Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tools: upgrade Windows digital signature to SHA256 #47206

Merged
merged 1 commit into from
Mar 25, 2023
Merged

tools: upgrade Windows digital signature to SHA256 #47206

merged 1 commit into from
Mar 25, 2023
+1 −1

Conversation

tniessen
Copy link
Member

signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate.

Technically, /fd certHash would be a better choice, but I don't know if it is widely supported.

@tniessen
tools: upgrade Windows digital signature to SHA256
8570c1e 
signtool still defaults to SHA1, which is vulnerable to certain
collisions. This switches to SHA256, which is stronger and which also
matches the hash function used by the signing certificate.

Technically, `/fd certHash` would be a better choice, but I don't know
if it is widely supported.
@tniessen tniessen added windows Issues and PRs related to the Windows platform. build Issues and PRs related to build files or the CI. tools Issues and PRs related to the tools directory. security Issues and PRs related to security. labels Mar 21, 2023
@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Mar 21, 2023
@tniessen
Copy link
Member Author

cc @nodejs/build @nodejs/platform-windows

@tniessen tniessen mentioned this pull request Mar 21, 2023
Closed
ovflowd
ovflowd approved these changes Mar 21, 2023
View reviewed changes
Copy link
Member

@ovflowd ovflowd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not build, but looks good to me :)

@targos
Copy link
Member

targos commented Mar 22, 2023

/fd certHash was added to the documentation in 2020 so I guess it's not supported by VS2019.

@tniessen tniessen added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Mar 22, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 22, 2023
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@github-actions github-actions bot mentioned this pull request Mar 23, 2023
Open
33 tasks
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/50568/

@tniessen tniessen added the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 25, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 25, 2023
@nodejs-github-bot nodejs-github-bot merged commit 6311de3 into nodejs:main Mar 25, 2023
@nodejs-github-bot
Copy link
Collaborator

Landed in 6311de3

@RafaelGSS RafaelGSS mentioned this pull request Apr 3, 2023
Merged
RafaelGSS pushed a commit that referenced this pull request Apr 5, 2023
@tniessen @RafaelGSS
tools: upgrade Windows digital signature to SHA256
6206d3e 
signtool still defaults to SHA1, which is vulnerable to certain
collisions. This switches to SHA256, which is stronger and which also
matches the hash function used by the signing certificate.

Technically, `/fd certHash` would be a better choice, but I don't know
if it is widely supported.

PR-URL: #47206
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
@RafaelGSS RafaelGSS mentioned this pull request Apr 6, 2023
Merged
RafaelGSS pushed a commit that referenced this pull request Apr 6, 2023
@tniessen @RafaelGSS
tools: upgrade Windows digital signature to SHA256
3ce6a64 
signtool still defaults to SHA1, which is vulnerable to certain
collisions. This switches to SHA256, which is stronger and which also
matches the hash function used by the signing certificate.

Technically, `/fd certHash` would be a better choice, but I don't know
if it is widely supported.

PR-URL: #47206
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
RafaelGSS pushed a commit that referenced this pull request Apr 7, 2023
@tniessen @RafaelGSS
tools: upgrade Windows digital signature to SHA256
def7e3d 
signtool still defaults to SHA1, which is vulnerable to certain
collisions. This switches to SHA256, which is stronger and which also
matches the hash function used by the signing certificate.

Technically, `/fd certHash` would be a better choice, but I don't know
if it is widely supported.

PR-URL: #47206
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
danielleadams pushed a commit that referenced this pull request Jul 6, 2023
@tniessen @danielleadams
tools: upgrade Windows digital signature to SHA256
9781185 
signtool still defaults to SHA1, which is vulnerable to certain
collisions. This switches to SHA256, which is stronger and which also
matches the hash function used by the signing certificate.

Technically, `/fd certHash` would be a better choice, but I don't know
if it is widely supported.

PR-URL: #47206
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
@danielleadams danielleadams mentioned this pull request Jul 10, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lpinca lpinca lpinca approved these changes

@targos targos targos approved these changes

@ovflowd ovflowd ovflowd approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. build Issues and PRs related to build files or the CI. needs-ci PRs that need a full CI run. security Issues and PRs related to security. tools Issues and PRs related to the tools directory. windows Issues and PRs related to the Windows platform.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tniessen @targos @nodejs-github-bot @lpinca @ovflowd