windeploy: Renewed windows code signing certificate

achow101 commented at 5:19 pm on May 24, 2022: member

The current windows code signing certificate expires on May 26 23:59:59 2022 GMT. I have purchased a new code signing certificate which will expire on May 29 23:59:59 2024 GMT.

windeploy: Renewed windows code signing certificate 7e9fe6d800

DrahtBot added the label Scripts and tools on May 24, 2022

laanwj added the label Needs backport (22.x) on May 24, 2022

laanwj added the label Needs backport (23.x) on May 24, 2022

laanwj commented at 6:25 pm on May 24, 2022: member

Concept ACK, thanks for updating the cert.

laanwj commented at 1:43 pm on May 26, 2022: member

This is the data inside the certificates file, dumped with:

0$ csplit contrib/windeploy/win-codesign.cert '/-----BEGIN CERTIFICATE-----/' '{*}'
1$ openssl x509 -in xx01 -text 
2$ openssl x509 -in xx02 -text 
3$ openssl x509 -in xx03 -text

  0Certificate:
  1    Data:
  2        Version: 3 (0x2)
  3        Serial Number:
  4            0a:65:6f:75:06:a5:ef:65:36:43:16:d4:4d:3d:d2:45
  5        Signature Algorithm: sha256WithRSAEncryption
  6        Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
  7        Validity
  8            Not Before: May 24 00:00:00 2022 GMT
  9            Not After : May 29 23:59:59 2024 GMT
 10        Subject: C = US, ST = Delaware, L = Lewes, O = Bitcoin Core Code Signing LLC, CN = Bitcoin Core Code Signing LLC
 11        Subject Public Key Info:
 12            Public Key Algorithm: rsaEncryption
 13                Public-Key: (4096 bit)
 14                Modulus:
 15                    00:b7:b0:c5:f8:f3:b6:e4:53:0c:d0:06:7f:bc:e4:
 16                    aa:a5:8d:12:dd:bc:09:99:95:24:7a:18:96:d5:51:
 17                    c6:d1:35:04:fe:39:05:f9:a9:b4:7e:5e:33:52:42:
 18                    fd:7a:2c:4c:fc:ad:1d:11:5e:3a:43:b8:61:50:2d:
 19                    88:42:f1:2b:d4:bf:f3:63:99:94:a0:3b:33:1e:cf:
 20                    5b:ab:ef:d7:5f:38:bb:cf:a6:3f:75:a9:4c:df:ca:
 21                    01:94:da:5b:d7:c1:d0:42:d3:48:2b:aa:b2:f5:ea:
 22                    d9:ca:cc:d9:3e:cd:b9:d2:67:4b:25:a1:d9:50:63:
 23                    2d:f3:cf:08:07:18:c3:3c:86:29:06:e5:8d:05:a3:
 24                    14:42:43:25:61:4a:f3:7b:7d:98:af:ef:d1:64:20:
 25                    03:78:c6:25:e6:b3:f9:5e:82:61:73:12:ed:48:29:
 26                    74:6f:1d:52:18:3d:a3:ad:e0:60:96:40:5b:9a:58:
 27                    44:8b:0d:45:c2:42:33:92:c7:87:01:0c:5b:9d:f6:
 28                    f5:4b:13:99:80:9f:3f:bf:f9:dd:e9:9e:a5:b4:34:
 29                    9f:c8:a3:55:98:e0:68:9f:8b:67:c3:6c:a4:12:d2:
 30                    78:28:85:f5:43:c2:29:7f:36:b9:68:90:01:44:db:
 31                    60:70:9f:4a:2d:c8:d1:fd:f0:42:27:57:2f:d6:58:
 32                    f8:f5:e6:6a:53:3b:04:cb:90:f9:cd:b1:11:c9:7d:
 33                    ec:29:e1:ac:3c:f1:10:1c:19:be:f3:82:f7:01:a8:
 34                    1b:ef:3e:7a:95:78:4e:35:19:59:ff:bb:40:dd:59:
 35                    61:e8:35:ad:a8:bb:73:b7:3c:bb:d2:0b:a2:01:3c:
 36                    b2:ed:b1:56:8c:f7:df:74:c7:08:3b:d2:70:88:27:
 37                    41:79:a4:f9:c6:ca:30:1b:60:f6:43:34:17:e6:8b:
 38                    5a:c3:76:c5:57:f4:b8:08:f7:53:bb:1d:5c:ba:df:
 39                    25:e5:b4:0d:92:24:b5:6b:53:05:0c:d7:3b:f3:84:
 40                    e0:a6:be:d5:61:67:0e:0d:07:24:88:a1:d1:c4:e3:
 41                    97:d6:18:bd:f7:b9:dc:be:29:08:6c:be:a8:6b:7f:
 42                    5c:60:51:a8:23:1f:5e:9d:e0:f8:7f:45:19:1e:6b:
