Skip to content

windeploy: Renewed windows code signing certificate #25201

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fanquake merged 1 commit into from
May 27, 2022
Merged

windeploy: Renewed windows code signing certificate #25201

fanquake merged 1 commit into from
May 27, 2022

Conversation

@achow101
Copy link
Member

@achow101 achow101 commented May 24, 2022

The current windows code signing certificate expires on May 26 23:59:59 2022 GMT. I have purchased a new code signing certificate which will expire on May 29 23:59:59 2024 GMT.

@laanwj
Copy link
Member

laanwj commented May 24, 2022

Concept ACK, thanks for updating the cert.

@laanwj
Copy link
Member

laanwj commented May 26, 2022

This is the data inside the certificates file, dumped with:

$ csplit contrib/windeploy/win-codesign.cert '/-----BEGIN CERTIFICATE-----/' '{*}'
$ openssl x509 -in xx01 -text 
$ openssl x509 -in xx02 -text 
$ openssl x509 -in xx03 -text 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:65:6f:75:06:a5:ef:65:36:43:16:d4:4d:3d:d2:45
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
        Validity
            Not Before: May 24 00:00:00 2022 GMT
            Not After : May 29 23:59:59 2024 GMT
        Subject: C = US, ST = Delaware, L = Lewes, O = Bitcoin Core Code Signing LLC, CN = Bitcoin Core Code Signing LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b7:b0:c5:f8:f3:b6:e4:53:0c:d0:06:7f:bc:e4:
                    aa:a5:8d:12:dd:bc:09:99:95:24:7a:18:96:d5:51:
                    c6:d1:35:04:fe:39:05:f9:a9:b4:7e:5e:33:52:42:
                    fd:7a:2c:4c:fc:ad:1d:11:5e:3a:43:b8:61:50:2d:
                    88:42:f1:2b:d4:bf:f3:63:99:94:a0:3b:33:1e:cf:
                    5b:ab:ef:d7:5f:38:bb:cf:a6:3f:75:a9:4c:df:ca:
                    01:94:da:5b:d7:c1:d0:42:d3:48:2b:aa:b2:f5:ea:
                    d9:ca:cc:d9:3e:cd:b9:d2:67:4b:25:a1:d9:50:63:
                    2d:f3:cf:08:07:18:c3:3c:86:29:06:e5:8d:05:a3:
                    14:42:43:25:61:4a:f3:7b:7d:98:af:ef:d1:64:20:
                    03:78:c6:25:e6:b3:f9:5e:82:61:73:12:ed:48:29:
                    74:6f:1d:52:18:3d:a3:ad:e0:60:96:40:5b:9a:58:
                    44:8b:0d:45:c2:42:33:92:c7:87:01:0c:5b:9d:f6:
                    f5:4b:13:99:80:9f:3f:bf:f9:dd:e9:9e:a5:b4:34:
                    9f:c8:a3:55:98:e0:68:9f:8b:67:c3:6c:a4:12:d2:
                    78:28:85:f5:43:c2:29:7f:36:b9:68:90:01:44:db:
                    60:70:9f:4a:2d:c8:d1:fd:f0:42:27:57:2f:d6:58:
                    f8:f5:e6:6a:53:3b:04:cb:90:f9:cd:b1:11:c9:7d:
                    ec:29:e1:ac:3c:f1:10:1c:19:be:f3:82:f7:01:a8:
                    1b:ef:3e:7a:95:78:4e:35:19:59:ff:bb:40:dd:59:
                    61:e8:35:ad:a8:bb:73:b7:3c:bb:d2:0b:a2:01:3c:
                    b2:ed:b1:56:8c:f7:df:74:c7:08:3b:d2:70:88:27:
                    41:79:a4:f9:c6:ca:30:1b:60:f6:43:34:17:e6:8b:
                    5a:c3:76:c5:57:f4:b8:08:f7:53:bb:1d:5c:ba:df:
