-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tools: upgrade Windows digital signature to SHA256 #47206
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate. Technically, `/fd certHash` would be a better choice, but I don't know if it is widely supported.
cc @nodejs/build @nodejs/platform-windows |
ovflowd
approved these changes
Mar 21, 2023
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not build, but looks good to me :)
targos
approved these changes
Mar 22, 2023
|
tniessen
added
author ready
PRs that have at least one approval, no pending requests for changes, and a CI started.
request-ci
Add this label to start a Jenkins CI on a PR.
labels
Mar 22, 2023
github-actions
bot
removed
the
request-ci
Add this label to start a Jenkins CI on a PR.
label
Mar 22, 2023
This comment was marked as outdated.
This comment was marked as outdated.
lpinca
approved these changes
Mar 22, 2023
33 tasks
tniessen
added
the
commit-queue
Add this label to land a pull request using GitHub Actions.
label
Mar 25, 2023
nodejs-github-bot
removed
the
commit-queue
Add this label to land a pull request using GitHub Actions.
label
Mar 25, 2023
Landed in 6311de3 |
RafaelGSS
pushed a commit
that referenced
this pull request
Apr 5, 2023
signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate. Technically, `/fd certHash` would be a better choice, but I don't know if it is widely supported. PR-URL: #47206 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Merged
RafaelGSS
pushed a commit
that referenced
this pull request
Apr 6, 2023
signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate. Technically, `/fd certHash` would be a better choice, but I don't know if it is widely supported. PR-URL: #47206 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
RafaelGSS
pushed a commit
that referenced
this pull request
Apr 7, 2023
signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate. Technically, `/fd certHash` would be a better choice, but I don't know if it is widely supported. PR-URL: #47206 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
danielleadams
pushed a commit
that referenced
this pull request
Jul 6, 2023
signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate. Technically, `/fd certHash` would be a better choice, but I don't know if it is widely supported. PR-URL: #47206 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
author ready
PRs that have at least one approval, no pending requests for changes, and a CI started.
build
Issues and PRs related to build files or the CI.
needs-ci
PRs that need a full CI run.
security
Issues and PRs related to security.
tools
Issues and PRs related to the tools directory.
windows
Issues and PRs related to the Windows platform.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate.
Technically,
/fd certHash
would be a better choice, but I don't know if it is widely supported.