Dual-sign the installers with SHA-1 and SHA-2

[dscho]

SHA-1 is deprecated, we should use SHA-2 (and several browsers now consider SHA-1 signed executables as if they were unsigned). But Vista and pre-2008 only accept SHA-1.

Pointed out by Sunny Gakhar.

[PhilipOakley]

I understand that getting a sha-2 cert for signing is costly, so it may be some time before a full sha-2 signing can happen.

I was thinking that it may be worth having a note about the issue "Newer browers may issue a signature warning; check using our sha1 certificate" on the download web site(s).

While the main G4W site git-for-windows.github.io is under local control, the more commonly used site for download is git-scm.com.

Would it be worth (me) attempting to add a note to the G4W site, and perhaps a more involved change to git-scm? Or does the hassle of updating the git-scm mean that the effort would be largely nugatory.

[shiftkey]

I'm not sure how this is progressing @dscho but I'll drop some notes in here about our recent adventures with this and GitHub Desktop:

• we had an uptick in reports mid-January when Smartscreen (and IE11 where SmartScreen isn't available) reported that our installer was "invalid or corrupt"
• the changes are documented here and this came into effect from January 1 as the relevant Windows Update propagated out to users - I don't see a mention of timestamping in the release script but maybe you're doing this already.
• an installer signed with a SHA-1 certificate and timestamped before 2016-01-01 will be trusted for a bit longer, but because we didn't timestamp our files we got caught up in this.
• as mentioned about, dual-signing the installer is necessary for pre-Windows 7 releases as they won't get SHA-2 support through Windows Update

[dscho]

I am pretty confident that I addressed this ticket through git-for-windows/build-extra@5f321a4 and the next release will show that it is fixed.

[dscho]

Just as a follow-up: Git 2.7.0(2) is dual-signed and therefore addresses this ticket.