Switch to the new SHA256 certificate.

Switch to the new SHA256 signature in the codebase. Google LLC sha256 certificate with thumbprint "2673ea6cc23beffda49ac715b121544098a1284c", valid from 07-01-2021 to 07-10-2024.
google · Aug 9, 2021 · 8bb0325 · 8bb0325
1 parent e0a83e9
commit 8bb0325
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 16 deletions.
diff --git a/omaha/base/const_code_signing.h b/omaha/base/const_code_signing.h
@@ -37,13 +37,13 @@ const TCHAR* const kSha256CertificateSubjectName = _T("Google LLC");
 const TCHAR* const kCertificateThumbprint =
     _T("a3958ae522f3c54b878b20d7b0f63711e08666b2");
 const TCHAR* const kSha256CertificateThumbprint =
-    _T("cb7e84887f3c6015fe7edfb4f8f36df7dc10590e");
+    _T("2673ea6cc23beffda49ac715b121544098a1284c");
 
 // The SHA256 hash of the Omaha certificate RSA public key.
 const TCHAR* const kCertificatePublicKeyHash =
     _T("6cb128676c6d0b49d3e8918bd835888694333da7540a0994261c0ec0b3516f9d");
 const TCHAR* const kSha256CertificatePublicKeyHash =
-    _T("03e27c19d222043a8f0c64181c23c9339cc84a7ec4ebff8a19adb7caefb0c709");
+    _T("3e9d92dfb3a046d49f53bab836f387177ac1ec075e8e3dd306b7c1764432f276");
 
 // The hash of public keys that we pin the code signing certificates to.
 // For quick identification, the date and thumbprint of the certificates are
@@ -101,13 +101,13 @@ const TCHAR* const kPublicKeyHashes[] = {
     // serial=0c15be4a15bb0903c901b1d6c265302f
     // SHA1
     // Fingerprint=CB:7E:84:88:7F:3C:60:15:FE:7E:DF:B4:F8:F3:6D:F7:DC:10:59:0E
-    kSha256CertificatePublicKeyHash,
+    _T("03e27c19d222043a8f0c64181c23c9339cc84a7ec4ebff8a19adb7caefb0c709"),
 
     // Google LLC sha256 certificate valid from 07-01-2021 to 07-10-2024.
     // Issued by DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1.
     // thumbprint=2673ea6cc23beffda49ac715b121544098a1284c.
     // serial=0e4418e2dede36dd2974c3443afb5ce5.
-    _T("3e9d92dfb3a046d49f53bab836f387177ac1ec075e8e3dd306b7c1764432f276"),
+    kSha256CertificatePublicKeyHash,
 };
 
 }  // namespace omaha

diff --git a/omaha/base/signaturevalidator_unittest.cc b/omaha/base/signaturevalidator_unittest.cc
@@ -29,11 +29,6 @@ namespace {
 
 const TCHAR* const kTestCertificateSubjectName = _T("Google Inc (TEST)");
 
-const TCHAR* const kSha256CertificateThumbprint_Expires_07102024 =
-    _T("2673ea6cc23beffda49ac715b121544098a1284c");
-const TCHAR* const kSha256CertificatePublicKeyHash_Expires_07102024 =
-    _T("3e9d92dfb3a046d49f53bab836f387177ac1ec075e8e3dd306b7c1764432f276");
-
 bool VerifySigneeIs(const wchar_t* subject_name,
                     const wchar_t* signed_file) {
   std::vector<CString> subject;
@@ -76,17 +71,12 @@ INSTANTIATE_TEST_CASE_P(
             _T("unittest_support\\sha1_06aea76bac46a9e8cfe6d29e45aaf033.sys"),
             kSha1CertificateSubjectName, kCertificateThumbprint,
             kCertificatePublicKeyHash),
-        // Chrome certificate sha256 (11/06/2018 to 11/17/2021).
-        PathSubjectThumbprintHash(_T("unittest_support\\chrome_setup.exe"),
-                                  kSha256CertificateSubjectName,
-                                  kSha256CertificateThumbprint,
-                                  kSha256CertificatePublicKeyHash),
         // Google LLC sha256 certificate valid from 07-01-2021 to 07-10-2024.
         PathSubjectThumbprintHash(
             _T("unittest_support\\sha2_0e4418e2dede36dd2974c3443afb5ce5.msi"),
             kSha256CertificateSubjectName,
-            kSha256CertificateThumbprint_Expires_07102024,
-            kSha256CertificatePublicKeyHash_Expires_07102024)));
+            kSha256CertificateThumbprint,
+            kSha256CertificatePublicKeyHash)));
 
 TEST_P(CertInfoTest, CertInfo) {
   CString binary_full_path(app_util::GetCurrentModuleDirectory());