                    25:e5:b4:0d:92:24:b5:6b:53:05:0c:d7:3b:f3:84:
                    e0:a6:be:d5:61:67:0e:0d:07:24:88:a1:d1:c4:e3:
                    97:d6:18:bd:f7:b9:dc:be:29:08:6c:be:a8:6b:7f:
                    5c:60:51:a8:23:1f:5e:9d:e0:f8:7f:45:19:1e:6b:
                    a5:e9:ec:55:57:2c:ae:fd:c6:6d:37:d8:76:5a:5d:
                    9a:9f:4e:1c:7e:46:e7:b1:93:01:9b:9e:a1:b0:99:
                    83:ba:fb:44:a2:b4:cc:f5:3d:12:24:cb:27:1c:f2:
                    5e:e6:a2:bf:f2:ac:77:c7:88:84:74:63:7b:03:1a:
                    42:e0:2d:40:cd:6d:3b:ea:0a:01:b2:c5:d2:fd:8c:
                    ee:fe:ff:69:54:fb:e9:7d:f6:26:59:58:02:2c:e6:
                    df:38:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42
            X509v3 Subject Key Identifier: 
                BC:2A:54:E7:C3:C8:BA:87:EF:D2:41:C9:DD:3C:B4:60:32:84:CB:77
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                Full Name:
                  URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.4.1
                  CPS: http://www.digicert.com/CPS
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        18:69:4d:9b:9f:47:0b:35:be:bb:48:d3:10:75:fd:45:ab:48:
        42:71:74:f1:e2:bd:fa:57:13:bd:3c:77:3b:a6:26:1d:d3:17:
        3a:6c:11:40:90:5f:90:49:25:eb:75:97:bc:7d:da:c2:8d:78:
        02:fb:be:8b:40:fb:c3:bc:62:f3:03:eb:82:a2:9b:b5:4a:03:
        60:41:f0:03:87:29:06:e9:af:57:36:89:90:70:c2:87:c8:9e:
        f8:91:62:fb:2b:bd:0b:5a:e8:a0:72:d8:a3:9e:d4:bf:e5:d0:
        a9:e9:51:ac:cb:f5:3b:f8:54:ab:ee:58:0c:3f:41:cd:3f:79:
        34:2b:35:94:6c:98:00:ce:47:19:d9:d6:a5:be:4a:91:7e:fd:
        66:da:cc:86:23:a1:df:ce:a9:bd:54:de:89:fe:3f:3c:a2:18:
        3d:d2:8f:33:61:b1:d1:51:a6:da:b3:ac:86:98:51:55:7e:d9:
        71:c6:e1:f3:7a:03:cc:24:c9:02:f9:34:85:57:1a:22:bb:ae:
        a4:b9:56:b4:40:bf:9f:0b:7f:56:59:4e:08:5d:00:bf:b9:4b:
        24:84:d0:eb:11:f6:dd:0a:5b:bd:d9:07:da:71:6e:e6:59:e9:
        97:f1:8e:8b:63:c3:e2:22:94:21:26:dc:00:db:73:b1:1b:da:
        28:c8:e3:1f:26:8b:1d:17:58:c5:2b:84:bd:f8:b3:bf:e3:47:
        20:e2:3f:ed:f4:69:28:23:5a:9e:b5:d6:da:7f:11:84:56:e6:
        4a:48:68:54:7c:01:eb:03:74:cd:03:49:20:82:45:73:8c:c1:
        01:b6:4e:ad:be:0a:7a:88:b4:1e:68:2c:d3:e9:d9:7c:92:c2:
        52:16:be:68:db:ce:c4:44:7c:8a:44:df:28:77:6f:19:87:63:
        eb:c5:21:cd:91:d2:73:64:6d:63:48:4f:a0:06:b5:a1:10:ee:
        85:a4:82:92:bc:60:c9:00:40:27:f8:11:40:b8:41:ae:ea:1e:
        21:fa:61:29:98:26:18:c0:a4:12:c2:ed:40:f0:7a:f8:30:c6:
        e0:eb:c2:29:96:02:3f:ad:0e:4c:dd:9c:43:4c:70:1a:78:48:
        0c:ba:2f:05:2e:0e:2d:88:53:a1:d1:49:75:9d:87:66:04:90:
        36:dc:dc:57:70:92:79:e7:11:66:81:e1:d9:51:2f:ce:58:8c:
        7c:8b:5c:dd:0a:88:4e:d2:29:38:f5:2d:f4:78:74:67:83:a9:
        55:25:0e:3f:43:e7:e5:f8:6b:b1:7c:f7:02:cf:fe:e9:b8:d3:
        fe:76:1d:44:2f:e6:de:56:70:da:ff:e3:ba:fd:69:59:31:f4:
        31:ec:d5:bf:28:52:72:e0

