https://bugs.kde.org/show_bug.cgi?id=383928

            Bug ID: 383928
           Summary: Windows downloadable installer EXEs are signed only by insecure SHA1 digest algorithm
           Product: krita
           Version: unspecified
          Platform: MS Windows
                OS: MS Windows
            Status: UNCONFIRMED
          Severity: major
          Priority: NOR
         Component: general
          Assignee: krita-bugs-n...@kde.org
          Reporter: sibexo...@go2vpn.net
  Target Milestone: ---

Files available from:
https://krita.org/en/download/krita-desktop/
and named:
krita-3.2.0-x86-setup.exe
krita-3.2.0-x64-setup.exe
are signed only with the SHA1 certificate belonging to Open Source Developer, Boudewijn Rempt.

Wikipedia claims that since 2010 "many organizations have recommended its replacement by SHA-2 or SHA-3"
[https://en.wikipedia.org/wiki/SHA-1]

Most importantly, in February 2017 Google announced "the first practical technique for generating a collision" against SHA-1
[https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html]

It's tough enough that krita.exe has no digital signature to depend upon.