Signature of EXEs (dlls too?) are only SHA1

Summary

The signing service provides signed EXEs that are SHA1 signed (According to this bug report).

Is SHA256/512 signed certificates an option that users of CBI need to enable, or is this something that needs to be implemented, or is this even an thing?

Steps to reproduce

1. Downloaded the installer from https://www.eclipse.org/downloads/download.php?file=/oomph/epp/2022-09/R/eclipse-inst-jre-win64.exe (link from https://www.eclipse.org/downloads/packages/)
2. Right-click (presumably) on the exe and check security tab (screenshot from user's bug report):

What is the current bug behavior?

SHA1

What is the expected correct behavior?

SHA256?

Relevant logs and/or screenshots

Priority

• Urgent
• High
• Medium
• Low

Severity

• Blocker
• Major
• Normal
• Low

Impact

added IT-prioritymedium IT-severitynormal ~25796 team:security labels

assigned to @mbarbero

Note that this is true for all signed content, e.g., eclipse.exe:

We use osslsigncode to sign PE32 (.exe, .dll...). The version we use is 2.1.

We could probably upgrade to 2.5, default hash function is sha256 since 2.4.

I'll deploy a staging version with 2.5. Will you be able to test it?

I should be able to test it with EPP.

I assume I have to update the eclipse-winsigner-plugin parameter signerUrl here in EPP:

https://git.eclipse.org/r/plugins/gitiles/epp/org.eclipse.epp.packages/+/refs/heads/master/releng/org.eclipse.epp.config/parent/product/pom.xml#187

Please let me know if the above sounds correct and what the URL is when you are ready.

I can test it too...

Please try with https://cbi-staging.eclipse.org/authenticode/sign

See changes in PR https://github.com/eclipse-cbi/org.eclipse.cbi/pull/197

Looks good to me, and I can launch Eclipse fine:

I'll leave the test download I built on https://download.eclipse.org/technology/epp/staging/ for a few hours in case you want to have more of a look.

I built the EPP by adding -Dcbi.winsigner.signerUrl=https://cbi-staging.eclipse.org/authenticode/sign to the maven command line.

---

@emerks BTW the JustJ java, javaw and related dlls don't seem to be signed.

Yes it works for me as well:

@jograham

It's weird. Some things are signed:

But others appear to have the signature stripped because they were signed in the Temurin download. I would have expected them to simply be an unmodified copy...

@jograham

I've opened this for the JustJ signing issue:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=580861

I believe it's normal that the signatures are stripped by jlink from reading this:

https://github.com/corretto/corretto-11/issues/32

@mbarbero

When do you expect these changes to go live?

Change is live on production

That was fast! Thanks!!

I guess this can be closed now...

You're welcome. Closing

closed

mentioned in issue #2035 (closed)