Update Windows code signing certificate #22017

Merged
merged 1 commit into from
May 27, 2021

achow101
Member

Updates the Windows code signing certificate to a new one issued by Digicert. This certificate has been issued to Bitcoin Core Code Signing LLC registered in Delaware, US. Note that this is different from the previous Bitcoin Core Code Signing Association registered in Zurich, Switzerland as it was unable to meet the validation requirements in time.

@achow101
Member Author

Needs backport to 0.21, 0.20, and 0.19.

Once this is merged into the previous branches, we should make 0.21.1.1, 0.21.0.1, 0.20.1.1, 0.20.0.1, and 0.19.2.1 releases as these are either unsigned or signed with the previous key which was revoked.

@Sjors
Member

Sjors commented May 21, 2021

Is there a timeline on the Zurich alternative? We've been unable to sign Windows releases for a while, so unless it's a matter of days, I'm concept ACK on just going ahead with this.

These 0.*.*.1 releases would be windows-only? What is the point of v0.20.0.1? It seems better to just release v0.20.2 since the 0.20 branch has plenty of improvements since v0.20.1.

@achow101
Member Author

> Is there a timeline on the Zurich alternative? We've been unable to sign Windows releases for a while, so unless it's a matter of days, I'm concept ACK on just going ahead with this.

There is no timeline. We're still waiting for the registration with the government to go through, but there's no ETA on when that will be. Then we'd have to wait a few more days for Digicert to issue the certificate.

> These 0.*.*.1 releases would be windows-only?

Yes, Windows only.

> What is the point of v0.20.0.1? It seems better to just release v0.20.2 since the 0.20 branch has plenty of improvements since v0.20.1.

The idea was that each release we have done previously which used the revoked cert should be re-released so that if people wanted to use them (and not a future minor release on the branch) they could. But perhaps that is not something we want to do.

@Sjors
Member

Sjors commented May 21, 2021

> But perhaps that is not something we want to do.

That seems a bit overkill.

maflcko pushed a commit to maflcko/bitcoin-core that referenced this pull request May 22, 2021
@maflcko
Member

maflcko commented May 22, 2021

Backported in #22022 (assuming the commit with that hash is merged into master)

@bitcoin bitcoin deleted a comment from gremen1918 May 22, 2021
maflcko pushed a commit to maflcko/bitcoin-core that referenced this pull request May 22, 2021
@Sjors
Member

Sjors commented May 22, 2021

utACK 167fb1f

I imported it in the macOS keychain manager and the certificate looks sane to me:
[Screenshot 2021-05-22 at 13:54:40]

I guess the way to test this is with the GUIX build in #21239 or the upcoming Gitian builds.

This one year expiration is not an issue, as long as it's not revoked?

@achow101
Member Author

> This one year expiration is not an issue, as long as it's not revoked?

Yes. CAs now only issue 1 year certs.

@jonasschnelli
Contributor

> Is there a timeline on the Zurich alternative? We've been unable to sign Windows releases for a while, so unless it's a matter of days, I'm concept ACK on just going ahead with this.

It's hard to give an estimation right now. We are waiting for all the paperwork to complete and the stamp from the government so it will be listed in the official registers. Once there, we hopefully can get code signing certificates again.

@laanwj
Member

laanwj commented May 27, 2021

ACK 167fb1f
We can always switch the cert again if there's a different one we want to use.

@laanwj laanwj merged commit 2e8f392 into bitcoin:master May 27, 2021
laanwj pushed a commit that referenced this pull request May 27, 2021
Github-Pull: #22017
Rebased-From: 167fb1f
Tree-SHA512: 03012adf45c14325a687cb75dcdcfa41ff570c2a02c31cd82e15e4ef21f1b5a0388b8bae31d50bd761c7fb1e3721b623c34142f6a486b46be6c152c35e01aa3f
laanwj pushed a commit that referenced this pull request May 27, 2021
Github-Pull: #22017
Rebased-From: 167fb1f
Tree-SHA512: adceda1ab930eb093ed1b4d0544b43f1a1469db8245e84ae47b26c55bab54c9612a9d9916fcd647ba79691e0faf4e79567b4c0d25804fd684169e52d73412755
@fanquake
Member

The backport of this change was done for 0.20 in 5563154 and 0.19 in 461b9b1.

@hebasto hebasto mentioned this pull request Mar 13, 2022
gwillen pushed a commit to ElementsProject/elements that referenced this pull request Jun 1, 2022
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Aug 18, 2022