On Friday, 4 November 2022 at 12:39:04 UTC, Guillaume Piolat wrote:
On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster wrote:
On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
Windows is showing SmartScreen warnings when trying to run
the Windows installer. Also, the installed version reports
as v2.100.2-dirty.
The next few releases are unsigned as those with the keys
cannot be contacted (or, that's from what I've heard.)
Code signing certs have been expired for nearly two years now,
and are no longer functional. It is not yet decided what this
should be replaced with, granted that buying a cert now is
both eye-wateringly more expensive compared to 2016, and
appears to force you to have some form of 2FA - be it hardware
token or cloud signing platform.
Last time I had to do this:
Basically you have Certum.pl, which provides cloud signing; this
company responds quickly, and getting an individual OV certificate
takes about 2-3 days.
"Cloud" signing needs a phone token, via a phone app, SimplySign,
that lasts 15 minutes or so.
If this can be distributed between a group of people - let's say
six or more - that might be OK, but not exactly as seamless as,
say, just triggering a GitHub runner pipeline and walking away.
On the other hand, .p12/.pfx vendors are almost entirely
COMODO/Sectigo now, it works offline, getting a certificate is
more painful with them and will require a hardware token even
for OV beginning this month.
0. It's less hassle not to do anything, but well we could have
a supply-chain attack one day.
1. If cloud/simplysign workflow is OK, Certum may be less
hassle.
2. Possibly safer / fewer problems in the build to just get the EV
from Sectigo on a hardware token. Especially if you commit the
secret in CI.
Since November, signing will require a hardware token or a private
key in the cloud (2FA).
What does "in a hardware token" mean for us? Is it required to have
it to hand every time we have to sign a beta, rc, or final release
binary? Does it bind us to a specific OS because of locked-in
proprietary tools? In what way would it hamper the ability to
sign built binaries on a virtual machine, on a remote server,
behind a read-only console UI?
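As an added example (not code from the thread, DMD, or any of the vendors mentioned), the following PowerShell script shows the two operations the discussion revolves around: checking the Authenticode status of a downloaded installer, which is the property SmartScreen reacts to, and signing a build with a certificate whose private key sits on a hardware token and is therefore only reachable from a machine with the token plugged in and the vendor's middleware installed. The installer path, the certificate thumbprint and the timestamp server URL are placeholders, not values taken from the thread.

```powershell
# Added example, not part of the original thread.
# Assumptions: $InstallerPath points at the downloaded installer; $Thumbprint is the
# SHA-1 thumbprint of a code-signing certificate visible in the Windows certificate
# store (for a hardware token, that requires the token's middleware to be installed
# and the token to be attached to this machine). Both are placeholders.
param(
    [string]$InstallerPath = ".\installer.exe",
    [string]$Thumbprint    = ""
)

# 1. Verify. Get-AuthenticodeSignature is built into PowerShell; Status is one of
#    NotSigned, Valid, HashMismatch, UnknownError, ... An unsigned or invalid file
#    is what triggers the SmartScreen warning the thread starts with.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
[pscustomobject]@{
    File        = $InstallerPath
    Status      = $sig.Status
    Message     = $sig.StatusMessage
    Signer      = $sig.SignerCertificate.Subject      # $null when unsigned
    NotAfter    = $sig.SignerCertificate.NotAfter     # certificate expiry
    TimeStamped = [bool]$sig.TimeStamperCertificate   # RFC 3161 countersignature present?
}

if ($sig.Status -ne 'Valid') {
    Write-Warning "Unsigned or invalid signature: SmartScreen will flag this file on first run."
}

# 2. Sign. signtool picks the certificate by thumbprint (/sha1); when the key lives on
#    a hardware token the token driver prompts for the PIN interactively, which is why
#    this step does not fit an unattended CI runner without the token attached or a
#    cloud signing service in between. /tr adds an RFC 3161 timestamp so the signature
#    stays valid after the certificate itself expires; the timestamp URL is assumed.
if ($Thumbprint) {
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 `
        /tr http://timestamp.digicert.com /td SHA256 $InstallerPath
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed with exit code $LASTEXITCODE"
    }
    # Re-check after signing; the result should now be Valid with TimeStamped = True.
    (Get-AuthenticodeSignature -FilePath $InstallerPath).Status
}
```

Run it once without a thumbprint to inspect a downloaded release; the Status and NotAfter fields are what a user would want to see before clicking through a SmartScreen prompt. The timestamp matters for the expiry problem raised above: a timestamped signature made while the certificate was valid keeps verifying after the certificate expires, whereas an untimestamped one does not.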