All,

Having just done the release build for Tomcat 8.5, I was checking to ensure that the various digital signatures were done properly on the .exe files we produce as a part of that build.

I happened to check tomcat8.exe and it's got a sha1 signature instead of a sha512 signature like the other .exe files we sign.

Is that intentional?

Those files appear to come from the commons-daemon project, and aren't signed as a part of the release process. The signature on tomcat8.exe for example (which is really prunsrc.exe) is Monday, January 18, 2021 7:49:06 AM.

Should we ask the commons-daemon project to roll a new release with modern signatures on their .exe files? Or should we authenticate the existing signature and replace it with a new sha512 one? Or should we just ignore the discrepancy?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
