portal entry

<p>I’d like to add two points of clarification here:</p><p>First, it’s worth mentioning also that the Adobe CF Docker images for CF2018 and 2016 were updated today as well (<a href="https://bintray.com/eaps/coldfusion/cf%3Acoldfusion" rel="nofollow">https://bintray.com/eaps/coldfusion/cf%3Acoldfusion</a>).</p><p>Second, if you read <a href="https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-10.html" rel="nofollow">the technote for the update</a> (not <a href="https://helpx.adobe.com/security/products/coldfusion/apsb20-43.html" rel="nofollow">the security bulletin</a>), you will see a new admonition to delete any "CAR files" once used (this CAR mechanism is a feature to export admin settings from one CF instance to another).  I can offer some clarification on that new admonition.</p><p>And in fact, I started to write it here but it became too lengthy and I will create a blog post instead. That may also help some become aware of the issue who would not see this comment. When I have created it, I will add a link to it here.</p>

Comment by Charlie Arehart

<p>Problem with the 32-bit add-on installer download for CF 2016:</p><p>ColdFusion_2016_Addon_win.exe does not have a digital signature.</p>

Comment by Legorol San

Hi, Let me verify this. -Priyank

Comment by Priyank Shrivastava

I'd be curious to hear, Legorol (and/or Priyank), how one would use such a signature if there was one. Of course, I realize that the CF updates download mechanism in the CF Admin DOES use a signature verification (which is NOT used if one just downloads the update jar files manually). But since the add-on installer files would by their nature be run outside of the CF Admin (meant as they are to add functionality on a server that might not even HAVE CF installed), I am just curious how you would have used such a digital signature if there was one. Is there perhaps some tool to help with that? I see none mention on <a href="https://www.adobe.com/support/coldfusion/downloads.html#cf2016builderdevtools" rel="nofollow">the page where one would download that installer</a>. My question is sincere. No snarkiness intended. :-)

Comment by Charlie Arehart

Charlie, very good question and I'll be happy to elaborate, especially because the answer is not specific to ColdFusion and it's good to be generally aware of it. Please excuse me if anything in this answer is obvious to you, I'm addressing it to a general audience in case someone else reads this. In Windows, an executable (.exe) file can have a digital signature, or more precisely a code signing certificate, embedded as part of the file itself. This allows the operating system and other applications to automatically verify the authenticity and integrity of the file. Users can also manually verify the digital signature using Windows features, without using any additional tools. When a user tries to run an executable that does not have a signature, especially for setup/installer files, they get a warning prompt in Windows. To see if an executable file has a digital signature and to verify it manually, navigate to the executable in File Explorer, and open its Properties (e.g. with right-click > Properties). If it has a digital signature, then a Digital Signatures tab is present with various useful information. Select an entry in the Signature list, and click the Details button. This gives additional information about the specific signature, verifies it and shows a message "This digital signature is OK", if it is the case. This is at least as strong a verification as checking a hash of the file (e.g. SHA-256) against a known value. It is common practice (and indeed very much recommended) that software developers attach a digital signature to executables that are shipped to end-users, especially for setup/installer files. This has many advantages in addition to being able to manually verify a downloaded file. For example, anti-virus software is typically much more strict with executables that don't have a signature. The signature, or more precisely the code signing certificate, uses standard Public Key Infrastructure. The certificate is counter-signed by a certificate authority in the same way as an SSL certificate. The operating system verifies the authenticity of the certificate using a certificate chain up to the trusted root certificates installed on the system, in the same way as it does for an SSL certificate. ColdFusion installers have included a digital signature at least as far back as CF 10 (which is the oldest one I have access to). This applies to all additional downloads as well, e.g. API manager and add-on services installers.

Comment by Legorol San

Thanks for all that. I was clearly not aware. :) I guess since the cf installers have always had them, I'd never come across this. As for other software, I suppose this may explain why I've seen those "don't run" errors in some installers. Since I always trusted where I've gotten them, I didn't press to find that this was perhaps the explanation. Again, Thanks for informing me and for pressing Adobe to resolve this.

Comment by Charlie Arehart

Are there any details on what was changed in the add-on installers? I don't see that in the tech notes — only that the PMT components of the CF server was updated.

Comment by brian.klaas

Brian, The add-ons contain the same security fix that are present in the update jars for both the versions. Thanks.

Comment by SauravGhosh

Just a note that the Java 8.261 JDK files are not linked properly (file not found) on your website <a href="https://www.adobe.com/support/coldfusion/downloads.html?1#additionalThirdPartyInstallers" rel="nofollow">https://www.adobe.com/support/coldfusion/downloads.html?1#additionalThirdPartyInstallers</a> in particular Java 8.261 windows64 exe file and also the others as well <a href="http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u261/jdk-8u261%20-windows-x64.exe" rel="nofollow">http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u261/jdk-8u261%20-windows-x64.exe</a> MRC  

Comment by Michael Charbonneau

I am working with team to get the links to work. Please stand by.

Comment by Priyank Shrivastava

still not working The requested URL /pub/coldfusion/java/java8/JDK8u261/jdk-8u261-windows-x64.exe was not found on this server.

Comment by Michael Charbonneau

Michael, I can confirm what you're reporting. All the downloads for the Java 8 update 261 (jdk's and jre's) do fail with "not found" (not just that Windows 64-bit one).  And FWIW, the links for Java 11 update 8 (which was also new last week) DO work. And I have compared the URLs to the 251 update links (which do work) and it seems the URLs for 261 are "right", so it must simply be that the files are not there. (There's a problem with the first two jdk links for 261, and it's true for 251 as well. I will create a new note, so that it stands out from this simply "confirmation" and so that Adobe might attend to it.)

Comment by Charlie Arehart

Adobe folks, there are some additional problems on the Java downloads page (beyond those mentioned by Michael and others in other comments here). Please note that the first two jdk links for updates 261 and 251 mistakenly refer to "241" in their links: http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u261-linux-i586.rpm http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u261-linux-i586.tar.gz and http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u251-linux-i586.rpm http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u251-linux-i586.tar.gz

Comment by Charlie Arehart