Skip to content

Update Windows signing certificate SHA hash in Makefile #4946

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
chrisd8088 merged 1 commit into from
Apr 19, 2022
Merged

Update Windows signing certificate SHA hash in Makefile #4946

chrisd8088 merged 1 commit into from
Apr 19, 2022

Conversation

@chrisd8088
Copy link
Member

@chrisd8088 chrisd8088 commented Apr 15, 2022

The Git LFS signing certificate for Windows binaries has changed, so we update the default signing certificate SHA-1 hash in the Makefile.

(The last update was in 2019 in PR #3623.)

@chrisd8088 chrisd8088 requested a review from a team as a code owner April 15, 2022 22:31
@znull
Copy link

znull commented Apr 16, 2022

Judging from 3b7c60f and 5cb868b, we could just drop support for this instead? Referencing a cert by sha1 seems to be a holdover from when a custom VM was used to build release packages, and I'm getting the feeling that's not something needed anymore.

@chrisd8088
Copy link
Member Author

chrisd8088 commented Apr 16, 2022

That's entirely possible; there's definitely a chance we don't need this.

bk2204
bk2204 approved these changes Apr 19, 2022
View reviewed changes
Copy link
Member

@bk2204 bk2204 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is possible we don't need this, but since the alternative is that our release fails and I'd like for at least our next release to be rather boring considering the problems we had last time, let's go ahead with this. We can investigate further with our test repo and see if it's not needed in the future, and if so, remove it.

Also, I'm sure you already thought of this, but since I didn't see the cert myself, this is specifically the certificate fingerprint, and not a hash of the PKCS#12 file, so you'd need to query OpenSSL for this directly if you didn't.

@bk2204
Copy link
Member

bk2204 commented Apr 19, 2022
edited
Loading

Actually, OpenSSL says the certificate SHA-1 should be 27:EA:8F:81:CE:92:0B:CC:D2:17:4E:3B:27:2F:2B:A2:47:60:5B:E6 (obviously, in the Makefile, without the colons and in lowercase).

The thing I did here is this:

$ openssl pkcs12 -info -in codesign.pfx -out $TMPDIR/foo.pem -provider default -provider legacy -nokeys
$ openssl x509 -text -in $TMPDIR/foo.pem -fingerprint

I think the hash you provided is that of the PKCS#12 file, which I don't think is what Windows wants here.

@chrisd8088
Makefile: update Windows signing certificate hash
16eec17 
The Git LFS signing certificate for Windows binaries has changed, so
we update the default signing certificate SHA-1 hash in the Makefile.

(The last update was in 2019 in PR git-lfs#3623.)

The commands used to generate this hash were:

openssl pkcs12 -info -in codesign.pfx -out foo.pem
openssl x509 -text -in foo.pem -fingerprint | \
  grep Fingerprint | sed 's/^SHA1 Fingerprint=//' | \
  sed 's/://g' | tr [:upper:] [:lower:]

h/t kb2204 for the info on the fingerprint
@chrisd8088 chrisd8088 force-pushed the update-windows-cert-sha branch from 7187bd3 to 16eec17 Compare April 19, 2022 15:17
@chrisd8088
Copy link
Member Author

chrisd8088 commented Apr 19, 2022

Thanks for the correction, @bk2204 -- I think I've updated this again now with the expected hash of the fingerprint.

@chrisd8088 chrisd8088 merged commit db455a8 into git-lfs:main Apr 19, 2022
@chrisd8088 chrisd8088 deleted the update-windows-cert-sha branch April 19, 2022 16:38
chrisd8088 added a commit to chrisd8088/git-lfs that referenced this pull request Mar 1, 2023
@chrisd8088
Makefile: update Windows signing certificate hash
1f3bb87 
The Git LFS signing certificate for Windows binaries has changed, so
we update the default signing certificate SHA-1 hash in the Makefile.

(The last update was in commit 16eec17
of PR git-lfs#4946 in 2022.)

The commands used to generate this hash were:

openssl pkcs12 -info -in codesign.pfx -out codesign.pem
openssl x509 -text -in codesign.pem -fingerprint | \
  grep Fingerprint | sed 's/^SHA1 Fingerprint=//' | \
  sed 's/://g' | tr [:upper:] [:lower:]
@chrisd8088 chrisd8088 mentioned this pull request Mar 1, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bk2204 bk2204 bk2204 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chrisd8088 @znull @bk2204