releases: Update with new Windows code signing certificate #18425

achow101 commented at 8:59 PM on March 24, 2020: member

The current Windows code signing certificate is about expire (on March 26th 2020). As I have volunteered to take over the Windows code signing duties, I've purchased a new Windows code signing certificate with the same CA and under the same organization (Bitcoin Core Code Signing Association).

A signature by the old certificate over the new certificate has been provided to me. This signature can be verified using

openssl cms -verify -inform pem -purpose any -content path/to/new/win-codesign.cert -CAfile path/to/old/win-codesign.cert -certfile path/to/old/win-codesign.cert

The verification should succeed and the new certificate will be printed out. This can be compared to the contents of win-codesign.cert.

Update with new Windows code signing certificate 3e0df92bf2

achow101 commented at 9:00 PM on March 24, 2020: member

If we plan on doing any further 0.19 releases, this will need to be backported to 0.19.

theuni approved

theuni commented at 9:04 PM on March 24, 2020: member

ACK 3e0df92bf216e1dce05ca9bf14049f2e42783c30.

Verified that the signature is good :p

Thanks for volunteering!

fanquake added the label Windows on Mar 24, 2020

laanwj added the label Needs backport (0.19) on Mar 25, 2020

laanwj added this to the milestone 0.20.0 on Mar 25, 2020

laanwj commented at 4:04 PM on March 25, 2020: member

ACK 3e0df92bf216e1dce05ca9bf14049f2e42783c30

I have successfully verified the signature;

$ git show 3e50fdbe4e5bb98194e88023468bd77dee78b26e:contrib/windeploy/win-codesign.cert > /tmp/old-win-codesign.cert
$ git show 3e0df92bf216e1dce05ca9bf14049f2e42783c30:contrib/windeploy/win-codesign.cert > /tmp/new-win-codesign.cert
$ openssl cms -verify -inform pem -purpose any -content /tmp/new-win-codesign.cert -CAfile /tmp/old-win-codesign.cert -certfile /tmp/old-win-codesign.cert > /tmp/cert1
-----BEGIN PKCS7-----
MIIC3AYJKoZIhvcNAQcCoIICzTCCAskCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwExggKkMIICoAIBATCBkTB8MQswCQYDVQQGEwJHQjEbMBkGA1UECBMS
R3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9T
ZWN0aWdvIExpbWl0ZWQxJDAiBgNVBAMTG1NlY3RpZ28gUlNBIENvZGUgU2lnbmlu
ZyBDQQIRALWcUnSOxv9FQW3xdaMDO6swDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZI
hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjAwMzI0MjA0ODM3
WjAvBgkqhkiG9w0BCQQxIgQgtLkmnuSQyczDlJSnJeqbi61p3iJ/rpFABrY8JWBO
o74weQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsG
CWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcN
AwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEggEA
XaCl3Q8HwI9VpLCb9OY9eQh0QOPyl1KWEc3TP3UvwZwR4/gXkfPOKKf19UnS8eRB
48SgUKRMYWoDYfSVUJRMda9BLkbJbQlHG3LFXhSY2alajpPXEHcMto/XPhVAmqzL
w6aSNY0Gaorow696JHpetpKqAAlL1r2GjeaPYi2aZyIAifuhay/qwA+ig0SqzGOw
UdgFZWMyS5yanq8/WlLCCql6kKOzT4tEqUaleD7R1q8BTcG2+fmhWR8WwJLpIV6y
7GAqt0Cocu8sYpTNBNk8iKHxzZ2hMZKJpH9lHZuiJ/9vSercrvDy2R4/MG+KnBWb
OyiFAt2mC51+63RhLOMJfg==
-----END PKCS7-----
Verification successful
$ dos2unix /tmp/cert1
$ diff -s /tmp/cert1  /tmp/new-win-codesign.cert
Files /tmp/cert1 and /tmp/new-win-codesign.cert are identical

laanwj merged this on Mar 25, 2020

laanwj closed this on Mar 25, 2020

fanquake referenced this in commit 0d0dd6ae96 on May 20, 2020

fanquake removed the label Needs backport (0.19) on May 20, 2020

MarcoFalke referenced this in commit 28a9df7d76 on Aug 11, 2020

DrahtBot locked this on Feb 15, 2022