Bug 383928 - Windows downloadable installer EXEs are signed only by insecure SHA1 digest algorithm
Status: RESOLVED NOT A BUG
Alias: None
Product: krita
Classification: Applications
Component: General
Version: unspecified
Platform: Microsoft Windows
: NOR major
Target Milestone: ---
Assignee: Krita Bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-23 19:50 UTC by Edmond Lacey
Modified: 2017-08-23 20:25 UTC

See Also:
Latest Commit:
Version Fixed In:


Description Edmond Lacey 2017-08-23 19:50:51 UTC
Files available from:
https://krita.org/en/download/krita-desktop/

and named:
krita-3.2.0-x86-setup.exe
krita-3.2.0-x64-setup.exe

are signed only with the SHA1 certificate belonging to Open Source Developer, Boudewijn Rempt.

Wikipedia claims that since 2010 "many organizations have recommended its replacement by SHA-2 or SHA-3" [https://en.wikipedia.org/wiki/SHA-1]

Most importantly, in February 2017 Google announced "the first practical technique for generating a collision" against SHA-1 [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html]

It's tough enough that krita.exe has no digital signature to depend upon.
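A check for the claim in this report, added here as an example and not part of the bug thread or of Krita's own code: it reads the PE security directory and walks the PKCS#7 SignedData to report which file-digest algorithm the outermost Authenticode signature uses, so an installer signed only with SHA-1 comes back as {'sha1'}. It assumes plain Python 3 and standard PE/WIN_CERTIFICATE layout; a nested dual signature (stored inside an unauthenticated attribute) is not walked, so a SHA-1 result means SHA-1 is at least the primary digest.

```python
import struct

# Content octets of the OIDs Authenticode uses for the file digest; others are reported as hex.
DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
               bytes.fromhex("608648016503040201"): "sha256",  # 2.16.840.1.101.3.4.2.1
               bytes.fromhex("608648016503040203"): "sha512"}  # 2.16.840.1.101.3.4.2.3

def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, pos, pos + length

def signed_data_digests(pkcs7):
    """digestAlgorithms of the outermost SignedData; a nested (dual) signature is not walked."""
    _, p, _ = der_tlv(pkcs7, 0)       # ContentInfo SEQUENCE
    _, _, e = der_tlv(pkcs7, p)       # contentType OID (id-signedData), skipped
    _, p, _ = der_tlv(pkcs7, e)       # [0] EXPLICIT wrapper
    _, p, _ = der_tlv(pkcs7, p)       # SignedData SEQUENCE
    _, _, e = der_tlv(pkcs7, p)       # version INTEGER, skipped
    _, p, end = der_tlv(pkcs7, e)     # digestAlgorithms SET OF AlgorithmIdentifier
    found = set()
    while p < end:
        _, q, p = der_tlv(pkcs7, p)   # AlgorithmIdentifier SEQUENCE; p -> next entry
        _, s, e = der_tlv(pkcs7, q)   # algorithm OID
        found.add(DIGEST_OIDS.get(pkcs7[s:e], pkcs7[s:e].hex()))
    return found

def security_directory(pe):
    """bCertificate blobs from the PE security directory (data directory entry 4)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                  # 4-byte signature + 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory start
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # raw file offset, not an RVA
    blobs, end = [], off + size
    while off + 8 <= end:
        length = struct.unpack_from("<I", pe, off)[0]  # WIN_CERTIFICATE.dwLength
        blobs.append(pe[off + 8:off + length])         # skip dwLength, wRevision, wCertificateType
        off += (length + 7) & ~7                       # entries are 8-byte aligned
    return blobs

def check_file(path):
    """Digest algorithm names per signature; an empty list means the file is unsigned."""
    with open(path, "rb") as f:
        return [signed_data_digests(b) for b in security_directory(f.read())]
```

Run `check_file("krita-3.2.0-x64-setup.exe")` on a downloaded installer; `[{'sha1'}]` reproduces the report, `[]` reproduces the unsigned krita.exe case.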
Comment 1 Halla Rempt 2017-08-23 20:25:09 UTC
Sorry, but this really isn't a bug. Together with KDE e.V. we're working to get a new certificate, but, basically, all this signing stuff is nonsense. I'm making these binary builds, and by gum, I wish someone else would spend their precious minutes on this earth on them.