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
        Validity
            Not Before: Apr 29 00:00:00 2021 GMT
            Not After : Apr 28 23:59:59 2036 GMT
        Subject: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d5:b4:2f:42:d0:28:ad:78:b7:5d:d5:39:59:1b:
                    b1:88:42:f5:33:8c:eb:3d:81:97:70:c5:bb:c4:85:
                    26:30:9f:a4:8e:68:d8:5c:f5:eb:34:24:07:e1:4b:
                    4f:d3:78:43:f4:17:d7:1e:da:f9:d2:d5:67:1a:52:
                    4f:0e:a1:57:fc:88:99:c1:91:cc:81:03:3e:4d:70:
                    24:64:b3:8d:e2:08:7d:34:7d:4c:80:57:12:6b:43:
                    9a:99:f2:c5:3b:1f:f2:ef:cb:47:5a:13:a6:4c:b3:
                    01:20:25:f3:10:d3:8b:b2:fb:08:f0:8a:e0:9d:09:
                    c0:65:a7:fa:98:80:49:35:87:3d:51:19:e8:90:21:
                    78:45:2e:a1:9f:2c:e1:18:c2:1a:cc:c5:ee:93:49:
                    70:42:32:8f:fb:c6:ea:1c:f3:65:68:91:a2:4d:4c:
                    82:11:48:52:68:de:10:bd:14:57:5d:e8:18:13:65:
                    c5:7f:b2:4f:85:2c:48:a4:56:84:35:d6:f9:2e:9c:
                    aa:00:15:d1:37:fe:1a:06:94:c2:7c:c8:ea:1b:32:
                    e6:ca:c2:f4:a7:a3:03:0e:74:a5:af:39:b6:ab:60:
                    12:e3:e8:d6:b9:f7:31:e1:dc:ad:e4:18:a0:d8:c1:
                    23:47:47:b3:a1:0f:6e:a3:ab:6d:98:06:83:1b:b7:
                    6a:67:2d:d2:bd:44:1a:92:10:81:8f:b0:3b:09:d7:
                    c7:9b:32:5a:c2:ff:6a:60:54:8b:49:c1:93:ed:e1:
                    b4:5c:e0:6f:eb:26:f9:8c:d5:b2:f9:38:10:e6:ea:
                    ce:91:f5:be:d3:fb:6f:93:61:34:5c:bc:93:45:28:
                    83:36:2a:66:28:5f:b0:73:ce:8b:26:25:06:b2:83:
                    d4:5c:f6:15:19:4c:ed:62:e0:5e:33:f2:e8:e8:ec:
                    0a:a7:b0:03:2b:91:b2:36:79:be:f7:ad:08:1e:75:
                    a6:65:cc:bb:e3:48:50:f3:77:91:1a:fe:db:50:a2:
                    46:c8:61:58:98:f5:7c:02:16:3c:83:28:ad:39:86:
                    ec:d4:b7:0d:53:d0:f8:47:e6:75:30:8d:ec:30:93:
                    76:14:a6:5b:4b:5d:74:61:4d:3f:12:91:76:de:bf:
                    58:cb:72:10:29:41:f0:d5:c5:6d:26:76:68:11:41:
                    13:58:9a:dc:26:2b:01:f4:89:4d:59:db:78:cf:81:
                    4a:3e:40:47:5f:c9:81:50:73:85:10:23:21:59:60:
                    8a:64:54:c1:cc:21:1a:e8:38:19:7c:66:1c:cd:78:
                    38:45:30:99:4f:ff:63:4f:4c:bb:aa:0d:08:53:41:
