Update Windows code signing certificate #22017
achow101 wants to merge 1 commit into bitcoin:master from achow101:2021-win-codesign-cert, changing 1 file (+83 −94)
achow101 commented at 4:47 PM on May 21, 2021: member
Updates the Windows code signing certificate to a new one issued by Digicert. This certificate has been issued to Bitcoin Core Code Signing LLC registered in Delaware, US. Note that this is different from the previous Bitcoin Core Code Signing Association registered in Zurich, Switzerland as it was unable to meet the validation requirements in time.
-
Update Windows code signing certificate 167fb1fc72
-
achow101 commented at 4:50 PM on May 21, 2021: member
Needs backport to 0.21, 0.20, and 0.19.
Once this is merged into the previous branches, we should make 0.21.1.1, 0.21.0.1, 0.20.1.1, 0.20.0.1, and 0.19.2.1 releases as these are either unsigned or signed with the previous key which was revoked.
-
Sjors commented at 4:51 PM on May 21, 2021: member
Is there a timeline on the Zurich alternative? We've been unable to sign Windows releases for a while, so unless it's a matter of days, I'm concept ACK on just going ahead with this.
These 0.*.*.1 releases would be windows-only? What is the point of v0.20.0.1? It seems better to just release v0.20.2 since the 0.20 branch has plenty of improvements since v0.20.1.
- DrahtBot added the label Scripts and tools on May 21, 2021
-
achow101 commented at 5:19 PM on May 21, 2021: member
> Is there a timeline on the Zurich alternative? We've been unable to sign Windows releases for a while, so unless it's a matter of days, I'm concept ACK on just going ahead with this.

There is no timeline. We're still waiting for the registration with the government to go through, but there's no ETA on when that will be. Then we'd have to wait a few more days for Digicert to issue the certificate.

> These 0.*.*.1 releases would be windows-only?

Yes, Windows only.

> What is the point of v0.20.0.1? It seems better to just release v0.20.2 since the 0.20 branch has plenty of improvements since v0.20.1.

The idea was that each release we have done previously which used the revoked cert should be re-released so that if people wanted to use them (and not a future minor release on the branch) they could. But perhaps that is not something we want to do.
-
Sjors commented at 7:20 PM on May 21, 2021: member
> But perhaps that is not something we want to do.

That seems a bit overkill.
- MarcoFalke added the label Needs backport (0.19) on May 22, 2021
- MarcoFalke added the label Needs backport (0.20) on May 22, 2021
- MarcoFalke added the label Needs backport (0.21) on May 22, 2021
- MarcoFalke referenced this in commit 3555a5e332 on May 22, 2021
-
MarcoFalke commented at 8:02 AM on May 22, 2021: member
Backported in #22022 (assuming the commit with that hash is merged into master)
- MarcoFalke removed the label Needs backport (0.21) on May 22, 2021
- fanquake deleted a comment on May 22, 2021
- MarcoFalke referenced this in commit 09620b89f5 on May 22, 2021
-
Sjors commented at 11:56 AM on May 22, 2021: member
utACK 167fb1f
I imported it in the macOS keychain manager and certificate looks sane to me: <img width="531" alt="Schermafbeelding 2021-05-22 om 13 54 40" src="https://user-images.githubusercontent.com/10217/119225660-51690600-bb05-11eb-9695-95fdcfc42283.png">
I guess the way to test this is with the GUIX build in #21239 or the upcoming Gitians builds.
This one year expiration is not an issue, as long as it's not revoked?
-
achow101 commented at 5:28 PM on May 25, 2021: member
> This one year expiration is not an issue, as long as it's not revoked?

Yes. CAs now only issue 1 year certs.
-
jonasschnelli commented at 7:15 PM on May 27, 2021: contributor
> Is there a timeline on the Zurich alternative? We've been unable to sign Windows releases for a while, so unless it's a matter of days, I'm concept ACK on just going ahead with this.

It's hard to give an estimation right now. We are waiting for all the paperwork to complete and the stamp from the government so it will be listed in the official registers. Once there, we hopefully can get code signing certificates again.
-
laanwj commented at 7:51 PM on May 27, 2021: member
ACK 167fb1fc72e309587a8ef1d7844cb51a5483f54f
We can always switch the cert again if there's a different one we want to use.
- laanwj merged this on May 27, 2021
- laanwj closed this on May 27, 2021
- laanwj referenced this in commit 55631547ea on May 27, 2021
- laanwj referenced this in commit 461b9b11b2 on May 27, 2021
-
fanquake commented at 7:34 AM on May 31, 2021: member
The backport of this change was done for 0.20 in https://github.com/bitcoin/bitcoin/commit/55631547ea88847b6cdf3b4ef7c46525fde24d78 and 0.19 in https://github.com/bitcoin/bitcoin/commit/461b9b11b20a92a920a9ffee001b8694c122a4fa.
- fanquake removed the label Needs backport (0.19) on May 31, 2021
- fanquake removed the label Needs backport (0.20) on May 31, 2021
- gwillen referenced this in commit 352ae654d7 on Jun 1, 2022
- DrahtBot locked this on Aug 18, 2022