Skip to content

windeploy: Renewed windows code signing certificate#25201

Merged
fanquake merged 1 commit intobitcoin:masterfrom
achow101:2022-05-win-cert
May 27, 2022
Merged

windeploy: Renewed windows code signing certificate#25201
fanquake merged 1 commit intobitcoin:masterfrom
achow101:2022-05-win-cert

Conversation

@achow101
Copy link
Member

@achow101 achow101 commented May 24, 2022

The current windows code signing certificate expires on May 26 23:59:59 2022 GMT. I have purchased a new code signing certificate which will expire on May 29 23:59:59 2024 GMT.

@laanwj
Copy link
Member

laanwj commented May 24, 2022

Concept ACK, thanks for updating the cert.

@laanwj
Copy link
Member

laanwj commented May 26, 2022

This is the data inside the certificates file, dumped with:

$ csplit contrib/windeploy/win-codesign.cert '/-----BEGIN CERTIFICATE-----/' '{*}'
$ openssl x509 -in xx01 -text 
$ openssl x509 -in xx02 -text 
$ openssl x509 -in xx03 -text 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:65:6f:75:06:a5:ef:65:36:43:16:d4:4d:3d:d2:45
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
        Validity
            Not Before: May 24 00:00:00 2022 GMT
            Not After : May 29 23:59:59 2024 GMT
        Subject: C = US, ST = Delaware, L = Lewes, O = Bitcoin Core Code Signing LLC, CN = Bitcoin Core Code Signing LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b7:b0:c5:f8:f3:b6:e4:53:0c:d0:06:7f:bc:e4:
                    aa:a5:8d:12:dd:bc:09:99:95:24:7a:18:96:d5:51:
                    c6:d1:35:04:fe:39:05:f9:a9:b4:7e:5e:33:52:42:
                    fd:7a:2c:4c:fc:ad:1d:11:5e:3a:43:b8:61:50:2d:
                    88:42:f1:2b:d4:bf:f3:63:99:94:a0:3b:33:1e:cf:
                    5b:ab:ef:d7:5f:38:bb:cf:a6:3f:75:a9:4c:df:ca:
                    01:94:da:5b:d7:c1:d0:42:d3:48:2b:aa:b2:f5:ea:
                    d9:ca:cc:d9:3e:cd:b9:d2:67:4b:25:a1:d9:50:63:
                    2d:f3:cf:08:07:18:c3:3c:86:29:06:e5:8d:05:a3:
                    14:42:43:25:61:4a:f3:7b:7d:98:af:ef:d1:64:20:
                    03:78:c6:25:e6:b3:f9:5e:82:61:73:12:ed:48:29:
                    74:6f:1d:52:18:3d:a3:ad:e0:60:96:40:5b:9a:58:
                    44:8b:0d:45:c2:42:33:92:c7:87:01:0c:5b:9d:f6:
                    f5:4b:13:99:80:9f:3f:bf:f9:dd:e9:9e:a5:b4:34:
                    9f:c8:a3:55:98:e0:68:9f:8b:67:c3:6c:a4:12:d2:
                    78:28:85:f5:43:c2:29:7f:36:b9:68:90:01:44:db:
                    60:70:9f:4a:2d:c8:d1:fd:f0:42:27:57:2f:d6:58:
                    f8:f5:e6:6a:53:3b:04:cb:90:f9:cd:b1:11:c9:7d:
                    ec:29:e1:ac:3c:f1:10:1c:19:be:f3:82:f7:01:a8:
                    1b:ef:3e:7a:95:78:4e:35:19:59:ff:bb:40:dd:59:
                    61:e8:35:ad:a8:bb:73:b7:3c:bb:d2:0b:a2:01:3c:
                    b2:ed:b1:56:8c:f7:df:74:c7:08:3b:d2:70:88:27:
                    41:79:a4:f9:c6:ca:30:1b:60:f6:43:34:17:e6:8b:
                    5a:c3:76:c5:57:f4:b8:08:f7:53:bb:1d:5c:ba:df:
