• Martin Nowak (6/6) Sep 11 2022 Glad to announce D 2.100.2, ♥ to the 18 contributors.
• Iain Buclaw (5/11) Sep 22 2022 Thanks for your hard work and effort doing this! Not nearly
• JN (4/10) Nov 01 2022 Windows is showing SmartScreen warnings when trying to run the
• Ruby The Roobster (3/18) Nov 01 2022 The next few releases are unsigned as those with the keys cannot
• Iain Buclaw (8/14) Nov 03 2022 Code signing certs have been expired for nearly two years now,
• Guillaume Piolat (19/34) Nov 04 2022 Last time I had to do this:
• Iain Buclaw (11/47) Nov 04 2022 If this can be distributed between a group of people - let's say
• Guillaume Piolat (22/29) Nov 04 2022 Probably in a big way.
• Guillaume Piolat (6/11) Nov 04 2022 Now, to be very clear: there is a chance that even a non-CA

Martin Nowak <code dawg.eu> writes:

Glad to announce D 2.100.2, ♥ to the 18 contributors.

http://dlang.org/download.html

This point release fixes a few issues over 2.100.2, see the 
changelog for more details.

http://dlang.org/changelog/2.100.2.html

-Martin

Iain Buclaw <ibuclaw gdcproject.org> writes:

On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:
 Glad to announce D 2.100.2, ♥ to the 18 contributors.

 http://dlang.org/download.html

 This point release fixes a few issues over 2.100.2, see the 
 changelog for more details.

 http://dlang.org/changelog/2.100.2.html

 -Martin

Thanks for your hard work and effort doing this!  Not nearly 
enough praise has been given for you keeping this up for many 
years.

Wish you all the best!

JN <666total wp.pl> writes:

On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:
 Glad to announce D 2.100.2, ♥ to the 18 contributors.

 http://dlang.org/download.html

 This point release fixes a few issues over 2.100.2, see the 
 changelog for more details.

 http://dlang.org/changelog/2.100.2.html

 -Martin

Windows is showing SmartScreen warnings when trying to run the 
Windows installer. Also, the installed version reports as 
v2.100.2-dirty.

Ruby The Roobster <rubytheroobster yandex.com> writes:

On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
 On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak 
 wrote:
 Glad to announce D 2.100.2, ♥ to the 18 contributors.

 http://dlang.org/download.html

 This point release fixes a few issues over 2.100.2, see the 
 changelog for more details.

 http://dlang.org/changelog/2.100.2.html

 -Martin

 Windows is showing SmartScreen warnings when trying to run the 
 Windows installer. Also, the installed version reports as 
 v2.100.2-dirty.

The next few releases are unsigned as those with the keys cannot 
be contacted (or, that's from what I've heard.)

Iain Buclaw <ibuclaw gdcproject.org> writes:

On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster 
wrote:
 On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
 Windows is showing SmartScreen warnings when trying to run the 
 Windows installer. Also, the installed version reports as 
 v2.100.2-dirty.

 The next few releases are unsigned as those with the keys 
 cannot be contacted (or, that's from what I've heard.)

Code signing certs have been expired for nearly two years now, 
and are no longer functional.  It is not yet decided what this 
should be replaced with, granted that buying a cert now is both 
eye-wateringly more expensive compared to 2016, and appears to 
force you to have some form of 2FA - be it hardware token or 
cloud signing platform.

Guillaume Piolat <first.last spam.org> writes:

On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
 On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster 
 wrote:
 On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
 Windows is showing SmartScreen warnings when trying to run 
 the Windows installer. Also, the installed version reports as 
 v2.100.2-dirty.

 The next few releases are unsigned as those with the keys 
 cannot be contacted (or, that's from what I've heard.)

 Code signing certs have been expired for nearly two years now, 
 and are no longer functional.  It is not yet decided what this 
 should be replaced with, granted that buying a cert now is both 
 eye-wateringly more expensive compared to 2016, and appears to 
 force you to have some form of 2FA - be it hardware token or 
 cloud signing platform.

Last time I had to do this:

Basically you have Certum.pl which provides cloud-signing, this 
company responds quickly, getting a individual OV certificate 
takes about 2-3 days.
"cloud" signing with needs a phone token, a phone app SimplySign, 
that last 15 minutes or so.

On the other hand, .p12/.pfx vendors are almost entirely 
COMODO/Sectigo now, it works offline, getting a certificate is 
more painful with them and will require a hardware token even for 
OV beginning this month.