                    7c:58:3d:47:b3:fa:b6:ec:8c:32:09:02:cc:6c:3c:
                    0c:56:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42
            X509v3 Authority Key Identifier: 
                EC:D7:E3:82:D2:71:5D:64:4C:DF:2E:67:3F:E7:BA:98:AE:1C:0F:4F
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                Code Signing
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTrustedRootG4.crl
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.3
                Policy: 2.23.140.1.4.1
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value:
        3a:23:44:3d:8d:08:76:ee:8f:bc:3a:99:d3:56:e0:02:1a:a5:
        f8:48:34:f3:2c:b6:e6:74:66:f7:94:72:b1:00:ca:af:6c:30:
        27:13:12:9e:90:44:9f:4b:fd:9e:a3:7c:26:d5:37:bc:3a:5d:
        48:6d:95:d5:3f:49:f4:27:bb:16:81:45:50:fd:9c:bd:b6:85:
        e0:76:7e:37:71:cb:22:f7:5a:aa:90:cf:f5:93:6a:e3:eb:20:
        d1:d5:50:79:88:9a:8a:8a:c1:b6:bd:a1:48:18:7e:dc:d8:80:
        1a:11:19:18:cd:61:99:81:56:f6:c9:e3:76:e7:c4:e4:1b:5f:
        43:f8:3e:94:ff:76:39:3d:9e:d4:99:cf:4a:dd:28:eb:5f:26:
        a1:95:58:48:d5:1a:fe:d7:27:3f:fd:90:d1:76:86:dd:1c:b0:
        60:5c:f3:0d:a8:ee:e0:89:a1:bd:39:e1:38:4e:da:6e:bb:36:
        9d:fb:e5:21:53:5a:c3:ca:e9:6a:f1:a2:3e:db:43:b8:33:c8:
        4f:38:14:92:99:f5:dd:ce:54:6d:d9:5d:02:14:1f:40:33:7c:
        03:e2:95:b2:c2:21:75:73:52:cb:46:d8:c4:34:1c:a2:a5:4b:
        8d:cd:6f:76:37:2c:85:3f:1a:ce:26:e9:18:be:90:07:b0:43:
        7f:95:88:20:82:70:f0:cc:ca:ef:fd:29:35:5c:1f:89:38:55:
        f7:37:8a:8b:09:a1:cb:0b:e9:31:1a:ff:2e:19:5c:39:71:e1:
        be:9c:a7:0a:06:d6:26:67:b7:92:e6:4e:5f:de:7a:ac:49:cf:
        2e:a4:74:92:ad:db:3c:a4:9c:86:1f:e3:c1:56:1b:2b:23:ff:
        8f:b5:ea:88:7b:70:6b:e6:a0:ba:fd:3a:3f:45:a6:c4:e8:16:
        91:52:8b:41:c0:48:84:4b:96:4d:ab:44:40:e3:8d:f0:15:28:
        ce:ed:f1:18:56:07:2a:2f:10:c4:0c:08:64:3c:33:8f:ae:28:
        8c:3c:cb:8f:88:0b:0d:bf:3b:f4:ce:1e:7b:8e:ef:b5:eb:cb:
        b7:f0:77:13:e6:e7:28:3f:ac:12:ae:a5:2f:22:6c:41:f9:82:
        5c:15:66:cc:6c:0e:ca:c5:86:c3:f6:26:33:0c:07:4b:a0:d3:
        07:02:6a:6a:40:30:48:4b:34:a8:51:20:bb:ad:1b:85:08:e2:
        59:0d:6d:ca:05:50:2b:ea:4a:1c:9e:a5:fd:a0:a7:1f:06:74:
        e7:f2:d6:52:90:fd:af:85:48:21:f9:57:3b:b4:9c:03:ed:86:
        45:f4:b4:61:6e:bf:68:e2:26:60:86:ea:c8:af:a9:fe:94:1d:
        e7:63:1b:3a:86:56:78:4e

