Thunderbird 38.5.0 is now available / special notice

R Kent James kent at
Thu Dec 24 16:56:58 UTC 2015

On 12/23/2015 3:59 PM, John L. Jacobs wrote:
> I do have XP SP2 on my network but rarely even powered up. What I find 
> difficult to understand is your use of the word "deprecate" in the 
> context of MS and SHA1. In my experience, SHA1 has pretty much not be 
> used for quite a while in favor of SHA2 (SHA-256). Thuderbird (an old 
> version?) is on the XP machine, not being used, would update, data on 
> it has been irrelevant for a long time. Let me know what you want are 
> looking for.
> I read into this and other communications that TB is in someway going 
> to incorporate security certificates???
> ---
> John L Jacobs, Retired Network Engineer
> 4105 Primrose Way
> Napa, Ca 94558-1595
> Ph: 415-738-2550

The immediate issue is the signing of Mozilla code, which is necessary 
to prevent security warnings from appearing when Firefox or Thunderbird 
is installed. This month, the signing is being switched from SHA-1 to 
SHA-256, with that schedule forced up against a deadline by the upcoming 
deprecation of SHA-1 in modern Windows systems on 2016-01-01. The issue 
is complicated by the Mozilla installer, that is used for silent updates 
of Firefox and Thunderbird. That also had to be upgraded, and the whole 
thing has to be done in two steps. (Bit of a chicken and egg problem 
getting existing apps, signed with SHA-1, to recognize SHA-256 before 
updated versions, signed with SHA-256, could be released.).

The QA problem is quite tricky, as each version of Microsoft Windows has 
a slightly different set of handling of SHA-1 and SHA-256 certificates, 
plus it depends on both the system date in the client system, as well as 
the system date of the certificate-signing system.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the tb-planning mailing list