_comment(context, task_defn_authenticode_comment):
     assert "without an authenticode" in str(error.value)
 
     # coerce to authenticode
-    context.task["payload"]["upstreamArtifacts"][0]["formats"] = ["autograph_authenticode"]
+    context.task["payload"]["upstreamArtifacts"][0]["formats"] = ["autograph_authenticode_sha2"]
 
     # Still raises due to no msi
     with pytest.raises(TaskVerificationError) as error: