digitalmars.D.announce - Release D 2.100.2
Glad to announce D 2.100.2, ♥ to the 18 contributors.

http://dlang.org/download.html

This point release fixes a few issues over 2.100.2, see the changelog for more details.

http://dlang.org/changelog/2.100.2.html

-Martin
Sep 11 2022
On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:
> Glad to announce D 2.100.2, ♥ to the 18 contributors.
>
> http://dlang.org/download.html
>
> This point release fixes a few issues over 2.100.2, see the changelog for more details.
>
> http://dlang.org/changelog/2.100.2.html
>
> -Martin

Thanks for your hard work and effort doing this! Not nearly enough praise has been given for you keeping this up for many years. Wish you all the best!
Sep 22 2022
On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:
> Glad to announce D 2.100.2, ♥ to the 18 contributors.
>
> http://dlang.org/download.html
>
> This point release fixes a few issues over 2.100.2, see the changelog for more details.
>
> http://dlang.org/changelog/2.100.2.html
>
> -Martin

Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
Nov 01 2022
On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
> On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:
>> Glad to announce D 2.100.2, ♥ to the 18 contributors.
>>
>> http://dlang.org/download.html
>>
>> This point release fixes a few issues over 2.100.2, see the changelog for more details.
>>
>> http://dlang.org/changelog/2.100.2.html
>>
>> -Martin
>
> Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.

The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)
Nov 01 2022
On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster wrote:
> On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
>> Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
>
> The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)

Code signing certs have been expired for nearly two years now, and are no longer functional. It is not yet decided what this should be replaced with, granted that buying a cert now is both eye-wateringly more expensive compared to 2016, and appears to force you to have some form of 2FA - be it hardware token or cloud signing platform.
Nov 03 2022
On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
> On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster wrote:
>> On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
>>> Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
>>
>> The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)
>
> Code signing certs have been expired for nearly two years now, and are no longer functional. It is not yet decided what this should be replaced with, granted that buying a cert now is both eye-wateringly more expensive compared to 2016, and appears to force you to have some form of 2FA - be it hardware token or cloud signing platform.

Last time I had to do this:

Basically you have Certum.pl which provides cloud-signing, this company responds quickly, getting an individual OV certificate takes about 2-3 days. "Cloud" signing needs a phone token, a phone app SimplySign, that lasts 15 minutes or so.

On the other hand, .p12/.pfx vendors are almost entirely COMODO/Sectigo now, it works offline, getting a certificate is more painful with them and will require a hardware token even for OV beginning this month.

0. It's less hassle not to do anything, but well we could have a supply-chain attack one day.
1. If cloud/simplysign workflow is OK, Certum may be less hassle.
2. Possibly safer / less problems in build to just get the EV from Sectigo in a hardware token. Especially if you commit the secret in CI.

Since November signing will require hardware token or private key in cloud (2FA).
Nov 04 2022
On Friday, 4 November 2022 at 12:39:04 UTC, Guillaume Piolat wrote:
> On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
>> On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster wrote:
>>> On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
>>>> Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
>>>
>>> The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)
>>
>> Code signing certs have been expired for nearly two years now, and are no longer functional. It is not yet decided what this should be replaced with, granted that buying a cert now is both eye-wateringly more expensive compared to 2016, and appears to force you to have some form of 2FA - be it hardware token or cloud signing platform.
>
> Last time I had to do this:
>
> Basically you have Certum.pl which provides cloud-signing, this company responds quickly, getting an individual OV certificate takes about 2-3 days. "Cloud" signing needs a phone token, a phone app SimplySign, that lasts 15 minutes or so.

If this can be distributed between a group of people - let's say six or more - that might be OK, but not exactly as seamless as, say, just triggering a GitHub runner pipeline and walking away.

> On the other hand, .p12/.pfx vendors are almost entirely COMODO/Sectigo now, it works offline, getting a certificate is more painful with them and will require a hardware token even for OV beginning this month.
>
> 0. It's less hassle not to do anything, but well we could have a supply-chain attack one day.
> 1. If cloud/simplysign workflow is OK, Certum may be less hassle.
> 2. Possibly safer / less problems in build to just get the EV from Sectigo in a hardware token. Especially if you commit the secret in CI.
>
> Since November signing will require hardware token or private key in cloud (2FA).

What does "in a hardware token" mean for us?

Is it required to have it to hand every time we have to sign a beta, rc, final release binary? Does it bind us to a specific OS because of locked-in proprietary tools? In what way would it hamper the ability to sign built binaries on a virtual machine, in a remote server, behind a read-only console UI?
Nov 04 2022
On Friday, 4 November 2022 at 13:01:09 UTC, Iain Buclaw wrote:
> What does "in a hardware token" mean for us?
>
> Is it required to have it to hand every time we have to sign a beta, rc, final release binary? Does it bind us to a specific OS because of locked-in proprietary tools?

Unfortunately I don't know.

> In what way would it hamper the ability to sign built binaries on a virtual machine, in a remote server, behind a read-only console UI?

Probably in a big way. Previously, I would just commit the .pfx/.p12, this will soon be impossible (granted, committing the cert lowers security). This won't be possible, perhaps already isn't. The Certum "cloud" solution needs a desktop app AND a phone APP (Android/iPhone), and is unsuitable for CI.

All this just for Windows code signing. My prediction is that in a few years Microsoft will stop this nightmare and do like Apple and you will just cloud-sign stuff with a microsoft.com account. This will be a lot better.

---- THAT SAID ----

Now, codesigning certificates do not provide automatic warning removal. Every Windows program has an Authenticode score, having an EV just gets you a high score from the get go, but you still have reputation. So the only thing you buy is freedom from the warning pop-up and the user gets some safety. An OV gets no initial reputation, and the word on the street is that when you change cert every 3 years you must regain that reputation.

One could perhaps use a self-signed certificate that will allow to reuse that Authenticode reputation, I'm not sure.
Nov 04 2022
On Friday, 4 November 2022 at 14:14:43 UTC, Guillaume Piolat wrote:
> One could perhaps use a self-signed certificate that will allow to reuse that Authenticode reputation, I'm not sure.

Now, to be very clear: there is a chance that even a non-CA certificate would accumulate trust, since according to MS:

> Application reputation for unsigned software is based on fingerprints while publisher reputation is based on signed software associated with a code signing certificate.

It's not entirely clear that you absolutely require a real trusted CA to get that reputation.
Nov 04 2022
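The thread turns on one defender-side question: does a release artifact carry an Authenticode signature block at all, before anyone asks whether SmartScreen will like it. The script below is an added example, not part of this thread and not the D project's release tooling. It uses only the Python standard library to walk the PE headers to the security data directory (slot 4, per the PE/COFF specification) and reports whether a WIN_CERTIFICATE envelope with a PKCS#7 SignedData blob is present, so an unsigned installer is caught by a release gate instead of by a user's SmartScreen pop-up. The sample images it checks are constructed in `build_sample_pe` (header-only, not loadable, with placeholder bytes in place of real DER); the artifact names are made up.

```python
"""Added example (not from the thread or the D release tooling): stdlib-only
check for the presence of an Authenticode signature block in a PE file.
Header offsets follow the PE/COFF specification; sample images are constructed."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData blob
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def inspect_pe(data: bytes) -> dict:
    """Locate the security directory and describe the signature block, if any.
    Raises ValueError on anything that is not a well-formed PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dir_base = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    result = {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC,
              "signed": False, "pkcs7": False, "cert_size": 0}
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # The slot must exist in the table and must fit inside the optional header.
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return result
    cert_off, cert_size = struct.unpack_from("<II", data, entry)  # file offset, not an RVA
    if cert_off == 0 or cert_size == 0:
        return result
    if cert_size < 8 or cert_off + cert_size > len(data):
        raise ValueError("security directory does not fit in the file (truncated or tampered)")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    result.update(signed=True, cert_size=dw_length, revision=revision, cert_type=cert_type,
                  pkcs7=cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return result


def unsigned_artifacts(release: dict) -> list:
    """Release gate: names of artifacts that carry no PKCS#7 signature block."""
    return sorted(name for name, blob in release.items() if not inspect_pe(blob)["pkcs7"])


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (headers only, nothing loadable). With
    signed=True a WIN_CERTIFICATE envelope holding placeholder bytes is appended
    and referenced from the security directory, as a signing tool would do."""
    e_lfanew, opt_size = 0x40, 240
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    headers_end = e_lfanew + 4 + 20 + opt_size  # 328, already 8-byte aligned
    cert_off = cert_len = 0
    cert_blob = b""
    if signed:
        payload = b"<placeholder PKCS#7 SignedData, not real DER>"  # constructed
        cert_len, cert_off = 8 + len(payload), headers_end
        cert_blob = struct.pack("<IHH", cert_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_len)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    # Hypothetical release contents; names are made up for the demonstration.
    release = {"installer-signed.exe": build_sample_pe(signed=True),
               "installer-unsigned.exe": build_sample_pe(signed=False)}
    for name, blob in release.items():
        print(name, inspect_pe(blob))
    print("unsigned artifacts:", unsigned_artifacts(release))
```

Presence of the block is the cheap, portable check; it says nothing about whether the signature verifies, whether the chain ends in a CA Windows trusts, or whether the certificate is the expired one the thread describes. For that, run the platform verifier on the real file (`signtool verify /pa /v` or PowerShell's `Get-AuthenticodeSignature`) and gate on its status, not just on this structural check.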