0. It's less hassle not to do anything, but well we could have a 
supply-chain attack one day.
1. If cloud/simplysign workflow is OK, Certum may be less hassle.
2. Possibly safer / less problems in build to just get the EV 
from Sectigo in a hardware token. Especially if you commit the 
secret in CI.

Since November signing will require hardware token or private key 
in cloud (2FA).

Iain Buclaw <ibuclaw gdcproject.org> writes:

On Friday, 4 November 2022 at 12:39:04 UTC, Guillaume Piolat 
wrote:
 On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
 On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster 
 wrote:
 On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
 Windows is showing SmartScreen warnings when trying to run 
 the Windows installer. Also, the installed version reports 
 as v2.100.2-dirty.

 The next few releases are unsigned as those with the keys 
 cannot be contacted (or, that's from what I've heard.)

 Code signing certs have been expired for nearly two years now, 
 and are no longer functional.  It is not yet decided what this 
 should be replaced with, granted that buying a cert now is 
 both eye-wateringly more expensive compared to 2016, and 
 appears to force you to have some form of 2FA - be it hardware 
 token or cloud signing platform.

 Last time I had to do this:

 Basically you have Certum.pl which provides cloud-signing, this 
 company responds quickly, getting a individual OV certificate 
 takes about 2-3 days.
 "cloud" signing with needs a phone token, a phone app 
 SimplySign, that last 15 minutes or so.

If this can be distributed between a group of people - let's say 
six or more - that might be OK, but not exactly as seamless as, 
say, just trigger a GitHub runner pipeline an walk away.

 On the other hand, .p12/.pfx vendors are almost entirely 
 COMODO/Sectigo now, it works offline, getting a certificate is 
 more painful with them and will require a hardware token even 
 for OV beginning this month.

 0. It's less hassle not to do anything, but well we could have 
 a supply-chain attack one day.
 1. If cloud/simplysign workflow is OK, Certum may be less 
 hassle.
 2. Possibly safer / less problems in build to just get the EV 
 from Sectigo in a hardware token. Especially if you commit the 
 secret in CI.

 Since November signing will require hardware token or private 
 key in cloud (2FA).

What does in a hardware token mean for us? Is it required to have 
it to hand every time we have to sign a beta, rc, final release 
binary?  Does it bound us to a specific OS because of locked in 
proprietary tools?  In what way would it hamper the ability to 
sign built binaries on a virtual machine, in a remote server, 
behind a read-only console UI?

Guillaume Piolat <first.last spam.org> writes:

On Friday, 4 November 2022 at 13:01:09 UTC, Iain Buclaw wrote:
 What does in a hardware token mean for us? Is it required to 
 have it to hand every time we have to sign a beta, rc, final 
 release binary?  Does it bound us to a specific OS because of 
 locked in proprietary tools?

Unfortunately I don't know.

 In what way would it hamper the ability to sign built binaries 
 on a virtual machine, in a remote server, behind a read-only 
 console UI?

Probably in a big way.

Previously, I would just commit the .pfx//.p12, this will be soon 
impossible (granted, this lower security to commit the cert). 
This won't be possible, perhaps already is.

The Certum "cloud" solution needs a desktop app AND a phone APP 
(Android/iPhone), and is unsuitable for CI.

All this just for Windows code signing.

My prediction is that in a few years Microsoft will stop this 
nightmare and do like Apple and you will just cloud-sign stuff 
with a microsoft.com account. This will be a lot better.


---- THAT SAID ----

Now, codesigning certificates do not preovide automatic warning 
removal. Every Windows program has an Authenticode score, having 
an EV just gets you a high score from the get go, but you still 
have reputation. So the only thing you buy is freedom from the 
warning pop-up and the user gets some safety. An OV gets no 
initial reputation, and the word on the street is that when you 
change cert every 3 years you must regain that reputation.

One could perhaps use a self-signed certificate that will allow 
to reuse that Authenticode reputation, I'm not sure.

Guillaume Piolat <first.last spam.org> writes:

On Friday, 4 November 2022 at 14:14:43 UTC, Guillaume Piolat 
wrote:
 One could perhaps use a self-signed certificate that will allow 
 to reuse that Authenticode reputation, I'm not sure.


Now, to be very clear: there is a chance that even a non-CA 
certificate would accumulate trust, since according to MS:

 Application reputation for unsigned software is based on 
 fingerprints while publisher reputation is based on signed 
 software associated with a code signing certificate.

It's not entirely clear that you absolutely require a real 
trustedd CA to get that reputation.