On 25/01/2021 15:04, Christopher Schultz wrote:
> Mark,
>
> On 1/24/21 04:44, ma...@apache.org wrote:
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> markt pushed a commit to branch master
>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>>
>>
>> The following commit(s) were added to refs/heads/master by this push:
>> new 7bb9eec Ensure Windows signing uses sha256 hash
>> 7bb9eec is described below
>>
>> commit 7bb9eeced9522058796c3dfdc759e3f5eedb258d
>> Author: Mark Thomas <ma...@apache.org>
>> AuthorDate: Sun Jan 24 09:42:06 2021 +0000
>>
>> Ensure Windows signing uses sha256 hash
>> ---
>> build.xml | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/build.xml b/build.xml >> index 32142c8..be0f1da 100644 >> --- a/build.xml >> +++ b/build.xml >> @@ -2575,6 +2575,8 @@ skip.installer property in build.properties" /> >> <arg value="sign"/> >> <arg value="/sha1"/> >> <arg value="${codesigning.certificate.thumbprint}"/> >> + <arg value="/fd"/> >> + <arg value="sha256"/>
>
> I see there is a /sha1 option on the command as well. Does that mean
> that SHA1 is also being performed?
No.

> Is it required?

Yes. It is how we ID the certificate/key to sign with.

> We abandoned SHA-1 (and SHA-256 for that matter) for the signatures we
> put on our web sites some time ago. Is it possible to use SHA-512 for
> these signatures as well?

A quick hunt around the internet suggests using SHA-512 signatures should be possible. However, that was with a local key. The DigiCert signing uses a custom library to access the keys remotely. Let me run a test...

Mark
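
Review bot: In the build.xml hunk at @@ -2575, the added `/fd` and `sha256` arguments sit directly after `/sha1` with nothing to tell the two apart, and a reader can take `/sha1` for a second digest. Add an XML comment beside these args stating that `/sha1` is followed by `${codesigning.certificate.thumbprint}` and selects the signing certificate, while `/fd` sets the file digest algorithm. The digest name is also hard-coded as `sha256`; reading it from a build property would let it be changed in one place if a different algorithm is adopted later. The diffstat reports 4 insertions but only two added lines are visible here, so the same comment applies wherever the other two land.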