Release D 2.100.2
Guillaume Piolat
first.last at spam.org
Fri Nov 4 12:39:04 UTC 2022
On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
> On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster
> wrote:
>> On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
>>> Windows is showing SmartScreen warnings when trying to run
>>> the Windows installer. Also, the installed version reports as
>>> v2.100.2-dirty.
>>
>> The next few releases are unsigned as those with the keys
>> cannot be contacted (or, that's from what I've heard.)
>
> Code signing certs have been expired for nearly two years now,
> and are no longer functional. It is not yet decided what this
> should be replaced with, granted that buying a cert now is both
> eye-wateringly more expensive compared to 2016, and appears to
> force you to have some form of 2FA - be it hardware token or
> cloud signing platform.

Last time I had to do this:

Basically you have Certum.pl which provides cloud-signing, this
company responds quickly, getting an individual OV certificate
takes about 2-3 days.

"Cloud" signing needs a phone token, a phone app SimplySign,
that lasts 15 minutes or so.

On the other hand, .p12/.pfx vendors are almost entirely
COMODO/Sectigo now, it works offline, getting a certificate is
more painful with them and will require a hardware token even for
OV beginning this month.

0. It's less hassle not to do anything, but well we could have a
supply-chain attack one day.
1. If cloud/SimplySign workflow is OK, Certum may be less hassle.
2. Possibly safer / fewer problems in build to just get the EV
from Sectigo in a hardware token. Especially if you commit the
secret in CI.

Since November, signing will require a hardware token or a private key
in the cloud (2FA).