 43                    a5:e9:ec:55:57:2c:ae:fd:c6:6d:37:d8:76:5a:5d:
 44                    9a:9f:4e:1c:7e:46:e7:b1:93:01:9b:9e:a1:b0:99:
 45                    83:ba:fb:44:a2:b4:cc:f5:3d:12:24:cb:27:1c:f2:
 46                    5e:e6:a2:bf:f2:ac:77:c7:88:84:74:63:7b:03:1a:
 47                    42:e0:2d:40:cd:6d:3b:ea:0a:01:b2:c5:d2:fd:8c:
 48                    ee:fe:ff:69:54:fb:e9:7d:f6:26:59:58:02:2c:e6:
 49                    df:38:ef
 50                Exponent: 65537 (0x10001)
 51        X509v3 extensions:
 52            X509v3 Authority Key Identifier: 
 53                68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42
 54            X509v3 Subject Key Identifier: 
 55                BC:2A:54:E7:C3:C8:BA:87:EF:D2:41:C9:DD:3C:B4:60:32:84:CB:77
 56            X509v3 Key Usage: critical
 57                Digital Signature
 58            X509v3 Extended Key Usage: 
 59                Code Signing
 60            X509v3 CRL Distribution Points: 
 61                Full Name:
 62                  URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
 63                Full Name:
 64                  URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
 65            X509v3 Certificate Policies: 
 66                Policy: 2.23.140.1.4.1
 67                  CPS: http://www.digicert.com/CPS
 68            Authority Information Access: 
 69                OCSP - URI:http://ocsp.digicert.com
 70                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
 71            X509v3 Basic Constraints: critical
 72                CA:FALSE
 73    Signature Algorithm: sha256WithRSAEncryption
 74    Signature Value:
 75        18:69:4d:9b:9f:47:0b:35:be:bb:48:d3:10:75:fd:45:ab:48:
 76        42:71:74:f1:e2:bd:fa:57:13:bd:3c:77:3b:a6:26:1d:d3:17:
 77        3a:6c:11:40:90:5f:90:49:25:eb:75:97:bc:7d:da:c2:8d:78:
 78        02:fb:be:8b:40:fb:c3:bc:62:f3:03:eb:82:a2:9b:b5:4a:03:
 79        60:41:f0:03:87:29:06:e9:af:57:36:89:90:70:c2:87:c8:9e:
 80        f8:91:62:fb:2b:bd:0b:5a:e8:a0:72:d8:a3:9e:d4:bf:e5:d0:
 81        a9:e9:51:ac:cb:f5:3b:f8:54:ab:ee:58:0c:3f:41:cd:3f:79:
 82        34:2b:35:94:6c:98:00:ce:47:19:d9:d6:a5:be:4a:91:7e:fd:
 83        66:da:cc:86:23:a1:df:ce:a9:bd:54:de:89:fe:3f:3c:a2:18:
 84        3d:d2:8f:33:61:b1:d1:51:a6:da:b3:ac:86:98:51:55:7e:d9:
 85        71:c6:e1:f3:7a:03:cc:24:c9:02:f9:34:85:57:1a:22:bb:ae:
 86        a4:b9:56:b4:40:bf:9f:0b:7f:56:59:4e:08:5d:00:bf:b9:4b:
 87        24:84:d0:eb:11:f6:dd:0a:5b:bd:d9:07:da:71:6e:e6:59:e9:
 88        97:f1:8e:8b:63:c3:e2:22:94:21:26:dc:00:db:73:b1:1b:da:
 89        28:c8:e3:1f:26:8b:1d:17:58:c5:2b:84:bd:f8:b3:bf:e3:47:
 90        20:e2:3f:ed:f4:69:28:23:5a:9e:b5:d6:da:7f:11:84:56:e6:
 91        4a:48:68:54:7c:01:eb:03:74:cd:03:49:20:82:45:73:8c:c1:
 92        01:b6:4e:ad:be:0a:7a:88:b4:1e:68:2c:d3:e9:d9:7c:92:c2:
 93        52:16:be:68:db:ce:c4:44:7c:8a:44:df:28:77:6f:19:87:63:
 94        eb:c5:21:cd:91:d2:73:64:6d:63:48:4f:a0:06:b5:a1:10:ee:
 95        85:a4:82:92:bc:60:c9:00:40:27:f8:11:40:b8:41:ae:ea:1e:
 96        21:fa:61:29:98:26:18:c0:a4:12:c2:ed:40:f0:7a:f8:30:c6:
 97        e0:eb:c2:29:96:02:3f:ad:0e:4c:dd:9c:43:4c:70:1a:78:48:
 98        0c:ba:2f:05:2e:0e:2d:88:53:a1:d1:49:75:9d:87:66:04:90:
 99        36:dc:dc:57:70:92:79:e7:11:66:81:e1:d9:51:2f:ce:58:8c:
100        7c:8b:5c:dd:0a:88:4e:d2:29:38:f5:2d:f4:78:74:67:83:a9:
101        55:25:0e:3f:43:e7:e5:f8:6b:b1:7c:f7:02:cf:fe:e9:b8:d3:
102        fe:76:1d:44:2f:e6:de:56:70:da:ff:e3:ba:fd:69:59:31:f4:
103        31:ec:d5:bf:28:52:72:e0