                    25:e5:b4:0d:92:24:b5:6b:53:05:0c:d7:3b:f3:84:
                    e0:a6:be:d5:61:67:0e:0d:07:24:88:a1:d1:c4:e3:
                    97:d6:18:bd:f7:b9:dc:be:29:08:6c:be:a8:6b:7f:
                    5c:60:51:a8:23:1f:5e:9d:e0:f8:7f:45:19:1e:6b:
                    a5:e9:ec:55:57:2c:ae:fd:c6:6d:37:d8:76:5a:5d:
                    9a:9f:4e:1c:7e:46:e7:b1:93:01:9b:9e:a1:b0:99:
                    83:ba:fb:44:a2:b4:cc:f5:3d:12:24:cb:27:1c:f2:
                    5e:e6:a2:bf:f2:ac:77:c7:88:84:74:63:7b:03:1a:
                    42:e0:2d:40:cd:6d:3b:ea:0a:01:b2:c5:d2:fd:8c:
                    ee:fe:ff:69:54:fb:e9:7d:f6:26:59:58:02:2c:e6:
                    df:38:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42
            X509v3 Subject Key Identifier: 
                BC:2A:54:E7:C3:C8:BA:87:EF:D2:41:C9:DD:3C:B4:60:32:84:CB:77
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                Full Name:
                  URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.4.1
                  CPS: http://www.digicert.com/CPS
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        18:69:4d:9b:9f:47:0b:35:be:bb:48:d3:10:75:fd:45:ab:48:
        42:71:74:f1:e2:bd:fa:57:13:bd:3c:77:3b:a6:26:1d:d3:17:
        3a:6c:11:40:90:5f:90:49:25:eb:75:97:bc:7d:da:c2:8d:78:
        02:fb:be:8b:40:fb:c3:bc:62:f3:03:eb:82:a2:9b:b5:4a:03:
        60:41:f0:03:87:29:06:e9:af:57:36:89:90:70:c2:87:c8:9e:
        f8:91:62:fb:2b:bd:0b:5a:e8:a0:72:d8:a3:9e:d4:bf:e5:d0:
        a9:e9:51:ac:cb:f5:3b:f8:54:ab:ee:58:0c:3f:41:cd:3f:79:
        34:2b:35:94:6c:98:00:ce:47:19:d9:d6:a5:be:4a:91:7e:fd:
        66:da:cc:86:23:a1:df:ce:a9:bd:54:de:89:fe:3f:3c:a2:18:
        3d:d2:8f:33:61:b1:d1:51:a6:da:b3:ac:86:98:51:55:7e:d9:
        71:c6:e1:f3:7a:03:cc:24:c9:02:f9:34:85:57:1a:22:bb:ae:
        a4:b9:56:b4:40:bf:9f:0b:7f:56:59:4e:08:5d:00:bf:b9:4b:
        24:84:d0:eb:11:f6:dd:0a:5b:bd:d9:07:da:71:6e:e6:59:e9:
        97:f1:8e:8b:63:c3:e2:22:94:21:26:dc:00:db:73:b1:1b:da:
        28:c8:e3:1f:26:8b:1d:17:58:c5:2b:84:bd:f8:b3:bf:e3:47:
        20:e2:3f:ed:f4:69:28:23:5a:9e:b5:d6:da:7f:11:84:56:e6:
        4a:48:68:54:7c:01:eb:03:74:cd:03:49:20:82:45:73:8c:c1:
        01:b6:4e:ad:be:0a:7a:88:b4:1e:68:2c:d3:e9:d9:7c:92:c2:
        52:16:be:68:db:ce:c4:44:7c:8a:44:df:28:77:6f:19:87:63:
        eb:c5:21:cd:91:d2:73:64:6d:63:48:4f:a0:06:b5:a1:10:ee:
        85:a4:82:92:bc:60:c9:00:40:27:f8:11:40:b8:41:ae:ea:1e:
        21:fa:61:29:98:26:18:c0:a4:12:c2:ed:40:f0:7a:f8:30:c6:
        e0:eb:c2:29:96:02:3f:ad:0e:4c:dd:9c:43:4c:70:1a:78:48:
        0c:ba:2f:05:2e:0e:2d:88:53:a1:d1:49:75:9d:87:66:04:90:
        36:dc:dc:57:70:92:79:e7:11:66:81:e1:d9:51:2f:ce:58:8c:
        7c:8b:5c:dd:0a:88:4e:d2:29:38:f5:2d:f4:78:74:67:83:a9:
        55:25:0e:3f:43:e7:e5:f8:6b:b1:7c:f7:02:cf:fe:e9:b8:d3:
        fe:76:1d:44:2f:e6:de:56:70:da:ff:e3:ba:fd:69:59:31:f4:
        31:ec:d5:bf:28:52:72:e0

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
        Validity
            Not Before: Apr 29 00:00:00 2021 GMT
            Not After : Apr 28 23:59:59 2036 GMT
        Subject: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d5:b4:2f:42:d0:28:ad:78:b7:5d:d5:39:59:1b:
                    b1:88:42:f5:33:8c:eb:3d:81:97:70:c5:bb:c4:85:
                    26:30:9f:a4:8e:68:d8:5c:f5:eb:34:24:07:e1:4b:
                    4f:d3:78:43:f4:17:d7:1e:da:f9:d2:d5:67:1a:52:
                    4f:0e:a1:57:fc:88:99:c1:91:cc:81:03:3e:4d:70:
                    24:64:b3:8d:e2:08:7d:34:7d:4c:80:57:12:6b:43:
                    9a:99:f2:c5:3b:1f:f2:ef:cb:47:5a:13:a6:4c:b3:
                    01:20:25:f3:10:d3:8b:b2:fb:08:f0:8a:e0:9d:09:
                    c0:65:a7:fa:98:80:49:35:87:3d:51:19:e8:90:21:
                    78:45:2e:a1:9f:2c:e1:18:c2:1a:cc:c5:ee:93:49:
                    70:42:32:8f:fb:c6:ea:1c:f3:65:68:91:a2:4d:4c:
                    82:11:48:52:68:de:10:bd:14:57:5d:e8:18:13:65:
                    c5:7f:b2:4f:85:2c:48:a4:56:84:35:d6:f9:2e:9c:
                    aa:00:15:d1:37:fe:1a:06:94:c2:7c:c8:ea:1b:32:
                    e6:ca:c2:f4:a7:a3:03:0e:74:a5:af:39:b6:ab:60:
                    12:e3:e8:d6:b9:f7:31:e1:dc:ad:e4:18:a0:d8:c1:
                    23:47:47:b3:a1:0f:6e:a3:ab:6d:98:06:83:1b:b7:
                    6a:67:2d:d2:bd:44:1a:92:10:81:8f:b0:3b:09:d7:
                    c7:9b:32:5a:c2:ff:6a:60:54:8b:49:c1:93:ed:e1:
                    b4:5c:e0:6f:eb:26:f9:8c:d5:b2:f9:38:10:e6:ea:
                    ce:91:f5:be:d3:fb:6f:93:61:34:5c:bc:93:45:28:
                    83:36:2a:66:28:5f:b0:73:ce:8b:26:25:06:b2:83:
                    d4:5c:f6:15:19:4c:ed:62:e0:5e:33:f2:e8:e8:ec:
                    0a:a7:b0:03:2b:91:b2:36:79:be:f7:ad:08:1e:75:
                    a6:65:cc:bb:e3:48:50:f3:77:91:1a:fe:db:50:a2:
                    46:c8:61:58:98:f5:7c:02:16:3c:83:28:ad:39:86:
                    ec:d4:b7:0d:53:d0:f8:47:e6:75:30:8d:ec:30:93:
                    76:14:a6:5b:4b:5d:74:61:4d:3f:12:91:76:de:bf:
                    58:cb:72:10:29:41:f0:d5:c5:6d:26:76:68:11:41:
                    13:58:9a:dc:26:2b:01:f4:89:4d:59:db:78:cf:81:
                    4a:3e:40:47:5f:c9:81:50:73:85:10:23:21:59:60:
                    8a:64:54:c1:cc:21:1a:e8:38:19:7c:66:1c:cd:78:
                    38:45:30:99:4f:ff:63:4f:4c:bb:aa:0d:08:53:41:
                    7c:58:3d:47:b3:fa:b6:ec:8c:32:09:02:cc:6c:3c:
                    0c:56:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42
            X509v3 Authority Key Identifier: 
                EC:D7:E3:82:D2:71:5D:64:4C:DF:2E:67:3F:E7:BA:98:AE:1C:0F:4F
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                Code Signing
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTrustedRootG4.crl
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.3
                Policy: 2.23.140.1.4.1
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value:
        3a:23:44:3d:8d:08:76:ee:8f:bc:3a:99:d3:56:e0:02:1a:a5:
        f8:48:34:f3:2c:b6:e6:74:66:f7:94:72:b1:00:ca:af:6c:30:
        27:13:12:9e:90:44:9f:4b:fd:9e:a3:7c:26:d5:37:bc:3a:5d:
        48:6d:95:d5:3f:49:f4:27:bb:16:81:45:50:fd:9c:bd:b6:85:
        e0:76:7e:37:71:cb:22:f7:5a:aa:90:cf:f5:93:6a:e3:eb:20:
        d1:d5:50:79:88:9a:8a:8a:c1:b6:bd:a1:48:18:7e:dc:d8:80:
        1a:11:19:18:cd:61:99:81:56:f6:c9:e3:76:e7:c4:e4:1b:5f:
        43:f8:3e:94:ff:76:39:3d:9e:d4:99:cf:4a:dd:28:eb:5f:26:
        a1:95:58:48:d5:1a:fe:d7:27:3f:fd:90:d1:76:86:dd:1c:b0:
        60:5c:f3:0d:a8:ee:e0:89:a1:bd:39:e1:38:4e:da:6e:bb:36:
        9d:fb:e5:21:53:5a:c3:ca:e9:6a:f1:a2:3e:db:43:b8:33:c8:
        4f:38:14:92:99:f5:dd:ce:54:6d:d9:5d:02:14:1f:40:33:7c:
        03:e2:95:b2:c2:21:75:73:52:cb:46:d8:c4:34:1c:a2:a5:4b:
        8d:cd:6f:76:37:2c:85:3f:1a:ce:26:e9:18:be:90:07:b0:43:
        7f:95:88:20:82:70:f0:cc:ca:ef:fd:29:35:5c:1f:89:38:55:
        f7:37:8a:8b:09:a1:cb:0b:e9:31:1a:ff:2e:19:5c:39:71:e1:
        be:9c:a7:0a:06:d6:26:67:b7:92:e6:4e:5f:de:7a:ac:49:cf:
        2e:a4:74:92:ad:db:3c:a4:9c:86:1f:e3:c1:56:1b:2b:23:ff:
        8f:b5:ea:88:7b:70:6b:e6:a0:ba:fd:3a:3f:45:a6:c4:e8:16:
        91:52:8b:41:c0:48:84:4b:96:4d:ab:44:40:e3:8d:f0:15:28:
        ce:ed:f1:18:56:07:2a:2f:10:c4:0c:08:64:3c:33:8f:ae:28:
        8c:3c:cb:8f:88:0b:0d:bf:3b:f4:ce:1e:7b:8e:ef:b5:eb:cb:
        b7:f0:77:13:e6:e7:28:3f:ac:12:ae:a5:2f:22:6c:41:f9:82:
        5c:15:66:cc:6c:0e:ca:c5:86:c3:f6:26:33:0c:07:4b:a0:d3:
        07:02:6a:6a:40:30:48:4b:34:a8:51:20:bb:ad:1b:85:08:e2:
        59:0d:6d:ca:05:50:2b:ea:4a:1c:9e:a5:fd:a0:a7:1f:06:74:
        e7:f2:d6:52:90:fd:af:85:48:21:f9:57:3b:b4:9c:03:ed:86:
        45:f4:b4:61:6e:bf:68:e2:26:60:86:ea:c8:af:a9:fe:94:1d:
        e7:63:1b:3a:86:56:78:4e

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
        Validity
            Not Before: Aug  1 12:00:00 2013 GMT
            Not After : Jan 15 12:00:00 2038 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bf:e6:90:73:68:de:bb:e4:5d:4a:3c:30:22:30:
                    69:33:ec:c2:a7:25:2e:c9:21:3d:f2:8a:d8:59:c2:
                    e1:29:a7:3d:58:ab:76:9a:cd:ae:7b:1b:84:0d:c4:
                    30:1f:f3:1b:a4:38:16:eb:56:c6:97:6d:1d:ab:b2:
                    79:f2:ca:11:d2:e4:5f:d6:05:3c:52:0f:52:1f:c6:
                    9e:15:a5:7e:be:9f:a9:57:16:59:55:72:af:68:93:
                    70:c2:b2:ba:75:99:6a:73:32:94:d1:10:44:10:2e:
                    df:82:f3:07:84:e6:74:3b:6d:71:e2:2d:0c:1b:ee:
                    20:d5:c9:20:1d:63:29:2d:ce:ec:5e:4e:c8:93:f8:
                    21:61:9b:34:eb:05:c6:5e:ec:5b:1a:bc:eb:c9:cf:
                    cd:ac:34:40:5f:b1:7a:66:ee:77:c8:48:a8:66:57:
                    57:9f:54:58:8e:0c:2b:b7:4f:a7:30:d9:56:ee:ca:
                    7b:5d:e3:ad:c9:4f:5e:e5:35:e7:31:cb:da:93:5e:
                    dc:8e:8f:80:da:b6:91:98:40:90:79:c3:78:c7:b6:
                    b1:c4:b5:6a:18:38:03:10:8d:d8:d4:37:a4:2e:05:
                    7d:88:f5:82:3e:10:91:70:ab:55:82:41:32:d7:db:
                    04:73:2a:6e:91:01:7c:21:4c:d4:bc:ae:1b:03:75:
                    5d:78:66:d9:3a:31:44:9a:33:40:bf:08:d7:5a:49:
                    a4:c2:e6:a9:a0:67:dd:a4:27:bc:a1:4f:39:b5:11:
                    58:17:f7:24:5c:46:8f:64:f7:c1:69:88:76:98:76:
                    3d:59:5d:42:76:87:89:97:69:7a:48:f0:e0:a2:12:
                    1b:66:9a:74:ca:de:4b:1e:e7:0e:63:ae:e6:d4:ef:
                    92:92:3a:9e:3d:dc:00:e4:45:25:89:b6:9a:44:19:
                    2b:7e:c0:94:b4:d2:61:6d:eb:33:d9:c5:df:4b:04:
                    00:cc:7d:1c:95:c3:8f:f7:21:b2:b2:11:b7:bb:7f:
                    f2:d5:8c:70:2c:41:60:aa:b1:63:18:44:95:1a:76:
                    62:7e:f6:80:b0:fb:e8:64:a6:33:d1:89:07:e1:bd:
                    b7:e6:43:a4:18:b8:a6:77:01:e1:0f:94:0c:21:1d:
                    b2:54:29:25:89:6c:e5:0e:52:51:47:74:be:26:ac:
                    b6:41:75:de:7a:ac:5f:8d:3f:c9:bc:d3:41:11:12:
                    5b:e5:10:50:eb:31:c5:ca:72:16:22:09:df:7c:4c:
                    75:3f:63:ec:21:5f:c4:20:51:6b:6f:b1:ab:86:8b:
                    4f:c2:d6:45:5f:9d:20:fc:a1:1e:c5:c0:8f:a2:b1:
                    7e:0a:26:99:f5:e4:69:2f:98:1d:2d:f5:d9:a9:b2:
                    1d:e5:1b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                EC:D7:E3:82:D2:71:5D:64:4C:DF:2E:67:3F:E7:BA:98:AE:1C:0F:4F
    Signature Algorithm: sha384WithRSAEncryption
    Signature Value:
        bb:61:d9:7d:a9:6c:be:17:c4:91:1b:c3:a1:a2:00:8d:e3:64:
        68:0f:56:cf:77:ae:70:f9:fd:9a:4a:99:b9:c9:78:5c:0c:0c:
        5f:e4:e6:14:29:56:0b:36:49:5d:44:63:e0:ad:9c:96:18:66:
        1b:23:0d:3d:79:e9:6d:6b:d6:54:f8:d2:3c:c1:43:40:ae:1d:
        50:f5:52:fc:90:3b:bb:98:99:69:6b:c7:c1:a7:a8:68:a4:27:
        dc:9d:f9:27:ae:30:85:b9:f6:67:4d:3a:3e:8f:59:39:22:53:
        44:eb:c8:5d:03:ca:ed:50:7a:7d:62:21:0a:80:c8:73:66:d1:
        a0:05:60:5f:e8:a5:b4:a7:af:a8:f7:6d:35:9c:7c:5a:8a:d6:
        a2:38:99:f3:78:8b:f4:4d:d2:20:0b:de:04:ee:8c:9b:47:81:
        72:0d:c0:14:32:ef:30:59:2e:ae:e0:71:f2:56:e4:6a:97:6f:
        92:50:6d:96:8d:68:7a:9a:b2:36:14:7a:06:f2:24:b9:09:11:
        50:d7:08:b1:b8:89:7a:84:23:61:42:29:e5:a3:cd:a2:20:41:
        d7:d1:9c:64:d9:ea:26:a1:8b:14:d7:4c:19:b2:50:41:71:3d:
        3f:4d:70:23:86:0c:4a:dc:81:d2:cc:32:94:84:0d:08:09:97:
        1c:4f:c0:ee:6b:20:74:30:d2:e0:39:34:10:85:21:15:01:08:
        e8:55:32:de:71:49:d9:28:17:50:4d:e6:be:4d:d1:75:ac:d0:
        ca:fb:41:b8:43:a5:aa:d3:c3:05:44:4f:2c:36:9b:e2:fa:e2:
        45:b8:23:53:6c:06:6f:67:55:7f:46:b5:4c:3f:6e:28:5a:79:
        26:d2:a4:a8:62:97:d2:1e:e2:ed:4a:8b:bc:1b:fd:47:4a:0d:
        df:67:66:7e:b2:5b:41:d0:3b:e4:f4:3b:f4:04:63:e9:ef:c2:
        54:00:51:a0:8a:2a:c9:ce:78:cc:d5:ea:87:04:18:b3:ce:af:
        49:88:af:f3:92:99:b6:b3:e6:61:0f:d2:85:00:e7:50:1a:e4:
        1b:95:9d:19:a1:b9:9c:b1:9b:b1:00:1e:ef:d0:0f:4f:42:6c:
        c9:0a:bc:ee:43:fa:3a:71:a5:c8:4d:26:a5:35:fd:89:5d:bc:
        85:62:1d:32:d2:a0:2b:54:ed:9a:57:c1:db:fa:10:cf:19:b7:
        8b:4a:1b:8f:01:b6:27:95:53:e8:b6:89:6d:5b:bc:68:d4:23:
        e8:8b:51:a2:56:f9:f0:a6:80:a0:d6:1e:b3:bc:0f:0f:53:75:
        29:aa:ea:13:77:e4:de:8c:81:21:ad:07:10:47:11:ad:87:3d:
        07:d1:75:bc:cf:f3:66:7e

