mathnet/mathnet-symbolics

Code signing algorithm update

cgravill opened this issue · 3 comments

Thanks for building the library, it’s been really useful.

I recently updated to v0.18 in some of our tools. They’ve been security flagged by automated tools for review due to the SHA-1 signing on mathnet symbolics.

I checked, and it looks like the signtool.exe being used can do more secure hashing algorithms, e.g. one of the SHA-2 family, with the /fd flag:
https://msdn.microsoft.com/en-us/library/windows/desktop/jj835835(v=vs.85).aspx

Is it possible to upgrade? It looks to work but I don’t have the corresponding certificate to confirm.
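The signtool invocation the comment refers to, as an added example that is not part of this thread or of the Math.NET build scripts: it signs an assembly with a SHA-256 file digest and a SHA-256 RFC 3161 timestamp, then verifies the result and fails if the file digest is still SHA-1. Assumptions: signtool.exe from the Windows SDK is on PATH, the signing certificate is installed in the current user's certificate store and selected by its thumbprint in `$CertThumbprint` (a placeholder), `$TimestampUrl` is a placeholder for a timestamp server you trust, and the "Hash of file (<alg>):" line is the form that signtool's verbose verify output uses to report the digest.

```powershell
# Added example, not the project's own code. Sign with SHA-256 digests and
# verify that no SHA-1 file digest remains on the assembly.
param(
    [string]$Assembly       = '.\MathNet.Symbolics.dll',
    # Placeholder: thumbprint of the code-signing cert in Cert:\CurrentUser\My.
    # Note that signtool's /sha1 option selects the *certificate* by thumbprint;
    # it has nothing to do with the digest algorithm, which /fd and /td control.
    [string]$CertThumbprint = '0000000000000000000000000000000000000000',
    # Placeholder: RFC 3161 timestamp server (assumption, pick one you trust).
    [string]$TimestampUrl   = 'http://timestamp.example/rfc3161'
)

# /fd sets the file digest, /tr names an RFC 3161 timestamp server and /td the
# digest used in the timestamp. Omitting /fd leaves signtool on its SHA-1
# default, which is what automated scanners flag.
& signtool.exe sign /sha1 $CertThumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $Assembly
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# Verify under the default Authenticode policy and capture the verbose report.
$report = (& signtool.exe verify /pa /v $Assembly 2>&1) | Out-String
if ($LASTEXITCODE -ne 0) {
    throw "signature verification failed:`n$report"
}

# Assumption: verbose output reports the digest as "Hash of file (sha256): ...".
$m = [regex]::Match($report, 'Hash of file \((?<alg>[A-Za-z0-9]+)\)')
if (-not $m.Success) {
    throw "could not determine the file digest algorithm from signtool output"
}
$alg = $m.Groups['alg'].Value.ToLowerInvariant()
if ($alg -eq 'sha1') {
    throw "$Assembly still carries a SHA-1 file digest"
}

# Cross-check with PowerShell's own Authenticode view of the file.
$sig = Get-AuthenticodeSignature -FilePath $Assembly
if ($sig.Status -ne 'Valid') {
    throw "Get-AuthenticodeSignature reports status $($sig.Status)"
}
Write-Host "OK: $Assembly signed and verified, file digest $alg, signer $($sig.SignerCertificate.Subject)"
```

Selecting the certificate by thumbprint from the store avoids passing a PFX password on the command line with /p, where it would be visible to anyone who can list processes on the build machine. If older Windows versions that cannot validate SHA-256 signatures still matter, the usual approach is to sign once with SHA-1 and then append a second SHA-256 signature with `/as /fd SHA256`; the check above would then need to look at each signature rather than the first "Hash of file" line.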

Thanks for the hint - I'll verify (and do a patch release if it works)!

I've just released v0.18.1, which is exactly like v0.18.0 but uses SHA2-256 instead of SHA1 for the code signing. Thanks for the hint, SHA1 has indeed been deprecated for code signing purposes for quite a while.

Could you please verify whether it now passes your security tool?

If it passes, I'll update the other Math.NET projects the same way.

Thanks, that's excellent. I can confirm the automated security tools pass when I updated Symbolics to v0.18.1

Much appreciated.