  0Certificate:
  1    Data:
  2        Version: 3 (0x2)
  3        Serial Number:
  4            08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
  5        Signature Algorithm: sha384WithRSAEncryption
  6        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
  7        Validity
  8            Not Before: Apr 29 00:00:00 2021 GMT
  9            Not After : Apr 28 23:59:59 2036 GMT
 10        Subject: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
 11        Subject Public Key Info:
 12            Public Key Algorithm: rsaEncryption
 13                Public-Key: (4096 bit)
 14                Modulus:
 15                    00:d5:b4:2f:42:d0:28:ad:78:b7:5d:d5:39:59:1b:
 16                    b1:88:42:f5:33:8c:eb:3d:81:97:70:c5:bb:c4:85:
 17                    26:30:9f:a4:8e:68:d8:5c:f5:eb:34:24:07:e1:4b:
 18                    4f:d3:78:43:f4:17:d7:1e:da:f9:d2:d5:67:1a:52:
 19                    4f:0e:a1:57:fc:88:99:c1:91:cc:81:03:3e:4d:70:
 20                    24:64:b3:8d:e2:08:7d:34:7d:4c:80:57:12:6b:43:
 21                    9a:99:f2:c5:3b:1f:f2:ef:cb:47:5a:13:a6:4c:b3:
 22                    01:20:25:f3:10:d3:8b:b2:fb:08:f0:8a:e0:9d:09:
 23                    c0:65:a7:fa:98:80:49:35:87:3d:51:19:e8:90:21:
 24                    78:45:2e:a1:9f:2c:e1:18:c2:1a:cc:c5:ee:93:49:
 25                    70:42:32:8f:fb:c6:ea:1c:f3:65:68:91:a2:4d:4c:
 26                    82:11:48:52:68:de:10:bd:14:57:5d:e8:18:13:65:
 27                    c5:7f:b2:4f:85:2c:48:a4:56:84:35:d6:f9:2e:9c:
 28                    aa:00:15:d1:37:fe:1a:06:94:c2:7c:c8:ea:1b:32:
 29                    e6:ca:c2:f4:a7:a3:03:0e:74:a5:af:39:b6:ab:60:
 30                    12:e3:e8:d6:b9:f7:31:e1:dc:ad:e4:18:a0:d8:c1:
 31                    23:47:47:b3:a1:0f:6e:a3:ab:6d:98:06:83:1b:b7:
 32                    6a:67:2d:d2:bd:44:1a:92:10:81:8f:b0:3b:09:d7:
 33                    c7:9b:32:5a:c2:ff:6a:60:54:8b:49:c1:93:ed:e1:
 34                    b4:5c:e0:6f:eb:26:f9:8c:d5:b2:f9:38:10:e6:ea:
 35                    ce:91:f5:be:d3:fb:6f:93:61:34:5c:bc:93:45:28:
 36                    83:36:2a:66:28:5f:b0:73:ce:8b:26:25:06:b2:83:
 37                    d4:5c:f6:15:19:4c:ed:62:e0:5e:33:f2:e8:e8:ec:
 38                    0a:a7:b0:03:2b:91:b2:36:79:be:f7:ad:08:1e:75:
 39                    a6:65:cc:bb:e3:48:50:f3:77:91:1a:fe:db:50:a2:
 40                    46:c8:61:58:98:f5:7c:02:16:3c:83:28:ad:39:86:
 41                    ec:d4:b7:0d:53:d0:f8:47:e6:75:30:8d:ec:30:93:
 42                    76:14:a6:5b:4b:5d:74:61:4d:3f:12:91:76:de:bf:
 43                    58:cb:72:10:29:41:f0:d5:c5:6d:26:76:68:11:41:
 44                    13:58:9a:dc:26:2b:01:f4:89:4d:59:db:78:cf:81:
 45                    4a:3e:40:47:5f:c9:81:50:73:85:10:23:21:59:60:
 46                    8a:64:54:c1:cc:21:1a:e8:38:19:7c:66:1c:cd:78:
 47                    38:45:30:99:4f:ff:63:4f:4c:bb:aa:0d:08:53:41:
 48                    7c:58:3d:47:b3:fa:b6:ec:8c:32:09:02:cc:6c:3c:
 49                    0c:56:11
