Project

General

Profile

Task #2139

renew code signing cert for Windows

Added by Christian Lohmaier 11 months ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Target version:
Team - Recurring
Start date:
2018-05-01
Due date:
2018-08-01
% Done:

0%

Estimated time:

Description

Due to StartCom's validility being questioned (at least in Browser), look for alternatives. (current cert is valid until end of May 2018)

Note: We only needed an Extended Validility cert from StartCom, because their regular code-signing cert didn't support the corresponding flag in the cert.
As we don't do hardware drivers or kernel modules, we're fine with an Authenticode/Multi Purpose certificate.

The typical vendors come to mind:
Thawte, Symantec/Verisign, DigiCert

Price is around 200-250USD/year, depending on validation period (up to three years)

https://www.sslshopper.com/microsoft-authenticode-certificates.html
has a small (and slightly outdated) comparison, also includes GoDaddy

Other vendors are GlobalSign and Comodo.

cert_request_2017.req.asc (3.61 KB) cert_request_2017.req.asc signing request Christian Lohmaier, 2017-04-11 12:17

History

#1 Updated by Florian Effenberger 11 months ago

  • Target version set to Q1/2017

#2 Updated by Christian Lohmaier 11 months ago

Symantec messed up just recently, issuing a bunch of testcertificates second strike for them, so leaning towards digiCert at the moment.

#3 Updated by Florian Effenberger 10 months ago

Is digicert the way to go now, shall I proceed with them, or do you do further research?

#5 Updated by Christian Lohmaier 10 months ago

go with digicert I'd say. I'll create corresponding certificate signing request after reading their fine print

#6 Updated by Christian Lohmaier 8 months ago

signing request with:
CN = www.documentfoundation.org
C = DE
O = The Document Foundation
S = Berlin
L = Berlin
STREET = Kurf├╝rstendamm 188
E =
OU = LibreOffice Build Team

(and of course with "Enhanced Key Usage: Code Signing" and no Lifetime Signing (i.e. valid after cert expires). Also added Time Stamping and Microsoft Time Stamping like with the StartCom one in the past, sha256RSA, 4096bit keysize)

reassing to floeff for the digicert paperwork)

#7 Updated by Florian Effenberger 8 months ago

  • Target version changed from Q1/2017 to Q2/2017

#8 Updated by Florian Effenberger 8 months ago

  • Status changed from New to In Progress

Sorry, didn't get a hand on it before my vacation, will look into things afterwards

#9 Updated by Florian Effenberger 7 months ago

  • Assignee changed from Florian Effenberger to Christian Lohmaier

Kicked the process off, but had no option to upload the CSR so far
Right now validation is taking process

I'm listed as contact for the administrative purposes, you are listed as technical contact who will also receive the certificate

#10 Updated by Florian Effenberger 7 months ago

  • Status changed from In Progress to Closed

#11 Updated by Florian Effenberger 7 months ago

  • Due date set to 2018-08-01
  • Status changed from Closed to In Progress
  • Target version changed from Q2/2017 to Recurring

Certificate expires August 2018

#12 Updated by Christian Lohmaier 6 months ago

  • Subject changed from get new code signing cert for Windows to renew code signing cert for Windows
  • Status changed from In Progress to New
  • Start date set to 2018-05-01

three month advance notice is enough I'd say

Also available in: Atom PDF