
Signatures of EXEs (DLLs too?) are only SHA1

Summary

The signing service provides signed EXEs that are SHA1 signed (according to this bug report).

Are SHA256/512 signed certificates an option that users of CBI need to enable, or is this something that needs to be implemented, or is this even a thing?

Steps to reproduce

  1. Downloaded the installer from https://www.eclipse.org/downloads/download.php?file=/oomph/epp/2022-09/R/eclipse-inst-jre-win64.exe (link from https://www.eclipse.org/downloads/packages/)
  2. Right-click (presumably) on the exe and check security tab (screenshot from user's bug report):

image

What is the current bug behavior?

SHA1

What is the expected correct behavior?

SHA256?

Relevant logs and/or screenshots

Priority

  • Urgent
  • High
  • Medium
  • Low

Severity

  • Blocker
  • Major
  • Normal
  • Low

Impact
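
A scriptable version of the check in "Steps to reproduce", added here as an example and not part of the original report or of the CBI signing service: it reads the digest algorithm declared by each signature embedded in a PE file, so a build pipeline can flag SHA1-only output. It inspects only the top-level `digestAlgorithms` field of each PKCS#7 blob; it does not verify the signature and does not look at nested signatures, timestamps or the certificate chain. All function names are hypothetical.

```python
import struct

DIGEST_OIDS = {  # DER-encoded digest algorithm OIDs
    bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",  # 2.16.840.1.101.3.4.2.1
    bytes.fromhex("608648016503040203"): "sha512",  # 2.16.840.1.101.3.4.2.3
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pkcs7_digest_algorithms(der):
    _, pos, _ = read_tlv(der, 0)             # ContentInfo SEQUENCE
    _, _, pos = read_tlv(der, pos)           # skip contentType OID
    _, pos, _ = read_tlv(der, pos)           # [0] EXPLICIT wrapper
    _, pos, _ = read_tlv(der, pos)           # SignedData SEQUENCE
    _, _, pos = read_tlv(der, pos)           # skip version INTEGER
    tag, pos, end = read_tlv(der, pos)       # digestAlgorithms SET
    if tag != 0x31:
        raise ValueError("unexpected SignedData layout")
    names = []
    while pos < end:
        _, alg, pos = read_tlv(der, pos)     # AlgorithmIdentifier SEQUENCE
        _, start, stop = read_tlv(der, alg)  # its algorithm OID
        oid = bytes(der[start:stop])
        names.append(DIGEST_OIDS.get(oid, "oid:" + oid.hex()))
    return names

def authenticode_digests(pe):
    """Digest algorithm names of the signatures embedded in PE file bytes."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                            # start of optional header
    dirs = opt + (112 if pe[opt:opt + 2] == b"\x0b\x02" else 96)
    pos, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # security dir
    end, found = pos + size, []
    while pos + 8 <= end:
        length, _, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8:
            break                            # malformed entry
        if ctype == 0x0002:                  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            found += pkcs7_digest_algorithms(pe[pos + 8:pos + length])
        pos += (length + 7) & ~7             # entries are 8-byte aligned
    return found
```

Call it as `authenticode_digests(open(path, "rb").read())`; an unsigned file returns an empty list, and a result of `["sha1"]` is the condition this issue describes.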