 50                Exponent: 65537 (0x10001)
 51        X509v3 extensions:
 52            X509v3 Basic Constraints: critical
 53                CA:TRUE, pathlen:0
 54            X509v3 Subject Key Identifier: 
 55                68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42
 56            X509v3 Authority Key Identifier: 
 57                EC:D7:E3:82:D2:71:5D:64:4C:DF:2E:67:3F:E7:BA:98:AE:1C:0F:4F
 58            X509v3 Key Usage: critical
 59                Digital Signature, Certificate Sign, CRL Sign
 60            X509v3 Extended Key Usage: 
 61                Code Signing
 62            Authority Information Access: 
 63                OCSP - URI:http://ocsp.digicert.com
 64                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
 65            X509v3 CRL Distribution Points: 
 66                Full Name:
 67                  URI:http://crl3.digicert.com/DigiCertTrustedRootG4.crl
 68            X509v3 Certificate Policies: 
 69                Policy: 2.23.140.1.3
 70                Policy: 2.23.140.1.4.1
 71    Signature Algorithm: sha384WithRSAEncryption
 72    Signature Value:
 73        3a:23:44:3d:8d:08:76:ee:8f:bc:3a:99:d3:56:e0:02:1a:a5:
 74        f8:48:34:f3:2c:b6:e6:74:66:f7:94:72:b1:00:ca:af:6c:30:
 75        27:13:12:9e:90:44:9f:4b:fd:9e:a3:7c:26:d5:37:bc:3a:5d:
 76        48:6d:95:d5:3f:49:f4:27:bb:16:81:45:50:fd:9c:bd:b6:85:
 77        e0:76:7e:37:71:cb:22:f7:5a:aa:90:cf:f5:93:6a:e3:eb:20:
 78        d1:d5:50:79:88:9a:8a:8a:c1:b6:bd:a1:48:18:7e:dc:d8:80:
 79        1a:11:19:18:cd:61:99:81:56:f6:c9:e3:76:e7:c4:e4:1b:5f:
 80        43:f8:3e:94:ff:76:39:3d:9e:d4:99:cf:4a:dd:28:eb:5f:26:
 81        a1:95:58:48:d5:1a:fe:d7:27:3f:fd:90:d1:76:86:dd:1c:b0:
 82        60:5c:f3:0d:a8:ee:e0:89:a1:bd:39:e1:38:4e:da:6e:bb:36:
 83        9d:fb:e5:21:53:5a:c3:ca:e9:6a:f1:a2:3e:db:43:b8:33:c8:
 84        4f:38:14:92:99:f5:dd:ce:54:6d:d9:5d:02:14:1f:40:33:7c:
 85        03:e2:95:b2:c2:21:75:73:52:cb:46:d8:c4:34:1c:a2:a5:4b:
 86        8d:cd:6f:76:37:2c:85:3f:1a:ce:26:e9:18:be:90:07:b0:43:
 87        7f:95:88:20:82:70:f0:cc:ca:ef:fd:29:35:5c:1f:89:38:55:
 88        f7:37:8a:8b:09:a1:cb:0b:e9:31:1a:ff:2e:19:5c:39:71:e1:
 89        be:9c:a7:0a:06:d6:26:67:b7:92:e6:4e:5f:de:7a:ac:49:cf:
 90        2e:a4:74:92:ad:db:3c:a4:9c:86:1f:e3:c1:56:1b:2b:23:ff:
 91        8f:b5:ea:88:7b:70:6b:e6:a0:ba:fd:3a:3f:45:a6:c4:e8:16:
 92        91:52:8b:41:c0:48:84:4b:96:4d:ab:44:40:e3:8d:f0:15:28:
 93        ce:ed:f1:18:56:07:2a:2f:10:c4:0c:08:64:3c:33:8f:ae:28:
 94        8c:3c:cb:8f:88:0b:0d:bf:3b:f4:ce:1e:7b:8e:ef:b5:eb:cb:
 95        b7:f0:77:13:e6:e7:28:3f:ac:12:ae:a5:2f:22:6c:41:f9:82:
 96        5c:15:66:cc:6c:0e:ca:c5:86:c3:f6:26:33:0c:07:4b:a0:d3:
 97        07:02:6a:6a:40:30:48:4b:34:a8:51:20:bb:ad:1b:85:08:e2:
 98        59:0d:6d:ca:05:50:2b:ea:4a:1c:9e:a5:fd:a0:a7:1f:06:74:
 99        e7:f2:d6:52:90:fd:af:85:48:21:f9:57:3b:b4:9c:03:ed:86:
100        45:f4:b4:61:6e:bf:68:e2:26:60:86:ea:c8:af:a9:fe:94:1d:
101        e7:63:1b:3a:86:56:78:4e

