Release D 2.100.2

Guillaume Piolat first.last at spam.org
Fri Nov 4 14:14:43 UTC 2022
On Friday, 4 November 2022 at 13:01:09 UTC, Iain Buclaw wrote:
> What does in a hardware token mean for us? Is it required to 
> have it to hand every time we have to sign a beta, rc, final 
> release binary?  Does it bound us to a specific OS because of 
> locked in proprietary tools?

Unfortunately I don't know.

> In what way would it hamper the ability to sign built binaries 
> on a virtual machine, in a remote server, behind a read-only 
> console UI?

Probably in a big way.

Previously, I would just commit the .pfx/.p12; this will soon be 
impossible (granted, committing the cert lowers security). 
This won't be possible, perhaps it already isn't.

The Certum "cloud" solution needs a desktop app AND a phone app 
(Android/iPhone), and is unsuitable for CI.

All this just for Windows code signing.

My prediction is that in a few years Microsoft will stop this 
nightmare and do like Apple and you will just cloud-sign stuff 
with a microsoft.com account. This will be a lot better.


---- THAT SAID ----

Now, code-signing certificates do not provide automatic warning 
removal. Every Windows program has an Authenticode score; having 
an EV just gets you a high score from the get-go, but you still 
have reputation. So the only thing you buy is freedom from the 
warning pop-up and the user gets some safety. An OV gets no 
initial reputation, and the word on the street is that when you 
change certs every 3 years you must regain that reputation.

One could perhaps use a self-signed certificate that would allow 
reusing that Authenticode reputation, I'm not sure.
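The CI workflow the post describes (sign a built binary from a file-based .pfx, then check what you got) as an added PowerShell example. This is not code from the original post or from the D project; it assumes signtool.exe from the Windows SDK is on PATH, that the PFX password arrives through a hypothetical CODESIGN_PFX_PASSWORD environment variable rather than being committed, and that the timestamp URL is a placeholder you replace with your CA's time-stamping service. The EV check relies on the CA/Browser Forum EV code-signing policy OID; OV and EV certificates sign identically, so the certificate policy is the only on-disk difference between the two.

```powershell
# Added example, not from the original post: sign a binary from a .pfx in CI,
# then inspect the resulting Authenticode signature.
param(
    [Parameter(Mandatory)] [string] $Binary,   # e.g. .\dist\app.exe
    [Parameter(Mandatory)] [string] $PfxPath,  # e.g. path handed to the job as a CI secret file
    [string] $TimestampUrl = 'http://timestamp.example.com'  # assumption: placeholder TSA URL
)

# Assumption: the PFX password is injected by the CI system, never stored in the repo.
$pfxPassword = $env:CODESIGN_PFX_PASSWORD
if (-not $pfxPassword) { throw 'CODESIGN_PFX_PASSWORD is not set' }

# 1. Sign with a SHA-256 file digest and an RFC 3161 timestamp, so the
#    signature remains valid after the certificate itself expires.
& signtool.exe sign /f $PfxPath /p $pfxPassword /fd SHA256 `
    /tr $TimestampUrl /td SHA256 $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit $LASTEXITCODE)" }

# 2. Verify against the default Authenticode verification policy (/pa).
& signtool.exe verify /pa /v $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit $LASTEXITCODE)" }

# 3. Inspect the signature from PowerShell: status, signer, expiry, timestamp,
#    and whether the cert carries the CA/B Forum EV code-signing policy OID.
$sig  = Get-AuthenticodeSignature -FilePath $Binary
$cert = $sig.SignerCertificate

# Certificate Policies extension is OID 2.5.29.32; look for the EV policy inside it.
$policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$isEv = $false
if ($policyExt) {
    $isEv = $policyExt.Format($true) -match '2\.23\.140\.1\.3'
}

[pscustomobject]@{
    File        = $Binary
    Status      = $sig.Status                      # Valid / NotSigned / HashMismatch / ...
    Subject     = $cert.Subject
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter                   # timestamped signatures outlive this date
    EVPolicy    = $isEv
    Timestamped = [bool]$sig.TimeStamperCertificate
} | Format-List
```

Run it as `.\sign-and-inspect.ps1 -Binary .\dist\app.exe -PfxPath $env:PFX_FILE`. With a hardware token or a cloud signing service the private key never exists as a file, so the `/f` and `/p` switches no longer apply; signtool instead selects a certificate already installed in the Windows store with `/sha1 <thumbprint>`, and the token's own driver or vendor tool must be present on the signing machine, which is exactly the CI and remote-server constraint the thread is asking about.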




More information about the Digitalmars-d-announce mailing list