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
        Validity
            Not Before: Aug  1 12:00:00 2013 GMT
            Not After : Jan 15 12:00:00 2038 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bf:e6:90:73:68:de:bb:e4:5d:4a:3c:30:22:30:
                    69:33:ec:c2:a7:25:2e:c9:21:3d:f2:8a:d8:59:c2:
                    e1:29:a7:3d:58:ab:76:9a:cd:ae:7b:1b:84:0d:c4:
                    30:1f:f3:1b:a4:38:16:eb:56:c6:97:6d:1d:ab:b2:
                    79:f2:ca:11:d2:e4:5f:d6:05:3c:52:0f:52:1f:c6:
                    9e:15:a5:7e:be:9f:a9:57:16:59:55:72:af:68:93:
                    70:c2:b2:ba:75:99:6a:73:32:94:d1:10:44:10:2e:
                    df:82:f3:07:84:e6:74:3b:6d:71:e2:2d:0c:1b:ee:
                    20:d5:c9:20:1d:63:29:2d:ce:ec:5e:4e:c8:93:f8:
                    21:61:9b:34:eb:05:c6:5e:ec:5b:1a:bc:eb:c9:cf:
                    cd:ac:34:40:5f:b1:7a:66:ee:77:c8:48:a8:66:57:
                    57:9f:54:58:8e:0c:2b:b7:4f:a7:30:d9:56:ee:ca:
                    7b:5d:e3:ad:c9:4f:5e:e5:35:e7:31:cb:da:93:5e:
                    dc:8e:8f:80:da:b6:91:98:40:90:79:c3:78:c7:b6:
                    b1:c4:b5:6a:18:38:03:10:8d:d8:d4:37:a4:2e:05:
                    7d:88:f5:82:3e:10:91:70:ab:55:82:41:32:d7:db:
                    04:73:2a:6e:91:01:7c:21:4c:d4:bc:ae:1b:03:75:
                    5d:78:66:d9:3a:31:44:9a:33:40:bf:08:d7:5a:49:
                    a4:c2:e6:a9:a0:67:dd:a4:27:bc:a1:4f:39:b5:11:
                    58:17:f7:24:5c:46:8f:64:f7:c1:69:88:76:98:76:
                    3d:59:5d:42:76:87:89:97:69:7a:48:f0:e0:a2:12:
                    1b:66:9a:74:ca:de:4b:1e:e7:0e:63:ae:e6:d4:ef:
                    92:92:3a:9e:3d:dc:00:e4:45:25:89:b6:9a:44:19:
                    2b:7e:c0:94:b4:d2:61:6d:eb:33:d9:c5:df:4b:04:
                    00:cc:7d:1c:95:c3:8f:f7:21:b2:b2:11:b7:bb:7f:
                    f2:d5:8c:70:2c:41:60:aa:b1:63:18:44:95:1a:76:
                    62:7e:f6:80:b0:fb:e8:64:a6:33:d1:89:07:e1:bd:
                    b7:e6:43:a4:18:b8:a6:77:01:e1:0f:94:0c:21:1d:
                    b2:54:29:25:89:6c:e5:0e:52:51:47:74:be:26:ac:
                    b6:41:75:de:7a:ac:5f:8d:3f:c9:bc:d3:41:11:12:
                    5b:e5:10:50:eb:31:c5:ca:72:16:22:09:df:7c:4c:
                    75:3f:63:ec:21:5f:c4:20:51:6b:6f:b1:ab:86:8b:
                    4f:c2:d6:45:5f:9d:20:fc:a1:1e:c5:c0:8f:a2:b1:
                    7e:0a:26:99:f5:e4:69:2f:98:1d:2d:f5:d9:a9:b2:
                    1d:e5:1b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                EC:D7:E3:82:D2:71:5D:64:4C:DF:2E:67:3F:E7:BA:98:AE:1C:0F:4F
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value:
        bb:61:d9:7d:a9:6c:be:17:c4:91:1b:c3:a1:a2:00:8d:e3:64:
        68:0f:56:cf:77:ae:70:f9:fd:9a:4a:99:b9:c9:78:5c:0c:0c:
        5f:e4:e6:14:29:56:0b:36:49:5d:44:63:e0:ad:9c:96:18:66:
        1b:23:0d:3d:79:e9:6d:6b:d6:54:f8:d2:3c:c1:43:40:ae:1d:
        50:f5:52:fc:90:3b:bb:98:99:69:6b:c7:c1:a7:a8:68:a4:27:
        dc:9d:f9:27:ae:30:85:b9:f6:67:4d:3a:3e:8f:59:39:22:53:
        44:eb:c8:5d:03:ca:ed:50:7a:7d:62:21:0a:80:c8:73:66:d1:
        a0:05:60:5f:e8:a5:b4:a7:af:a8:f7:6d:35:9c:7c:5a:8a:d6:
        a2:38:99:f3:78:8b:f4:4d:d2:20:0b:de:04:ee:8c:9b:47:81:
        72:0d:c0:14:32:ef:30:59:2e:ae:e0:71:f2:56:e4:6a:97:6f:
        92:50:6d:96:8d:68:7a:9a:b2:36:14:7a:06:f2:24:b9:09:11:
        50:d7:08:b1:b8:89:7a:84:23:61:42:29:e5:a3:cd:a2:20:41:
        d7:d1:9c:64:d9:ea:26:a1:8b:14:d7:4c:19:b2:50:41:71:3d:
        3f:4d:70:23:86:0c:4a:dc:81:d2:cc:32:94:84:0d:08:09:97:
        1c:4f:c0:ee:6b:20:74:30:d2:e0:39:34:10:85:21:15:01:08:
        e8:55:32:de:71:49:d9:28:17:50:4d:e6:be:4d:d1:75:ac:d0:
        ca:fb:41:b8:43:a5:aa:d3:c3:05:44:4f:2c:36:9b:e2:fa:e2:
        45:b8:23:53:6c:06:6f:67:55:7f:46:b5:4c:3f:6e:28:5a:79:
        26:d2:a4:a8:62:97:d2:1e:e2:ed:4a:8b:bc:1b:fd:47:4a:0d:
        df:67:66:7e:b2:5b:41:d0:3b:e4:f4:3b:f4:04:63:e9:ef:c2:
        54:00:51:a0:8a:2a:c9:ce:78:cc:d5:ea:87:04:18:b3:ce:af:
        49:88:af:f3:92:99:b6:b3:e6:61:0f:d2:85:00:e7:50:1a:e4:
        1b:95:9d:19:a1:b9:9c:b1:9b:b1:00:1e:ef:d0:0f:4f:42:6c:
        c9:0a:bc:ee:43:fa:3a:71:a5:c8:4d:26:a5:35:fd:89:5d:bc:
        85:62:1d:32:d2:a0:2b:54:ed:9a:57:c1:db:fa:10:cf:19:b7:
        8b:4a:1b:8f:01:b6:27:95:53:e8:b6:89:6d:5b:bc:68:d4:23:
        e8:8b:51:a2:56:f9:f0:a6:80:a0:d6:1e:b3:bc:0f:0f:53:75:
        29:aa:ea:13:77:e4:de:8c:81:21:ad:07:10:47:11:ad:87:3d:
        07:d1:75:bc:cf:f3:66:7e