 0Certificate:
 1    Data:
 2        Version: 3 (0x2)
 3        Serial Number:
 4            05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
 5        Signature Algorithm: sha384WithRSAEncryption
 6        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
 7        Validity
 8            Not Before: Aug  1 12:00:00 2013 GMT
 9            Not After : Jan 15 12:00:00 2038 GMT
10        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
11        Subject Public Key Info:
12            Public Key Algorithm: rsaEncryption
13                Public-Key: (4096 bit)
14                Modulus:
15                    00:bf:e6:90:73:68:de:bb:e4:5d:4a:3c:30:22:30:
16                    69:33:ec:c2:a7:25:2e:c9:21:3d:f2:8a:d8:59:c2:
17                    e1:29:a7:3d:58:ab:76:9a:cd:ae:7b:1b:84:0d:c4:
18                    30:1f:f3:1b:a4:38:16:eb:56:c6:97:6d:1d:ab:b2:
19                    79:f2:ca:11:d2:e4:5f:d6:05:3c:52:0f:52:1f:c6:
20                    9e:15:a5:7e:be:9f:a9:57:16:59:55:72:af:68:93:
21                    70:c2:b2:ba:75:99:6a:73:32:94:d1:10:44:10:2e:
22                    df:82:f3:07:84:e6:74:3b:6d:71:e2:2d:0c:1b:ee:
23                    20:d5:c9:20:1d:63:29:2d:ce:ec:5e:4e:c8:93:f8:
24                    21:61:9b:34:eb:05:c6:5e:ec:5b:1a:bc:eb:c9:cf:
25                    cd:ac:34:40:5f:b1:7a:66:ee:77:c8:48:a8:66:57:
26                    57:9f:54:58:8e:0c:2b:b7:4f:a7:30:d9:56:ee:ca:
27                    7b:5d:e3:ad:c9:4f:5e:e5:35:e7:31:cb:da:93:5e:
28                    dc:8e:8f:80:da:b6:91:98:40:90:79:c3:78:c7:b6:
29                    b1:c4:b5:6a:18:38:03:10:8d:d8:d4:37:a4:2e:05:
30                    7d:88:f5:82:3e:10:91:70:ab:55:82:41:32:d7:db:
31                    04:73:2a:6e:91:01:7c:21:4c:d4:bc:ae:1b:03:75:
32                    5d:78:66:d9:3a:31:44:9a:33:40:bf:08:d7:5a:49:
33                    a4:c2:e6:a9:a0:67:dd:a4:27:bc:a1:4f:39:b5:11:
34                    58:17:f7:24:5c:46:8f:64:f7:c1:69:88:76:98:76:
35                    3d:59:5d:42:76:87:89:97:69:7a:48:f0:e0:a2:12:
36                    1b:66:9a:74:ca:de:4b:1e:e7:0e:63:ae:e6:d4:ef:
37                    92:92:3a:9e:3d:dc:00:e4:45:25:89:b6:9a:44:19:
38                    2b:7e:c0:94:b4:d2:61:6d:eb:33:d9:c5:df:4b:04:
39                    00:cc:7d:1c:95:c3:8f:f7:21:b2:b2:11:b7:bb:7f:
40                    f2:d5:8c:70:2c:41:60:aa:b1:63:18:44:95:1a:76:
41                    62:7e:f6:80:b0:fb:e8:64:a6:33:d1:89:07:e1:bd:
42                    b7:e6:43:a4:18:b8:a6:77:01:e1:0f:94:0c:21:1d:
43                    b2:54:29:25:89:6c:e5:0e:52:51:47:74:be:26:ac:
44                    b6:41:75:de:7a:ac:5f:8d:3f:c9:bc:d3:41:11:12:
45                    5b:e5:10:50:eb:31:c5:ca:72:16:22:09:df:7c:4c:
46                    75:3f:63:ec:21:5f:c4:20:51:6b:6f:b1:ab:86:8b:
47                    4f:c2:d6:45:5f:9d:20:fc:a1:1e:c5:c0:8f:a2:b1:
48                    7e:0a:26:99:f5:e4:69:2f:98:1d:2d:f5:d9:a9:b2:
49                    1d:e5:1b
50                Exponent: 65537 (0x10001)
51        X509v3 extensions:
52            X509v3 Basic Constraints: critical
53                CA:TRUE
54            X509v3 Key Usage: critical
55                Digital Signature, Certificate Sign, CRL Sign
56            X509v3 Subject Key Identifier: 
57                EC:D7:E3:82:D2:71:5D:64:4C:DF:2E:67:3F:E7:BA:98:AE:1C:0F:4F
58    Signature Algorithm: sha384WithRSAEncryption
59    Signature Value:
60        bb:61:d9:7d:a9:6c:be:17:c4:91:1b:c3:a1:a2:00:8d:e3:64:
61        68:0f:56:cf:77:ae:70:f9:fd:9a:4a:99:b9:c9:78:5c:0c:0c:
62        5f:e4:e6:14:29:56:0b:36:49:5d:44:63:e0:ad:9c:96:18:66:
63        1b:23:0d:3d:79:e9:6d:6b:d6:54:f8:d2:3c:c1:43:40:ae:1d:
64        50:f5:52:fc:90:3b:bb:98:99:69:6b:c7:c1:a7:a8:68:a4:27:
65        dc:9d:f9:27:ae:30:85:b9:f6:67:4d:3a:3e:8f:59:39:22:53:
66        44:eb:c8:5d:03:ca:ed:50:7a:7d:62:21:0a:80:c8:73:66:d1:
67        a0:05:60:5f:e8:a5:b4:a7:af:a8:f7:6d:35:9c:7c:5a:8a:d6:
68        a2:38:99:f3:78:8b:f4:4d:d2:20:0b:de:04:ee:8c:9b:47:81:
69        72:0d:c0:14:32:ef:30:59:2e:ae:e0:71:f2:56:e4:6a:97:6f:
70        92:50:6d:96:8d:68:7a:9a:b2:36:14:7a:06:f2:24:b9:09:11:
71        50:d7:08:b1:b8:89:7a:84:23:61:42:29:e5:a3:cd:a2:20:41:
72        d7:d1:9c:64:d9:ea:26:a1:8b:14:d7:4c:19:b2:50:41:71:3d:
73        3f:4d:70:23:86:0c:4a:dc:81:d2:cc:32:94:84:0d:08:09:97:
74        1c:4f:c0:ee:6b:20:74:30:d2:e0:39:34:10:85:21:15:01:08:
75        e8:55:32:de:71:49:d9:28:17:50:4d:e6:be:4d:d1:75:ac:d0:
76        ca:fb:41:b8:43:a5:aa:d3:c3:05:44:4f:2c:36:9b:e2:fa:e2:
77        45:b8:23:53:6c:06:6f:67:55:7f:46:b5:4c:3f:6e:28:5a:79:
78        26:d2:a4:a8:62:97:d2:1e:e2:ed:4a:8b:bc:1b:fd:47:4a:0d:
79        df:67:66:7e:b2:5b:41:d0:3b:e4:f4:3b:f4:04:63:e9:ef:c2:
80        54:00:51:a0:8a:2a:c9:ce:78:cc:d5:ea:87:04:18:b3:ce:af:
81        49:88:af:f3:92:99:b6:b3:e6:61:0f:d2:85:00:e7:50:1a:e4:
82        1b:95:9d:19:a1:b9:9c:b1:9b:b1:00:1e:ef:d0:0f:4f:42:6c:
83        c9:0a:bc:ee:43:fa:3a:71:a5:c8:4d:26:a5:35:fd:89:5d:bc:
84        85:62:1d:32:d2:a0:2b:54:ed:9a:57:c1:db:fa:10:cf:19:b7:
85        8b:4a:1b:8f:01:b6:27:95:53:e8:b6:89:6d:5b:bc:68:d4:23:
86        e8:8b:51:a2:56:f9:f0:a6:80:a0:d6:1e:b3:bc:0f:0f:53:75:
87        29:aa:ea:13:77:e4:de:8c:81:21:ad:07:10:47:11:ad:87:3d:
88        07:d1:75:bc:cf:f3:66:7e

