Bug 383928

Summary: Windows downloadable installer EXEs are signed only by insecure SHA1 digest algorithm
Product: [Applications] krita    Reporter: Edmond Lacey <sibexozos>
Component: General    Assignee: Krita Bugs <krita-bugs-null>
Status: RESOLVED NOT A BUG
Severity: major    CC: halla
Priority: NOR
Version First Reported In: unspecified
Target Milestone: ---
Platform: Microsoft Windows
OS: Microsoft Windows
Latest Commit:    Version Fixed/Implemented In:
Sentry Crash Report:

Description Edmond Lacey 2017-08-23 19:50:51 UTC
Files available from:
https://krita.org/en/download/krita-desktop/

and named:
krita-3.2.0-x86-setup.exe
krita-3.2.0-x64-setup.exe

are signed only with the SHA1 certificate belonging to Open Source Developer, Boudewijn Rempt.

Wikipedia claims that since 2010 "many organizations have recommended its replacement by SHA-2 or SHA-3" [https://en.wikipedia.org/wiki/SHA-1].

Most importantly, in February 2017 Google announced "the first practical technique for generating a collision" against SHA-1 [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html].

It's tough enough that krita.exe has no digital signature to depend upon.
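A way to verify the condition this report describes on a downloaded installer, as an added example that is not part of the report or of Krita's own tooling: the script walks the PKCS#7 SignedData blob in a PE's Authenticode security directory and lists every digest-algorithm OID it contains, so a SHA-1-only signature is distinguishable from a dual SHA-1/SHA-256 one. The `authenticode_blob` helper and the two hex samples are constructed here, and definite-length DER (what signtool emits) is assumed.

```python
WEAK = {"1.3.14.3.2.26": "sha1", "1.2.840.113549.2.5": "md5"}
STRONG = {"2.16.840.1.101.3.4.2.1": "sha256", "2.16.840.1.101.3.4.2.2": "sha384",
          "2.16.840.1.101.3.4.2.3": "sha512"}

def _read_len(buf, i):  # definite-form DER length at buf[i] -> (length, content offset)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _decode_oid(content):  # base-128 sub-identifiers -> dotted string
    arcs, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    head = (2, arcs[0] - 80) if arcs[0] >= 80 else divmod(arcs[0], 40)
    return ".".join(str(a) for a in head + tuple(arcs[1:]))

def iter_oids(buf, start=0, end=None):
    """Yield every OID in buf, descending into constructed TLVs (SEQUENCE, SET, [0]) so
    digests inside nested countersignature / dual-signature attributes are found too."""
    i, end = start, len(buf) if end is None else end
    while i < end:
        tag = buf[i]
        length, i = _read_len(buf, i + 1)
        if tag == 0x06:
            yield _decode_oid(buf[i:i + length])
        elif tag & 0x20:
            yield from iter_oids(buf, i, i + length)
        i += length

def digest_algorithms(blob):  # OID -> name for every digest-algorithm OID anywhere in blob
    return {o: (WEAK.get(o) or STRONG.get(o)) for o in iter_oids(blob) if o in WEAK or o in STRONG}

def signed_only_with_weak_digest(blob):  # the report's condition: digests present, none SHA-2
    algs = digest_algorithms(blob)
    return bool(algs) and not any(o in STRONG for o in algs)

def authenticode_blob(path):  # PKCS#7 bytes from the PE security directory, None if unsigned
    data = open(path, "rb").read()
    opt = int.from_bytes(data[0x3C:0x40], "little") + 24           # optional header start
    dd = opt + (112 if data[opt:opt + 2] == b"\x0b\x02" else 96) + 4 * 8  # data directory 4
    off, size = (int.from_bytes(data[dd + k:dd + k + 4], "little") for k in (0, 4))
    return data[off + 8:off + size] if size else None  # skip the 8-byte WIN_CERTIFICATE header

# Constructed samples: minimal SignedData {version 1, digestAlgorithms}, not real signatures.
SHA1_ONLY = bytes.fromhex("3010020101310b300906052b0e03021a0500")
DUAL_SIGNED = bytes.fromhex("301f020101311a300906052b0e03021a0500300d06096086480165030402010500")
```

On a real file, `signed_only_with_weak_digest(authenticode_blob("krita-3.2.0-x64-setup.exe"))` reports the condition described above.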
Comment 1 Halla Rempt 2017-08-23 20:25:09 UTC
Sorry, but this really isn't a bug. Together with KDE e.V. we're working to get a new certificate, but, basically, all this signing stuff is nonsense. I'm making these binary builds, and by gum, I wish someone else would spend their precious minutes on this earth on them.