@laanwj
Copy link
Member

laanwj commented May 26, 2022

Metadata-only diff of our cert only, before and after this PR:

--- a/01.txt	2022-05-26 15:47:38.796449649 +0200
+++ b/01.txt	2022-05-26 15:48:07.652166313 +0200
@@ -2,12 +2,12 @@
     Data:
         Version: 3 (0x2)
         Serial Number:
-            05:23:7b:0a:6d:7a:67:45:13:f6:9e:e5:03:68:e2:28
+            0a:65:6f:75:06:a5:ef:65:36:43:16:d4:4d:3d:d2:45
         Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA
+        Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
         Validity
-            Not Before: May 21 00:00:00 2021 GMT
-            Not After : May 26 23:59:59 2022 GMT
+            Not Before: May 24 00:00:00 2022 GMT
+            Not After : May 29 23:59:59 2024 GMT
         Subject: C = US, ST = Delaware, L = Lewes, O = Bitcoin Core Code Signing LLC, CN = Bitcoin Core Code Signing LLC
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -16,25 +16,24 @@
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Authority Key Identifier: 
-                5A:C4:B9:7B:2A:0A:A3:A5:EA:71:03:C0:60:F9:2D:F6:65:75:0E:58
+                68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42
             X509v3 Subject Key Identifier: 
-                55:22:ED:66:78:9F:10:7B:DD:F3:3D:C4:EC:0C:8B:60:DB:83:89:A3
+                BC:2A:54:E7:C3:C8:BA:87:EF:D2:41:C9:DD:3C:B4:60:32:84:CB:77
             X509v3 Key Usage: critical
                 Digital Signature
             X509v3 Extended Key Usage: 
                 Code Signing
             X509v3 CRL Distribution Points: 
                 Full Name:
-                  URI:http://crl3.digicert.com/sha2-assured-cs-g1.crl
+                  URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                 Full Name:
-                  URI:http://crl4.digicert.com/sha2-assured-cs-g1.crl
+                  URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
             X509v3 Certificate Policies: 
-                Policy: 2.16.840.1.114412.3.1
-                  CPS: http://www.digicert.com/CPS
                 Policy: 2.23.140.1.4.1
+                  CPS: http://www.digicert.com/CPS
             Authority Information Access: 
                 OCSP - URI:http://ocsp.digicert.com
-                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
+                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
             X509v3 Basic Constraints: critical
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption

@laanwj
Copy link
Member

laanwj commented May 26, 2022

ACK 7e9fe6d

I have checked the changes made here in as far as I could and they look correct to me, and to form a correct certificate chain.

@achow101
Copy link
Member Author

achow101 commented May 26, 2022

I have signed the following message (uploaded as the file transfer.txt) with both the old and new keys:

The new windows code signing key has the serial number 0a:65:6f:75:06:a5:ef:65:36:43:16:d4:4d:3d:d2:45
SHA256 fingerprint 88:FC:C8:B3:97:1A:32:4C:06:8E:CF:FE:D6:9F:16:43:74:EC:AD:3B:94:54:4D:33:EE:EB:16:0D:61:10:C0:BE
and expires on May 29 23:59:59 2024 GMT.

