Task #2139

renew code signing cert for Windows

Added by Christian Lohmaier almost 2 years ago. Updated 4 months ago.

Status: New
Priority: Normal
Target version: Team - Recurring
Start date:
Due date: 2019-05-02
% Done: 0%
Estimated time:

Description

Due to StartCom's validity being questioned (at least in browsers), look for alternatives. (The current cert is valid until end of May 2018.)

Note: We only needed an Extended Validation cert from StartCom, because their regular code-signing cert didn't support the corresponding flag in the cert.
As we don't do hardware drivers or kernel modules, we're fine with an Authenticode/Multi Purpose certificate.

The typical vendors come to mind:
Thawte, Symantec/Verisign, DigiCert

Price is around 200-250 USD/year, depending on validation period (up to three years).

https://www.sslshopper.com/microsoft-authenticode-certificates.html
has a small (and slightly outdated) comparison, also includes GoDaddy

Other vendors are GlobalSign and Comodo.

Attachment: cert_request_2017.req.asc (3.61 KB), signing request, Christian Lohmaier, 2017-04-11 12:17

History

#1 Updated by Florian Effenberger almost 2 years ago

  • Target version set to Q1/2017

#2 Updated by Christian Lohmaier over 1 year ago

Symantec messed up just recently, issuing a bunch of test certificates; second strike for them, so leaning towards DigiCert at the moment.

#3 Updated by Florian Effenberger over 1 year ago

Is DigiCert the way to go now, shall I proceed with them, or do you do further research?

#5 Updated by Christian Lohmaier over 1 year ago

Go with DigiCert I'd say. I'll create the corresponding certificate signing request after reading their fine print.

#6 Updated by Christian Lohmaier over 1 year ago

signing request with:
CN = www.documentfoundation.org
C = DE
O = The Document Foundation
S = Berlin
L = Berlin
STREET = Kurfürstendamm 188
E =
OU = LibreOffice Build Team

(and of course with "Enhanced Key Usage: Code Signing" and no Lifetime Signing (i.e. valid after cert expires). Also added Time Stamping and Microsoft Time Stamping like with the StartCom one in the past, sha256RSA, 4096bit keysize)

(reassigning to floeff for the DigiCert paperwork)

#7 Updated by Florian Effenberger over 1 year ago

  • Target version changed from Q1/2017 to Q2/2017

#8 Updated by Florian Effenberger over 1 year ago

  • Status changed from New to In Progress

Sorry, didn't get a hand on it before my vacation, will look into things afterwards

#9 Updated by Florian Effenberger over 1 year ago

  • Assignee changed from Florian Effenberger to Christian Lohmaier

Kicked the process off, but had no option to upload the CSR so far.
Right now validation is taking place.

I'm listed as contact for the administrative purposes, you are listed as technical contact who will also receive the certificate

#10 Updated by Florian Effenberger over 1 year ago

  • Status changed from In Progress to Closed

#11 Updated by Florian Effenberger over 1 year ago

  • Due date set to 2018-08-01
  • Status changed from Closed to In Progress
  • Target version changed from Q2/2017 to Recurring

Certificate expires August 2018

#12 Updated by Christian Lohmaier over 1 year ago

  • Subject changed from get new code signing cert for Windows to renew code signing cert for Windows
  • Status changed from In Progress to New
  • Start date set to 2018-05-01

Three months' advance notice is enough I'd say.

#13 Updated by Florian Effenberger 8 months ago

  • Due date changed from 2018-08-01 to 2018-05-01
  • Start date deleted (2018-05-01)

Agreed - but to make it better visible, let's set due date to May 1, so we can have it in the ticket list accordingly
Start date is only shown in ticket details and not relevant for sorting ;-)

#14 Updated by Florian Effenberger 6 months ago

Cloph, can you have a look at the formalities over the next days? I.e. what is required from my side wrt. proof and how to handle things with the private key. If we can recreate the private key, that IMHO can't hurt, but final call is yours of course

#15 Updated by Florian Effenberger 4 months ago

  • Due date changed from 2018-05-01 to 2019-05-02

#16 Updated by Christian Lohmaier 4 months ago

for future reference: no new CSR is needed, hitting renew cert button and having payment details ready is all that's needed. After processing we get a link to install the cert into browser / export it from there to add to windows.
No problems observed with the renewed cert/also already distributed to Xisco, so sleeping til next year.
