Use SHA-256 algorithm for Windows timestamping
We switched to using SHA-256 for the authenticode signature but we should use that hash algo for the timestamp as well (currently that's still SHA-1)
Activity
Trac:
Parent Ticket: #33168 (moved)
Should be not too hard to adapt our timestamping script, see: https://sourceforge.net/p/osslsigncode/support-requests/9/.
-
Replying to gk:
Should be not too hard to adapt our timestamping script, see: https://sourceforge.net/p/osslsigncode/support-requests/9/.
Unfortunately, this did not work. I'll need to look again at the code and our patch do decouple the signing from the timestamping to figure out what goes wrong here.
-
Gonna do this while dealing with the new authenticode cert.
Trac:
Keywords: GeorgKoppen201907 deleted, GeorgKoppen202004, tbb-sign added
Cc: N/A to tbb-team
Parent: N/A to #33168 (moved)
Owner: tbb-team to gk
Status: new to assigned -
Replying to gk:
Not to self: we likely need to adapt my patch for
osslsigncodeso that the-hoption is available for theaddcommand as well.Yes, that is needed (among other things). It took me longer to figure this issue out because I got confused. While
osslsigncode verifyshows the certs in the SHA-1 Authenticode scenario it does not show them when switching to RFC 3161 mode with SHA-256 which sent me digging into wrong direction. Not sure if that's anosslsigncodebug or not.Either way, one can extract the signature with
osslsigncode extract-signatureand then inspect the nitty-gritty details withopenssl pkcs7and the SHA-256 timestamp is visible. I uploaded a test file for further inspection if needed:https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe.asc
bug_29614(https://gitweb.torproject.org/user/gk/tor-browser-spec.git/commit/?h=bug_29614&id=26d833f346d9d7bf795fe1cec819555595d739f1) in my publictor-browser-specrepo contains the updated documentation/patch.Trac:
Keywords: TorBrowserTeam201907 deleted, TorBrowserTeam202004R added
Status: assigned to needs_review Works on Windows 7 and later. Note: besides changing
SHA-1toSHA-256, you also changeAuthenticode timestampingtoRFC 3161 timestamping(see https://sectigo.com/resources/time-stamping-server).Okay, we're making progress on this. After misreading comment:17, gk walked me through the details of this process.
For comparison, when using Authenticode Timestamping (with SHA-1),
osslsigncode verifyoutput something like:$ osslsigncode verify torbrowser-install-win64-9.5a12_cs.exeSignature verification: ok Number of signers: 1 Signer #0: Subject: /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80 S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor Project, Inc./CN=The Tor Project, Inc. Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2) Serial : 0F622EF31D0F1EF94E520DBD7A43E58C Number of certificates: 4 Cert #0: Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2) Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA Serial : 03F1B4E15F3A82F1149678B3D7D8475C ------------------ Cert #1: Subject: /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80 S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor Project, Inc./CN=The Tor Project, Inc. Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2) Serial : 0F622EF31D0F1EF94E520DBD7A43E58C ------------------ Cert #2: Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1 Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA Serial : 06FDF9039603ADEA000AEB3F27BBBA1B ------------------ Cert #3: Subject: /C=US/O=DigiCert/CN=DigiCert Timestamp Responder Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1 Serial : 03019A023AFF58B16BD6D5EAE617F066Now, with RFC 3161 Timestamping (using any hashing algorithm, but in this case using SHA-256),
osslsigncode verifyonly prints the code signing certificates (as gk described). This makes sense, because the RFC 2161 timestamp is appended onto the pkcs7 structure embedded in the PE file, and timestamping does not result in a new and independent cert chain.Signature verification: ok Number of signers: 1 Signer #0: Subject: /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80 S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor Project, Inc./CN=The Tor Project, Inc. Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2) Serial : 0F622EF31D0F1EF94E520DBD7A43E58C Number of certificates: 2 Cert #0: Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2) Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA Serial : 03F1B4E15F3A82F1149678B3D7D8475C ------------------ Cert #1: Subject: /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80 S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor Project, Inc./CN=The Tor Project, Inc. Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2) Serial : 0F622EF31D0F1EF94E520DBD7A43E58C SucceededUsing
openssl pkcs7, as gk described, we can see the asn.1 object appended within the unauthenticated portion. First, we must extract the signatures from the file, then we can parse the resulting pkcs7 object:$ osslsigncode extract-signature -pem -in torbrowser-install-win64-9.5a12_cs.exe -out torbrowser-install-win64-9.5a12_cs.exe.sigs $ openssl pkcs7 -print -in torbrowser-install-win64-9.5a12_cs.exe.sigsunauth_attr: object: undefined (1.3.6.1.4.1.311.3.3.1) set: SEQUENCE: 0:d=0 hl=4 l=3761 cons: SEQUENCE 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData 15:d=1 hl=4 l=3746 cons: cont [ 0 ] 19:d=2 hl=4 l=3742 cons: SEQUENCE 23:d=3 hl=2 l= 1 prim: INTEGER :03 26:d=3 hl=2 l= 15 cons: SET 28:d=4 hl=2 l= 13 cons: SEQUENCE 30:d=5 hl=2 l= 9 prim: OBJECT :sha256 41:d=5 hl=2 l= 0 prim: NULL 43:d=3 hl=2 l= 120 cons: SEQUENCE 45:d=4 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo [snip] 282:d=8 hl=2 l= 47 cons: SEQUENCE 284:d=9 hl=2 l= 3 prim: OBJECT :commonName 289:d=9 hl=2 l= 40 prim: PRINTABLESTRING :DigiCert SHA2 Assured ID Timestamping CA 331:d=6 hl=2 l= 30 cons: SEQUENCE 333:d=7 hl=2 l= 13 prim: UTCTIME :191001000000Z 348:d=7 hl=2 l= 13 prim: UTCTIME :301017000000Z 363:d=6 hl=2 l= 76 cons: SEQUENCE 365:d=7 hl=2 l= 11 cons: SET 367:d=8 hl=2 l= 9 cons: SEQUENCE 369:d=9 hl=2 l= 3 prim: OBJECT :countryName 374:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US 378:d=7 hl=2 l= 23 cons: SET 380:d=8 hl=2 l= 21 cons: SEQUENCE 382:d=9 hl=2 l= 3 prim: OBJECT :organizationName 387:d=9 hl=2 l= 14 prim: PRINTABLESTRING :DigiCert, Inc. 403:d=7 hl=2 l= 36 cons: SET 405:d=8 hl=2 l= 34 cons: SEQUENCE 407:d=9 hl=2 l= 3 prim: OBJECT :commonName 412:d=9 hl=2 l= 27 prim: PRINTABLESTRING :TIMESTAMP-SHA256-2019-10-15 [snip]Okay, all of the installers for Windows were timestamped using SHA-256 in 9.5a12.
I merged the spec patch with commit
f07e8109ef72e895fd87b83413743828cfa180cc.I think we're done here. Thanks for figuring this out, gk!
Trac:
Resolution: N/A to fixed
Status: needs_review to closed
Keywords: tbb-8.5 deleted, tbb-9.5a12 addedmentioned in issue #33168 (moved)