The current block hash is 00000000000000000006ed567004da1d3fae7fc5fe5e5d5587fbba1e7884270e.

Signature with old key (uploaded as the file transfer.asc.txt):

-----BEGIN PKCS7-----
MIID0QYJKoZIhvcNAQcCoIIDwjCCA74CAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwExggOZMIIDlQIBATCBhjByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMM
RGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQD
EyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBTaWduaW5nIENBAhAFI3sK
bXpnRRP2nuUDaOIoMA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzELBgkq
hkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDUyNjE0NTczMVowLwYJKoZIhvcN
AQkEMSIEIOjoYNEuna+TFv9Sy03C3FrQB4oomHsd8fipPXwMPXeYMHkGCSqGSIb3
DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIw
CgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsO
AwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIICAHhyip1eaA+P8BFv
du4a28c3U8fRcSZa4MhssoAGM3mDt14/FPowOYljgXB4V+YhDfo7MIrWJ5sLzGy+
wnTETCxjyDDo2VyNWaeosnAFZl3v89/omcLaq/UtThzrJI8dNqWxWOJwP6L0R0kK
SYb2Z/tmsJH1EAPdCDqzRinTZXc9gbZ6iceun7QDzL+QBOnXkYTTnTO4nXPRqWOK
6NI96C/+pIu+s1i/6pjIKeRrt7YAn92kc6zl1yUejZk3T9cC46hIxDGVBv6D2AOc
06MnQ2si0BK9KtzjhAU39ZMIgCKICZlJpSeUrd854uFex8TR5zeHNOpki9vEBSqg
ZVO58abYDfIGsY/bf6EdtUIxOY0iVlcDe3oCv+WHInnaQrR7mcj8V8lrqOMM7blg
zCpEA/Gi3il2TQdZqJXWMmJ9RLqsS2Vw61j5ybdpJp6wNyNwCAr40asfDm4YGDF3
1QdLpMjoPdYLLjf6PNXJa4oQIP3CL0XJxdRQYw9ehmOv9BOLtQjd0Q+NPYro1BMt
MetXO/Y8YrYl33X3+xtpcGfH14bN90IDjivx9QRwLLcbY7xYWfWpUDy0zPsiMWrW
6os7h9beWnFWH8tcDjxsqww0sueWuuitOjFhIHxrS+S4RnbGzxRIxL+FICiY3xQh
YuM5GiJReQwppiiNj9B+k+LIG+Oz
-----END PKCS7-----

This can be verified using the following command on master (with the old code signing cert):

openssl cms -verify -in transfer.asc.txt -inform pem -purpose any -content transfer.txt -certfile contrib/windeploy/win-codesign.cert -CAfile contrib/windeploy/win-codesign.cert

Signature with new key (uploaded as the file newkey.asc.txt):

-----BEGIN PKCS7-----
MIIDxwYJKoZIhvcNAQcCoIIDuDCCA7QCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwExggOPMIIDiwIBATB9MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5E
aWdpQ2VydCwgSW5jLjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2Rl
IFNpZ25pbmcgUlNBNDA5NiBTSEEzODQgMjAyMSBDQTECEAplb3UGpe9lNkMW1E09
0kUwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc
BgkqhkiG9w0BCQUxDxcNMjIwNTI2MTUwMDUxWjAvBgkqhkiG9w0BCQQxIgQg6Ohg
0S6dr5MW/1LLTcLcWtAHiiiYex3x+Kk9fAw9d5gweQYJKoZIhvcNAQkPMWwwajAL
BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D
BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI
hvcNAwICASgwDQYJKoZIhvcNAQEBBQAEggIALx8cLAPRGaCvhPamNaXKAquevh0M
cwUq7/6Ms50pwL919iEu7iTShyVCjhNxykZ+DlzogT3Q0L8lfKpXljL2v3Ap/OOj
C6R/0UzO3Sb0JQHrWRTJT0rlx3lN34EQjAFUIVzqU1OOlwBeS5km75Q5/rGg5IHo
XzDHPSZyYC/EfAxhMznH2xdM5M8z5Fq/qAO6BkXKl54wliD9QfU5ZOGjrOz09DAt
DBKJyoFntVj3IciKjqZGhasTsyzGph0nJth/TvOVSeHYvW4Or6lVu6Dkeg6gaPtZ
NK2vjbSfp4GmLjxrefqtYwfamFEkvUSTsuo5xfVzhLTmcXnqHHzbePx+qWMLutAF
aBlxovpUN4AJ4ltQP4O5xRJHPC9+G4eM7YfGT1D9imS9hQyGs0kkaOR3/saWs4Yc
Vj5ANi/zG8XkKTy+tq+e9Vcn5xuThopYpbes1HpD7Dnt6drrYovHSWMy6P7913om
WaDU6R6tnBs920NrVfjurQYJ51C5TblqQozawmm6yhJhga7EDofwPu/baEqS9Ey3
GfJJNeZxxG62PAQ/nX3vBPwjWFj/5Fl8fi5V8Fv4SxiEtGfDraiCLBMIK15i5hgI
iHTRVW7QLiel90DVapuknH9BLaNk+ttOZISSCHJsztWWR1po6VecTWivB8hTXWBl
9fV9ox3kR0MMod4=
-----END PKCS7-----

