Just a heads-up, primarily for Marc-Andre, but letting everyone know for
Next time we need to renew the PSF code signing certificate used for
Windows releases, we will need to use a different CA.
Our current certificate is from StartCom, who are losing their status as
a trusted CA on Windows, which means any of their certificates issued
after the 26th of September this year will be treated as invalid:
The certificate we have right now is valid through February 2019, so
there's no urgency to change (unless we want to avoid the risk of
"accidental certificate revocation", which is one of the reasons
Microsoft has lost trust in StartCom). Because the revocation of the
root CA has a start date, all of our current releases and future
releases with the current certificate will be fine.
Since this will likely harm StartCom's business, it's very likely that
they will get their act together and by the time we come to renew
they'll be acceptable again. But we probably do want to be planning
ahead to switch CA regardless.
And for our macOS and Linux friends who may be uncertain what I'm
referring to: this is the certificate embedded in the installer and
every executable binary in our Windows distributions. It has nothing to
do with GPG or the signature files you can download from python.org
(these are still associated with my personal and completely unverified
key, which is fine since nobody on Windows actually cares about GPG :) ).
Python-Dev mailing list
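The distinction drawn above (an Authenticode signature embedded in the installer and each executable, whose acceptance on Windows depends on whether the signing certificate was issued before the CA-distrust cutoff) can be checked on any release binary. The script below is an added example, not part of the original message and not CPython's own release tooling; it assumes only the built-in `Get-AuthenticodeSignature` cmdlet and the .NET `X509Chain` class, and the file path and cutoff date are placeholders supplied by the caller.

```powershell
# Added example: inspect the Authenticode signature on a Windows binary or
# installer and report whether the signing certificate was issued after a
# CA-distrust cutoff date. Not from the original message or CPython's tooling.
function Test-SigningCertCutoff {
    param(
        [Parameter(Mandatory = $true)][string]$Path,     # placeholder: any signed .exe/.msi
        [Parameter(Mandatory = $true)][datetime]$Cutoff  # date from the CA's distrust notice
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        Write-Warning ("{0}: no signer certificate (status {1})" -f $Path, $sig.Status)
        return
    }

    # Build the chain as the local machine sees it, so the reported root and
    # any chain errors reflect the trust store the signature is judged against.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        File              = $Path
        Status            = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer            = $cert.Subject
        Issuer            = $cert.Issuer
        Root              = $root.Subject
        ChainBuilt        = $built
        ChainStatus       = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        NotBefore         = $cert.NotBefore
        NotAfter          = $cert.NotAfter
        Timestamped       = ($null -ne $sig.TimeStamperCertificate)
        IssuedAfterCutoff = ($cert.NotBefore -gt $Cutoff)
    }
}

# Placeholder invocation; substitute the real installer path and the cutoff
# date published by the CA or by Microsoft for that CA.
Test-SigningCertCutoff -Path 'C:\Downloads\python-installer.exe' -Cutoff '2017-01-01' |
    Format-List
```

`Status` reports what the local trust store thinks today, so it will say `Valid` for a certificate issued before the cutoff even after the CA has been distrusted; `IssuedAfterCutoff` is the field that tells you whether a renewal from the same CA would still be accepted. `Timestamped` matters for older releases: an Authenticode signature with a trusted timestamp countersignature stays verifiable after the signing certificate's `NotAfter` date, which is why releases signed with the current certificate remain fine past its expiry.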