https://bz.apache.org/bugzilla/show_bug.cgi?id=62696
Bug ID: 62696
Summary: Consider use of sha256 for signing of .exe files of
Tomcat installer.
Product: Tomcat 9
Version: 9.0.x
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Packaging
Assignee: dev@tomcat.apache.org
Reporter: knst.koli...@gmail.com
Target Milestone: -----
Reviewing release candidates of Tomcat 8.5.34, 9.0.11,
apache-tomcat-8.5.34.exe
apache-tomcat-9.0.12.exe
are both signed with sha1 signatures.
I mean the following:
In Windows: open File Explorer, right-click on the file to open a menu, click
"Properties" item in the menu. In the file properties dialog see "Signatures"
tab. The file signature is listed there as "sha1".
An example of a OSS installer that has sha256 signature, "Git for Windows":
https://github.com/git-for-windows/git/releases/tag/v2.18.0.windows.1
-> PortableGit-2.18.0-64-bit.7z.exe
An older version of "Git for Windows" had both sha1 and sha256 signatures:
https://github.com/git-for-windows/git/releases/tag/v2.12.0.windows.1
-> PortableGit-2.12.0-64-bit.7z.exe
I first mentioned this issue 1,5 years ago. I am filing it into Bugzilla, as
release signing policy at ASF has changed recently to avoid sha-1.
https://markmail.org/message/pa4dntjqx5rwcmwb
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
