On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
> On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster wrote:
>> On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
>>> Windows is showing SmartScreen warnings when trying to run
>>> the Windows installer. Also, the installed version reports as
>>> v2.100.2-dirty.
>> The next few releases are unsigned as those with the keys
>> cannot be contacted (or that's what I've heard.)
> Code signing certs have been expired for nearly two years now,
> and are no longer functional. It is not yet decided what this
> should be replaced with, granted that buying a cert now is both
> eye-wateringly more expensive compared to 2016, and appears to
> force you to have some form of 2FA - be it a hardware token or a
> cloud signing platform.
Last time I had to do this:

Basically you have Certum.pl, which provides cloud signing. This
company responds quickly; getting an individual OV certificate
takes about 2-3 days.
"Cloud" signing needs a phone token, a phone app (SimplySign),
that lasts 15 minutes or so.
On the other hand, .p12/.pfx vendors are almost entirely
COMODO/Sectigo now. It works offline, but getting a certificate is
more painful with them and will require a hardware token even for
OV beginning this month.
0. It's less hassle not to do anything, but, well, we could have a
supply-chain attack one day.
1. If the cloud/SimplySign workflow is OK, Certum may be less hassle.
2. Possibly safer / fewer problems in the build to just get the EV
from Sectigo on a hardware token. Especially if you commit the
secret in CI.

Since November, signing will require a hardware token or a private key
in the cloud (2FA).
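For readers hitting the SmartScreen warning described at the top of the thread, the check below is an added example (not code from the thread or from the D project) that inspects a downloaded installer's Authenticode status and SHA-256 before running it. The installer file name and path are assumptions; replace them with the real download location.

```powershell
# Added example: inspect an installer's Authenticode signature and hash before running it.
# The default path and file name are hypothetical; point it at the real download.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\dmd-installer.exe"
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found: $Path"
    }

    # Signature object: Status is Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File        = $Path
        Sha256      = $hash
        Status      = $sig.Status
        Message     = $sig.StatusMessage
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }  else { $null }
        NotAfter    = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        # A timestamp countersignature keeps a signature valid after the signing cert expires.
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

$result = Test-InstallerSignature -Path $InstallerPath
$result | Format-List

switch ($result.Status) {
    'Valid' {
        Write-Host "Signature chain verified. Still compare Sha256 with the hash the project publishes."
    }
    'NotSigned' {
        Write-Warning "Unsigned binary (expected for the releases discussed above). Compare Sha256 with the published hash before running."
    }
    default {
        Write-Warning "Signature problem: $($result.Message). Do not run until this is understood."
    }
}
```

The `Timestamped` field matters for the expiry discussion above: a release signed while the certificate was valid and countersigned by a timestamp server still verifies after that certificate expires, whereas a signature without a timestamp does not. For the unsigned builds, the SHA-256 comparison against a hash obtained over a separate trusted channel is the only integrity check available.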