This can be verified using the following command on this branch (with the new code signing cert):

openssl cms -verify -in newkey.asc.txt -inform pem -purpose any -content transfer.txt -certfile contrib/windeploy/win-codesign.cert -CAfile contrib/windeploy/win-codesign.cert

fanquake
fanquake approved these changes May 27, 2022
View reviewed changes
Copy link
Member

@fanquake fanquake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 7e9fe6d - tested above with OpenSSL 3 & faketime.

@fanquake fanquake merged commit 66bb4df into bitcoin:master May 27, 2022
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 9, 2022
@achow101 @fanquake
windeploy: Renewed windows code signing certificate
bd6d3ac 
Github-Pull: bitcoin#25201
Rebased-From: 7e9fe6d
@fanquake fanquake mentioned this pull request Jun 9, 2022
Merged
@fanquake
Copy link
Member

fanquake commented Jun 9, 2022

Backported to 23.x in #25316.

fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 9, 2022
@achow101 @fanquake
windeploy: Renewed windows code signing certificate
c4aacfb 
Github-Pull: bitcoin#25201
Rebased-From: 7e9fe6d
@fanquake fanquake mentioned this pull request Jun 9, 2022
Merged
@fanquake
Copy link
Member

fanquake commented Jun 9, 2022

Backported to 22.x in #25317.

laanwj added a commit that referenced this pull request Jun 10, 2022
@laanwj
Merge #25317: 22.x Backport new Windows code signing certificate
cfb0eea 
c4aacfb windeploy: Renewed windows code signing certificate (Andrew Chow)

Pull request description:

  Backports:
  - #25201

ACKs for top commit:
  LarryRuane:
    utACK c4aacfb

Tree-SHA512: cce6c85cecf0014e0b123b42e454db2123becf02f4274b1c355f69d8e7b8f77cd12af86adc251da8146b7bd3a55e9f47e3c1ed12f70c5267b3ac3283634526ec
maflcko pushed a commit that referenced this pull request Jul 8, 2022
Merge #25316: 23.x backports
a33ec8a 
4ebf6e3 p2p: always set nTime for self-advertisements (Martin Zumsande)
039ef21 tests: Use descriptor that requires both legacy and segwit (Andrew Chow)
5fd25eb tests: Calculate input weight more accurately (Andrew Chow)
bd6d3ac windeploy: Renewed windows code signing certificate (Andrew Chow)
32fa522 test: ensure createmultisig and addmultisigaddress are not returning any warning for expected cases (brunoerg)
7658055 rpc: fix inappropriate warning for address type p2sh-segwit in createmultisig and addmultisigaddress (brunoerg)

Pull request description:

  Backports:
  - #24454
  - #25201
  - #25220
  - #25314

ACKs for top commit:
  LarryRuane:
    re-utACK 4ebf6e3
  achow101:
    ACK 4ebf6e3

Tree-SHA512: add3999d0330b3442f3894fce38ad9b5adc75da7d681c949e1d052bac5520c2c6fb06eba98bfbeb4aa9a560170451d24bf00d08dddd4a3d080030ecb8ad61882
@bitcoin bitcoin locked and limited conversation to collaborators Jun 9, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@fanquake fanquake fanquake approved these changes

Assignees

No one assigned

Labels

Scripts and tools

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@achow101 @laanwj @fanquake @RandyMcMillan @DrahtBot