Update NVDA's Authenticode code signing certificate

[michaelDCurran]

Link to issue number:

None.

Summary of the issue:

NVDA requires being signed with a trusted Authenticode code-signing certificate, so that it can access certain accessibility features on Windows such as UIAccess.
The current Authenticode certificate expires in July 2021.

Description of how this pull request fixes the issue:

NV access has purchased a new Authenticode certificate which expires in August 2024.
Due to updated Authenticode policies, this certificate uses a 3072 bit RSA, rather than 2048 bit.
This certificate has been securely encrypted by a secret (itself encrypted via our AppVeyor key). The encoded certificate replaces the older 2018 encoded certificate in this Git repository.
The encryption of the certificate is also significantly stronger
as it uses SHA256 instead of md5, a salt is now used, and a newer secret key derivation algorithm is now used, as recommended by openssl when decrypting the certificate in the past.
A more secure time stamping server is used, again upgraded to SHA256.

Testing strategy:

On Windows 10:

• Built NVDA locally. Installed and run. Ensured that NVDA could access another app running as administrator.
• Built NVDA on appVeyor as a try build. Installed and run. Ensured that NVDA could access another app running as administrator.

Known issues with pull request:

• The try build requires testing on Windows 8.1 and Windows 7. As the certificate has a 3072 bit RSA (per new regulations) I'm not quite sure how well this will go in Windows 7, as new intermediate and root certificates may be required...
• Currently on Windows 10 I need to disable Reputation-based protection in Windows Security Settings, as this is a new certificate and I'm the only person who has downloaded the file so far, thus Windows is hard-blocking it.

Change log entries:

New features
Changes
Bug fixes
For Developers

Code Review Checklist:

• Pull Request description is up to date.
• Unit tests.
• System (end to end) tests.
• Manual tests.
• User Documentation.
• Change log entry.
• Context sensitive help for GUI changes.

[lukaszgo1]

Enable -> Unable

[feerrenrut]

Looks good to me, just fix the enable / unable typo.

[lukaszgo1]

@michaelDCurran I've tested this try build on a fresh Win 7 SP1 vm which has never been connected to the network and this build works correctly i.e can be installed and NVDA can access applications running as admin. I've also tested on Windows 8 and programs running with admin privileges are accessible as well.

[feerrenrut]

Thanks for testing @lukaszgo1. Looks like we should hold off on this until these issues are resolved.

Bugs found running on Windows 8, looks like further changes will be required.

[LeonarddeR]

this build crashes for me when it tries to exit after successful installation whereas latest Alpha does not.

I also experienced a hard crash of NVDA after an update lately. I wonder whether the exit logic changes could be the cause of the issues you describe, rather than the certificate. Honestly I don't see how a certificate change can cause this kind of changes.

[michaelDCurran]

I tend to agree with Leonard here re the crash very likely being not related. However, I will delay merging this to master until after first beta of NVDA 2021.1 comes out, as there is no need for the certificate to be in the release, as long as it is made before July 26.

[AppVeyorBot]

• System test failure
• Build (for testing PR)

See test results for failed build of commit 228bdbf2ad

[feerrenrut]

certificate to be in the release, as long as it is made before July 26.

Will the signed release continue to be valid after July 26?

[michaelDCurran]

Yes. As we timestamp when signing, the certificate is then valid for ever.

[LeonarddeR]

In that case, I think it makes sense to have a merge asap.