Release D 2.100.2

Iain Buclaw ibuclaw at gdcproject.org
Fri Nov 4 13:01:09 UTC 2022


On Friday, 4 November 2022 at 12:39:04 UTC, Guillaume Piolat 
wrote:
> On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
>> On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster 
>> wrote:
>>> On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
>>>> Windows is showing SmartScreen warnings when trying to run 
>>>> the Windows installer. Also, the installed version reports 
>>>> as v2.100.2-dirty.
>>>
>>> The next few releases are unsigned as those with the keys 
>>> cannot be contacted (or, that's from what I've heard.)
>>
>> Code signing certs have been expired for nearly two years now, 
>> and are no longer functional.  It is not yet decided what this 
>> should be replaced with, granted that buying a cert now is 
>> both eye-wateringly more expensive compared to 2016, and 
>> appears to force you to have some form of 2FA - be it hardware 
>> token or cloud signing platform.
>
> Last time I had to do this:
>
> Basically you have Certum.pl which provides cloud signing; this 
> company responds quickly, and getting an individual OV certificate 
> takes about 2-3 days.
> "Cloud" signing needs a phone token, a phone app (SimplySign), 
> that lasts 15 minutes or so.
>

If this can be distributed between a group of people - let's say 
six or more - that might be OK, but not exactly as seamless as, 
say, just triggering a GitHub runner pipeline and walking away.

> On the other hand, .p12/.pfx vendors are almost entirely 
> COMODO/Sectigo now, it works offline, getting a certificate is 
> more painful with them and will require a hardware token even 
> for OV beginning this month.
>
> 0. It's less hassle not to do anything, but well we could have 
> a supply-chain attack one day.
> 1. If cloud/simplysign workflow is OK, Certum may be less 
> hassle.
> 2. Possibly safer / fewer problems in the build to just get the EV 
> from Sectigo on a hardware token. Especially if you commit the 
> secret in CI.
>
> Since November signing will require hardware token or private 
> key in cloud (2FA).

What does "in a hardware token" mean for us? Is it required to have 
it to hand every time we have to sign a beta, rc, or final release 
binary?  Does it bind us to a specific OS because of locked-in 
proprietary tools?  In what way would it hamper the ability to 
sign built binaries on a virtual machine, on a remote server, 
behind a read-only console UI?
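
The thread above starts from an installer that shipped without an 
Authenticode signature and tripped SmartScreen. Whatever signing 
route is chosen, a release pipeline can at least refuse to publish 
a binary that carries no certificate table at all. The script below 
is an added example written for this page, not code from the thread 
or from the D project's release tooling. It walks the PE headers to 
data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) and checks that 
the referenced WIN_CERTIFICATE header looks like an Authenticode 
entry. The sample images it builds are constructed headers-only 
files that do not load, and FAKE_PKCS7 is placeholder bytes, not a 
real signature; the check reports presence only, and validating the 
chain and timestamp still needs signtool, Get-AuthenticodeSignature 
or osslsigncode.

```python
"""Report whether a Windows PE file carries an Authenticode certificate table.

Added example for this page; not code from the thread or the D project.
Presence of the table is all it establishes, not signature validity.
"""
import struct
import sys
from typing import Optional, Tuple

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory index (PE spec)
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002      # Authenticode PKCS#7 SignedData


def security_directory(data: bytes) -> Tuple[int, int]:
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent.

    The security entry is the one data directory that stores a raw file
    offset instead of an RVA: the table sits outside every section.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        n_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return (0, 0)
    off, size = struct.unpack_from("<II", data, entry)
    return (off, size)


def authenticode_status(data: bytes) -> str:
    """'unsigned', 'present', or 'malformed' (table outside the file or the
    WIN_CERTIFICATE header is not an Authenticode PKCS#7 entry)."""
    off, size = security_directory(data)
    if size == 0:
        return "unsigned"
    if size < 8 or off + size > len(data):
        return "malformed"
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length < 8 or length > size:
        return "malformed"
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "malformed"
    return "present"


# Constructed sample inputs below: header-only images that are not loadable.

def win_certificate(pkcs7: bytes) -> bytes:
    """Wrap a PKCS#7 blob in a WIN_CERTIFICATE header, padded to 8 bytes."""
    length = 8 + len(pkcs7)
    padded = (length + 7) & ~7
    header = struct.pack("<IHH", length, WIN_CERT_REVISION_2_0,
                         WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + pkcs7 + b"\0" * (padded - length)


def build_minimal_pe(cert_table: Optional[bytes], pe32plus: bool = True) -> bytes:
    """DOS header + PE signature + COFF header + optional header, optionally
    followed by a certificate table referenced from data directory 4."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    dirs_off, n_dirs_off = (112, 108) if pe32plus else (96, 92)
    opt_size = dirs_off + 16 * 8                           # 16 data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, n_dirs_off, 16)            # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x22)
    headers_len = 64 + 4 + 20 + opt_size
    if cert_table is not None:
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + (cert_table or b"")


FAKE_PKCS7 = b"\x30\x82\x00\x10" + b"\x00" * 16   # placeholder, not a real signature
UNSIGNED_SAMPLE = build_minimal_pe(None)
SIGNED_SAMPLE = build_minimal_pe(win_certificate(FAKE_PKCS7))

if __name__ == "__main__":
    # Usage: python check_authenticode.py <installer.exe>; non-zero exit unless present.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SIGNED_SAMPLE
    status = authenticode_status(blob)
    print(status)
    sys.exit(0 if status == "present" else 1)
```

Run it against the built installer as a release gate before upload; 
an "unsigned" result is exactly the state that produced the 
SmartScreen warning reported at the top of this thread. Since it 
only inspects bytes, it works the same on a Linux build VM or a 
remote server with no Windows SDK, which is also why it cannot 
replace a real signature verification step.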


More information about the Digitalmars-d-announce mailing list