laanwj commented at 1:49 pm on May 26, 2022: member

Metadata-only diff of our cert only, before and after this PR:

 0--- a/01.txt	2022-05-26 15:47:38.796449649 +0200
 1+++ b/01.txt	2022-05-26 15:48:07.652166313 +0200
 2@@ -2,12 +2,12 @@
 3     Data:
 4         Version: 3 (0x2)
 5         Serial Number:
 6-            05:23:7b:0a:6d:7a:67:45:13:f6:9e:e5:03:68:e2:28
 7+            0a:65:6f:75:06:a5:ef:65:36:43:16:d4:4d:3d:d2:45
 8         Signature Algorithm: sha256WithRSAEncryption
 9-        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA
10+        Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
11         Validity
12-            Not Before: May 21 00:00:00 2021 GMT
13-            Not After : May 26 23:59:59 2022 GMT
14+            Not Before: May 24 00:00:00 2022 GMT
15+            Not After : May 29 23:59:59 2024 GMT
16         Subject: C = US, ST = Delaware, L = Lewes, O = Bitcoin Core Code Signing LLC, CN = Bitcoin Core Code Signing LLC
17         Subject Public Key Info:
18             Public Key Algorithm: rsaEncryption
19@@ -16,25 +16,24 @@
20                 Exponent: 65537 (0x10001)
21         X509v3 extensions:
22             X509v3 Authority Key Identifier: 
23-                5A:C4:B9:7B:2A:0A:A3:A5:EA:71:03:C0:60:F9:2D:F6:65:75:0E:58
24+                68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42
25             X509v3 Subject Key Identifier: 
26-                55:22:ED:66:78:9F:10:7B:DD:F3:3D:C4:EC:0C:8B:60:DB:83:89:A3
27+                BC:2A:54:E7:C3:C8:BA:87:EF:D2:41:C9:DD:3C:B4:60:32:84:CB:77
28             X509v3 Key Usage: critical
29                 Digital Signature
30             X509v3 Extended Key Usage: 
31                 Code Signing
32             X509v3 CRL Distribution Points: 
33                 Full Name:
34-                  URI:http://crl3.digicert.com/sha2-assured-cs-g1.crl
35+                  URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
36                 Full Name:
37-                  URI:http://crl4.digicert.com/sha2-assured-cs-g1.crl
38+                  URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
39             X509v3 Certificate Policies: 
40-                Policy: 2.16.840.1.114412.3.1
41-                  CPS: http://www.digicert.com/CPS
42                 Policy: 2.23.140.1.4.1
43+                  CPS: http://www.digicert.com/CPS
44             Authority Information Access: 
45                 OCSP - URI:http://ocsp.digicert.com
46-                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
47+                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
48             X509v3 Basic Constraints: critical
49                 CA:FALSE
50     Signature Algorithm: sha256WithRSAEncryption

laanwj commented at 1:54 pm on May 26, 2022: member

ACK 7e9fe6d800ee8f3381e8f6ad2371f7775c68fad9

I have checked the changes made here in as far as I could and they look correct to me, and to form a correct certificate chain.

achow101 commented at 3:11 pm on May 26, 2022: member

I have signed the following message (uploaded as the file transfer.txt) with both the old and new keys:

0The new windows code signing key has the serial number 0a:65:6f:75:06:a5:ef:65:36:43:16:d4:4d:3d:d2:45
1SHA256 fingerprint 88:FC:C8:B3:97:1A:32:4C:06:8E:CF:FE:D6:9F:16:43:74:EC:AD:3B:94:54:4D:33:EE:EB:16:0D:61:10:C0:BE
2and expires on May 29 23:59:59 2024 GMT.
3
4The current block hash is 00000000000000000006ed567004da1d3fae7fc5fe5e5d5587fbba1e7884270e.

Signature with old key (uploaded as the file transfer.asc.txt):

 0-----BEGIN PKCS7-----
 1MIID0QYJKoZIhvcNAQcCoIIDwjCCA74CAQExDzANBglghkgBZQMEAgEFADALBgkq
 2hkiG9w0BBwExggOZMIIDlQIBATCBhjByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMM
 3RGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQD
 4EyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBTaWduaW5nIENBAhAFI3sK
 5bXpnRRP2nuUDaOIoMA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzELBgkq
 6hkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDUyNjE0NTczMVowLwYJKoZIhvcN
 7AQkEMSIEIOjoYNEuna+TFv9Sy03C3FrQB4oomHsd8fipPXwMPXeYMHkGCSqGSIb3
 8DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIw
 9CgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsO
10AwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIICAHhyip1eaA+P8BFv
11du4a28c3U8fRcSZa4MhssoAGM3mDt14/FPowOYljgXB4V+YhDfo7MIrWJ5sLzGy+
12wnTETCxjyDDo2VyNWaeosnAFZl3v89/omcLaq/UtThzrJI8dNqWxWOJwP6L0R0kK
13SYb2Z/tmsJH1EAPdCDqzRinTZXc9gbZ6iceun7QDzL+QBOnXkYTTnTO4nXPRqWOK
146NI96C/+pIu+s1i/6pjIKeRrt7YAn92kc6zl1yUejZk3T9cC46hIxDGVBv6D2AOc
1506MnQ2si0BK9KtzjhAU39ZMIgCKICZlJpSeUrd854uFex8TR5zeHNOpki9vEBSqg
16ZVO58abYDfIGsY/bf6EdtUIxOY0iVlcDe3oCv+WHInnaQrR7mcj8V8lrqOMM7blg
17zCpEA/Gi3il2TQdZqJXWMmJ9RLqsS2Vw61j5ybdpJp6wNyNwCAr40asfDm4YGDF3
181QdLpMjoPdYLLjf6PNXJa4oQIP3CL0XJxdRQYw9ehmOv9BOLtQjd0Q+NPYro1BMt
19MetXO/Y8YrYl33X3+xtpcGfH14bN90IDjivx9QRwLLcbY7xYWfWpUDy0zPsiMWrW
206os7h9beWnFWH8tcDjxsqww0sueWuuitOjFhIHxrS+S4RnbGzxRIxL+FICiY3xQh
21YuM5GiJReQwppiiNj9B+k+LIG+Oz
22-----END PKCS7-----

