Opened 5 months ago

Last modified 5 weeks ago

#33172 new enhancement

Start using a maintained version of osslsigncode for our authenticode signing

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-sign, tbb-maint, TorBrowserTeam202004
Cc: Actual Points:
Parent ID: #33171 Points:
Reviewer: Sponsor:

Description

osslsigncode on SoureForge seems to be dead for a while now. It's worth switching to a maintained version, e.g. mtrojnar's one.

Child Tickets

Change History (5)

comment:1 Changed 5 months ago by gk

Note to self: we should go over the commits that landed since 2018 to figure out what changes and whether that looks good to us as a step 0.

comment:2 Changed 5 months ago by boklm

This sounds like a good idea. Especially since the old version of osslsigncode does not build with openssl 1.1:
https://sourceforge.net/p/osslsigncode/bugs/10/

comment:3 in reply to:  2 Changed 5 months ago by sysrqb

Keywords: TorBrowserTeam202004 added

Replying to boklm:

This sounds like a good idea. Especially since the old version of osslsigncode does not build with openssl 1.1:
https://sourceforge.net/p/osslsigncode/bugs/10/

In case anyone is wondering how we solved this, there is an available yolo patch (mentioned at the bottom of that ticket) for resolving the compile-time errors that is apparently sufficient for getting the timestamping functionality on Linux:
https://sourceforge.net/p/osslsigncode/patches/10/

I'm putting this on the roadmap for April, maybe we can find some time for it sooner than that.

comment:4 Changed 2 months ago by gk

We should at least open an issue for the osslsigncode verify weirdness in comment:17:ticket:29614.

comment:5 Changed 5 weeks ago by gk

Keywords: tbb-maint added
Note: See TracTickets for help on using tickets.