Task #961

closed

get new signing-certificate for windows

Added by Christian Lohmaier over 9 years ago. Updated almost 9 years ago.

Status: Closed
Priority: High
Target version: -
Start date:
Due date: 2015-05-04
% Done: 0%


Description

See bug https://bugs.freedesktop.org/show_bug.cgi?id=86780

The StartCom Class 2 certificates explicitly disable the timestamping method to ensure that signatures are still valid after the certificate has expired.

In other words, the old builds signed with the old certificate (before April '14) no longer satisfy Windows's signature checking (all affected codelines are already EOL, and there's nothing to be done after the fact anyway).

The current signing certificate expires April '16 - and 4.4.x will already be EOL by then (Nov '15).

The question is whether to pick an Extended Validation certificate without that restriction or whether to stick with the Class 2 certificates with the premise that the expired builds are unsupported anyway...

Low Prio, as only relevant for 4.5 that has EOL/final release around expiration date.
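
The time check the description refers to, modelled as an added example (not part of the ticket or of the project's code): a build whose timestamp is honoured is judged at signing time, while a build whose certificate disables timestamping is judged at verification time. The function names, the timestamp_honoured flag and all dates are constructed for illustration; real Windows verification involves more than this time check.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def time_valid(not_before, not_after, now, timestamp=None, timestamp_honoured=True):
    """Time-validity part of a signature check; returns (ok, reason).

    timestamp: trusted countersignature time, or None if the build has none.
    timestamp_honoured: False models (as an assumption) a certificate that
    disables timestamping, so a timestamp cannot outlive the certificate.
    """
    if timestamp is not None and timestamp_honoured:
        # Judge the certificate at signing time, not at verification time.
        if not_before <= timestamp <= not_after:
            return True, "certificate was valid when the build was timestamped"
        return False, "certificate was not valid at the timestamp"
    # No usable timestamp: the certificate has to be valid right now.
    if now < not_before:
        return False, "certificate not yet valid"
    if now > not_after:
        return False, "certificate expired and no timestamp applies"
    return True, "certificate currently valid"

# Constructed sample data: months follow the ticket, exact days are made up.
OLD_CERT = {"not_before": utc(2012, 4, 1), "not_after": utc(2014, 4, 1)}
CUR_CERT = {"not_before": utc(2014, 4, 1), "not_after": utc(2016, 4, 1)}
BUILDS = {
    "old-cert build": dict(OLD_CERT, timestamp=utc(2013, 10, 1), timestamp_honoured=False),
    "current-cert build": dict(CUR_CERT, timestamp=utc(2015, 2, 1), timestamp_honoured=False),
    "unrestricted-cert build": dict(CUR_CERT, timestamp=utc(2015, 2, 1), timestamp_honoured=True),
}

def audit(builds, now):
    """Map each build name to whether its signature passes the time check."""
    return {name: time_valid(now=now, **b)[0] for name, b in builds.items()}

if __name__ == "__main__":
    for when in (utc(2015, 3, 1), utc(2016, 5, 1)):
        print(when.date(), audit(BUILDS, when))
```

Run at a date after April '16, only the build whose timestamp is honoured still passes, which is the difference between the two certificate options weighed in the description.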

Actions #1

Updated by Florian Effenberger over 9 years ago

I'm not sure if I'm the right assignee ;-)

Can you raise this in the ESC call, and poke me ~6 weeks before such an
EV certificate is needed? Then I'll take care of it

Actions #2

Updated by Christian Lohmaier over 9 years ago

  • Due date set to 2015-01-11

ESC thinks it's worth the money compared to having to deal with anxious users/support, etc.

To not run into problems with 4.5.x line being affected by the certificate switch, the new certificate should be available before April'15

Actions #3

Updated by Florian Effenberger over 9 years ago

Mailed StartSSL as three details are unknown to me on their site:

(1) Can EV certificates be issued with the organizational details, or will they always carry the personal data?

(2) Do you offer EV certificates for code signing?

(3) When I do an EV validation, can this account in the future only create EV certificates, or do I have a choice still? I'd like to keep the option of wildcard certificates for websites, which only works with non-EV certificates, I think.

Actions #4

Updated by Florian Effenberger over 9 years ago

All without problems, now preparing the paperwork, which requires some time

Actions #5

Updated by Florian Effenberger about 9 years ago

  • Status changed from New to In Progress

Request for EV SSL certificate filed now after having compiled all documents, now waiting for their feedback

Actions #6

Updated by Florian Effenberger about 9 years ago

  • Project changed from Infrastructure to Release Engineering
  • Subject changed from get new signing-certificate for windows? to get new signing-certificate for windows
  • Due date deleted (2015-01-11)
  • Assignee changed from Florian Effenberger to Christian Lohmaier
  • Priority changed from Low to Normal

We are now EV validated with StartSSL, so it's time to think about creating the proper code signing certificate.
We probably have "one shot", otherwise have to revoke for a fee, so that should be well handled.

I can only help out with S/MIME certificates, where I usually use something like

openssl req -sha512 -new -newkey rsa:4096 -keyout site.pem -out site.csr -passout pass:12345 -subj "/C=$(echo $GEOLOCATION | tr '[:lower:]' '[:upper:]')/ST=NA/L=NA/O=NA/OU=NA/CN=$FQDN/emailAddress=$ROOTRECIPIENT" 

whereas StartSSL might only support SHA256. I need a CSR to file with StartSSL

Actions #7

Updated by Florian Effenberger about 9 years ago

Additional note from https://www.startssl.com/?app=30
"First EV certificate is included, every additional EV certificate only US$ 49.90. "

Actions #8

Updated by Florian Effenberger about 9 years ago

  • Due date set to 2015-03-15
  • Priority changed from Normal to High

Raising priority and assigning due date

Actions #9

Updated by Florian Effenberger about 9 years ago

  • Due date changed from 2015-03-15 to 2015-05-04

In time for beta is sufficient, Cloph stated

Actions #10

Updated by Florian Effenberger almost 9 years ago

Did the new certificate I sent you work out?
If so, let's arrange for a safe way to also give me access to the private key, so I can store it safely somewhere (preferably offline)
Maybe during our Essen meeting?

Actions #11

Updated by Florian Effenberger almost 9 years ago

  • Status changed from In Progress to Closed