This can be verified using the following command on master (with the old code signing cert):

0openssl cms -verify -in transfer.asc.txt -inform pem -purpose any -content transfer.txt -certfile contrib/windeploy/win-codesign.cert -CAfile contrib/windeploy/win-codesign.cert

Signature with new key (uploaded as the file newkey.asc.txt):

 0-----BEGIN PKCS7-----
 1MIIDxwYJKoZIhvcNAQcCoIIDuDCCA7QCAQExDzANBglghkgBZQMEAgEFADALBgkq
 2hkiG9w0BBwExggOPMIIDiwIBATB9MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5E
 3aWdpQ2VydCwgSW5jLjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2Rl
 4IFNpZ25pbmcgUlNBNDA5NiBTSEEzODQgMjAyMSBDQTECEAplb3UGpe9lNkMW1E09
 50kUwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc
 6BgkqhkiG9w0BCQUxDxcNMjIwNTI2MTUwMDUxWjAvBgkqhkiG9w0BCQQxIgQg6Ohg
 70S6dr5MW/1LLTcLcWtAHiiiYex3x+Kk9fAw9d5gweQYJKoZIhvcNAQkPMWwwajAL
 8BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D
 9BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI
10hvcNAwICASgwDQYJKoZIhvcNAQEBBQAEggIALx8cLAPRGaCvhPamNaXKAquevh0M
11cwUq7/6Ms50pwL919iEu7iTShyVCjhNxykZ+DlzogT3Q0L8lfKpXljL2v3Ap/OOj
12C6R/0UzO3Sb0JQHrWRTJT0rlx3lN34EQjAFUIVzqU1OOlwBeS5km75Q5/rGg5IHo
13XzDHPSZyYC/EfAxhMznH2xdM5M8z5Fq/qAO6BkXKl54wliD9QfU5ZOGjrOz09DAt
14DBKJyoFntVj3IciKjqZGhasTsyzGph0nJth/TvOVSeHYvW4Or6lVu6Dkeg6gaPtZ
15NK2vjbSfp4GmLjxrefqtYwfamFEkvUSTsuo5xfVzhLTmcXnqHHzbePx+qWMLutAF
16aBlxovpUN4AJ4ltQP4O5xRJHPC9+G4eM7YfGT1D9imS9hQyGs0kkaOR3/saWs4Yc
17Vj5ANi/zG8XkKTy+tq+e9Vcn5xuThopYpbes1HpD7Dnt6drrYovHSWMy6P7913om
18WaDU6R6tnBs920NrVfjurQYJ51C5TblqQozawmm6yhJhga7EDofwPu/baEqS9Ey3
19GfJJNeZxxG62PAQ/nX3vBPwjWFj/5Fl8fi5V8Fv4SxiEtGfDraiCLBMIK15i5hgI
20iHTRVW7QLiel90DVapuknH9BLaNk+ttOZISSCHJsztWWR1po6VecTWivB8hTXWBl
219fV9ox3kR0MMod4=
22-----END PKCS7-----

This can be verified using the following command on this branch (with the new code signing cert):

0openssl cms -verify -in newkey.asc.txt -inform pem -purpose any -content transfer.txt -certfile contrib/windeploy/win-codesign.cert -CAfile contrib/windeploy/win-codesign.cert

fanquake approved

fanquake commented at 9:59 am on May 27, 2022: member

ACK 7e9fe6d800ee8f3381e8f6ad2371f7775c68fad9 - tested above with OpenSSL 3 & faketime.

fanquake merged this on May 27, 2022

fanquake closed this on May 27, 2022

fanquake referenced this in commit bd6d3ac8b7 on Jun 9, 2022

fanquake removed the label Needs backport (23.x) on Jun 9, 2022

fanquake commented at 11:27 am on June 9, 2022: member

Backported to 23.x in #25316.

fanquake referenced this in commit c4aacfbf65 on Jun 9, 2022

fanquake removed the label Needs backport (22.x) on Jun 9, 2022

fanquake commented at 11:33 am on June 9, 2022: member

Backported to 22.x in #25317.

laanwj referenced this in commit cfb0eea91e on Jun 10, 2022

MarcoFalke referenced this in commit a33ec8a693 on Jul 8, 2022

DrahtBot locked this on Jun 9, 2023

windeploy: Renewed windows code signing certificate #25201