by TIV73 » Sun Aug 01, 2021 4:13 am
Hi,
I was waiting for update 5.0.1 to replace MM4 as my main day-to-day music player (congratulations on the release!) and noticed that both the regular and debug installer are signed using sha1, which has been deprecated for https encryption and code signing by all major authorities (including [url=https://sectigo.com/knowledge-base/detail/Important-change-announcement-deprecation-of-SHA-1-1527076085906/kA01N000000zFKE]the issuer[/url] of the cert used by the MM5 installer) a couple of years ago and is not considered safe anymore.
Please note that the actual certificate itself already uses sha384, it's just applied to the installer using digest algorithm sha1. While that's not an immediate dealbreaker, I probably wouldn't call it best practice.
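Added example, not part of the original post: a Python sketch that reads the file digest algorithm from a PE's embedded Authenticode signature (the `digestAlgorithms` field of the PKCS#7 SignedData), which is separate from the hash used in the certificate's own signature. The function names are this example's own, and `sample_pe` builds a constructed stub rather than a real installer.

```python
import struct

# DER-encoded OID bodies of the digest algorithms of interest.
DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",
               bytes.fromhex("608648016503040201"): "sha256",
               bytes.fromhex("608648016503040202"): "sha384"}

def tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def authenticode_digests(pe):
    """List the file digest algorithms in the first embedded signature of `pe` (bytes)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)
    # Data directory entry 4 is the certificate table: (file offset, size).
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if not off or not size:
        return []  # no embedded signature
    der = pe[off + 8:off + size]  # skip the 8-byte WIN_CERTIFICATE header
    _, s, _ = tlv(der, 0)      # ContentInfo SEQUENCE
    _, _, e = tlv(der, s)      # contentType OID (signedData)
    _, s, _ = tlv(der, e)      # [0] EXPLICIT wrapper
    _, s, _ = tlv(der, s)      # SignedData SEQUENCE
    _, _, e = tlv(der, s)      # version INTEGER
    _, pos, end = tlv(der, e)  # digestAlgorithms SET
    found = []
    while pos < end:
        _, a, pos = tlv(der, pos)  # AlgorithmIdentifier; pos moves to the next one
        _, o, oe = tlv(der, a)     # algorithm OID
        found.append(DIGEST_OIDS.get(der[o:oe], der[o:oe].hex()))
    return found

def sample_pe(oid):
    """Constructed PE32 stub holding only the fields read above (not a real installer)."""
    d = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER element
    signed = d(0x30, d(0x02, b"\x01") + d(0x31, d(0x30, d(0x06, oid) + d(0x05, b""))))
    cms = d(0x30, d(0x06, bytes.fromhex("2a864886f70d010702")) + d(0xA0, signed))
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x3C], hdr[0x40:0x44] = b"MZ", 0x40, b"PE\0\0"
    struct.pack_into("<H", hdr, 0x58, 0x10B)                     # PE32 magic
    struct.pack_into("<II", hdr, 0xD8, len(hdr), 8 + len(cms))   # certificate table entry
    return bytes(hdr) + struct.pack("<IHH", 8 + len(cms), 0x0200, 2) + cms
```

To check a real file, pass its bytes: `authenticode_digests(open(path, "rb").read())`. A dual-signed file keeps its additional signature nested inside the first one, which this sketch does not walk.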