Update NVDA's Authenticode code signing certificate #12398
This certificate is now valid until August 2024, and is 3072 bit instead of 2048 bit. The certificate as stored in this repository is also now encrypted much more strongly, using SHA256, PBKDF2 and a salt.
appveyor.yml
openssl enc -d -md sha256 -aes-256-cbc -pbkdf2 -salt -pass pass:$env:secure_authenticode_pass -in authenticode.pfx.enc -out authenticode.pfx | ||
if($LastExitCode -ne 0) { | ||
$errorCode=$LastExitCode | ||
Add-AppveyorMessage "Enable to decrypt authenticode certificate" |
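Review bot: on the `openssl enc -d` line, `-pass pass:$env:secure_authenticode_pass` makes PowerShell expand the secret into the openssl command line, where it can surface in process listings or echoed commands; `-pass env:secure_authenticode_pass` has openssl read the environment variable itself. `-salt` has no effect together with `-d`, because the salt is read from the header of `authenticode.pfx.enc`, so it can be dropped. The decrypted `authenticode.pfx` is written into the working directory and nothing in the visible lines removes it once signing is done; deleting it in a later step keeps it out of build artifacts. The message "Enable to decrypt authenticode certificate" should read "Unable".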
Enable -> Unable
Looks good to me, just fix the enable / unable typo.
@michaelDCurran I've tested this try build on a fresh Win 7 SP1 VM which has never been connected to the network and this build works correctly, i.e. can be installed and NVDA can access applications running as admin. I've also tested on Windows 8 and programs running with admin privileges are accessible as well.
Thanks for testing @lukaszgo1. Looks like we should hold off on this until these issues are resolved.
Bugs found running on Windows 8, looks like further changes will be required.
I also experienced a hard crash of NVDA after an update lately. I wonder whether the exit logic changes could be the cause of the issues you describe, rather than the certificate. Honestly I don't see how a certificate change can cause this kind of change.
I tend to agree with Leonard here re the crash very likely being not related. However, I will delay merging this to master until after first beta of NVDA 2021.1 comes out, as there is no need for the certificate to be in the release, as long as it is made before July 26.
See test results for failed build of commit 228bdbf2ad
Will the signed release continue to be valid after July 26?
Yes. As we timestamp when signing, the certificate is then valid for ever.
In that case, I think it makes sense to have a merge asap.
Link to issue number:
None.
Summary of the issue:
NVDA requires being signed with a trusted Authenticode code-signing certificate, so that it can access certain accessibility features on Windows such as UIAccess.
The current Authenticode certificate expires in July 2021.
Description of how this pull request fixes the issue:
NV Access has purchased a new Authenticode certificate which expires in August 2024.
Due to updated Authenticode policies, this certificate uses a 3072 bit RSA, rather than 2048 bit.
This certificate has been securely encrypted by a secret (itself encrypted via our AppVeyor key). The encoded certificate replaces the older 2018 encoded certificate in this Git repository.
The encryption of the certificate is also significantly stronger, as it uses SHA256 instead of MD5, a salt is now used, and a newer secret key derivation algorithm is now used, as recommended by OpenSSL when decrypting the certificate in the past.
A more secure time stamping server is used, again upgraded to SHA256.
Testing strategy:
On Windows 10:
Known issues with pull request:
Change log entries:
New features
Changes
Bug fixes
For Developers
Code Review Checklist:
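The change in key derivation described in the pull request text, as an added example that is not NVDA's or OpenSSL's own code: a Python re-implementation of how `openssl enc` turns a passphrase and the file's salt into an AES-256-CBC key and IV, first the older way with MD5 and then with `-md sha256 -pbkdf2`. The 10000 iterations are OpenSSL's default when `-iter` is not given (as in the command above); the sample bytes, the passphrase and all function names are constructed for illustration.

```python
import hashlib
import math

MAGIC = b"Salted__"  # marker `openssl enc -salt` writes ahead of the 8-byte salt

def parse_header(blob: bytes):
    """Split a salted `openssl enc` file into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no Salted__ header: file was not encrypted with a salt")
    return blob[8:16], blob[16:]

def legacy_kdf(password: bytes, salt: bytes, digest="md5", key_len=32, iv_len=16):
    """EVP_BytesToKey with a single round: the derivation used without -pbkdf2."""
    out, block = b"", b""
    while len(out) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]

def pbkdf2_kdf(password: bytes, salt: bytes, digest="sha256",
               iterations=10000, key_len=32, iv_len=16):
    """PBKDF2-HMAC: the derivation used with -pbkdf2; key first, then IV."""
    out = hashlib.pbkdf2_hmac(digest, password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:]

def primitive_calls_per_guess(pbkdf2: bool, digest: str, iterations=10000, need=48):
    """Digest calls (legacy) or HMAC calls (PBKDF2) to test one candidate passphrase."""
    blocks = math.ceil(need / hashlib.new(digest).digest_size)
    return blocks * iterations if pbkdf2 else blocks

# Constructed sample: header, salt and 16 placeholder ciphertext bytes (not real data).
SAMPLE = MAGIC + bytes.fromhex("0011223344556677") + bytes(16)
PASSWORD = b"example-passphrase"  # constructed, not the project's secret

if __name__ == "__main__":
    salt, _ = parse_header(SAMPLE)
    for name, (key, iv) in (("md5, no pbkdf2", legacy_kdf(PASSWORD, salt)),
                            ("sha256 + pbkdf2", pbkdf2_kdf(PASSWORD, salt))):
        print(f"{name}: key={key.hex()} iv={iv.hex()}")
    print("work per guess:",
          primitive_calls_per_guess(False, "md5"), "MD5 calls vs",
          primitive_calls_per_guess(True, "sha256"), "HMAC-SHA256 calls")
```

The file format cannot tell you which derivation was used, so the decrypting side has to pass the same `-md`, `-pbkdf2` and `-iter` choices that were used to encrypt.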