@laanwj
Copy link
Member

laanwj commented May 26, 2022

Metadata-only diff of our cert only, before and after this PR:

--- a/01.txt	2022-05-26 15:47:38.796449649 +0200
+++ b/01.txt	2022-05-26 15:48:07.652166313 +0200
@@ -2,12 +2,12 @@
     Data:
         Version: 3 (0x2)
         Serial Number:
-            05:23:7b:0a:6d:7a:67:45:13:f6:9e:e5:03:68:e2:28
+            0a:65:6f:75:06:a5:ef:65:36:43:16:d4:4d:3d:d2:45
         Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA
+        Issuer: C = US, O = "DigiCert, Inc.", CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
         Validity
-            Not Before: May 21 00:00:00 2021 GMT
-            Not After : May 26 23:59:59 2022 GMT
+            Not Before: May 24 00:00:00 2022 GMT
+            Not After : May 29 23:59:59 2024 GMT
         Subject: C = US, ST = Delaware, L = Lewes, O = Bitcoin Core Code Signing LLC, CN = Bitcoin Core Code Signing LLC
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -16,25 +16,24 @@
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Authority Key Identifier: 
-                5A:C4:B9:7B:2A:0A:A3:A5:EA:71:03:C0:60:F9:2D:F6:65:75:0E:58
+                68:37:E0:EB:B6:3B:F8:5F:11:86:FB:FE:61:7B:08:88:65:F4:4E:42
             X509v3 Subject Key Identifier: 
-                55:22:ED:66:78:9F:10:7B:DD:F3:3D:C4:EC:0C:8B:60:DB:83:89:A3
+                BC:2A:54:E7:C3:C8:BA:87:EF:D2:41:C9:DD:3C:B4:60:32:84:CB:77
             X509v3 Key Usage: critical
                 Digital Signature
             X509v3 Extended Key Usage: 
                 Code Signing
             X509v3 CRL Distribution Points: 
                 Full Name:
-                  URI:http://crl3.digicert.com/sha2-assured-cs-g1.crl
+                  URI:http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                 Full Name:
-                  URI:http://crl4.digicert.com/sha2-assured-cs-g1.crl
+                  URI:http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
             X509v3 Certificate Policies: 
-                Policy: 2.16.840.1.114412.3.1
-                  CPS: http://www.digicert.com/CPS
                 Policy: 2.23.140.1.4.1
+                  CPS: http://www.digicert.com/CPS
             Authority Information Access: 
                 OCSP - URI:http://ocsp.digicert.com
-                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
+                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
             X509v3 Basic Constraints: critical
                 CA:FALSE
     Signature Algorithm: sha256WithRSAEncryption

@laanwj
Copy link
Member

laanwj commented May 26, 2022

ACK 7e9fe6d

I have checked the changes made here in as far as I could and they look correct to me, and to form a correct certificate chain.

@achow101
Copy link
Member Author

achow101 commented May 26, 2022

I have signed the following message (uploaded as the file transfer.txt) with both the old and new keys:

The new windows code signing key has the serial number 0a:65:6f:75:06:a5:ef:65:36:43:16:d4:4d:3d:d2:45
SHA256 fingerprint 88:FC:C8:B3:97:1A:32:4C:06:8E:CF:FE:D6:9F:16:43:74:EC:AD:3B:94:54:4D:33:EE:EB:16:0D:61:10:C0:BE
and expires on May 29 23:59:59 2024 GMT.

The current block hash is 00000000000000000006ed567004da1d3fae7fc5fe5e5d5587fbba1e7884270e.

Signature with old key (uploaded as the file transfer.asc.txt):

-----BEGIN PKCS7-----
MIID0QYJKoZIhvcNAQcCoIIDwjCCA74CAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwExggOZMIIDlQIBATCBhjByMQswCQYDVQQGEwJVUzEVMBMGA1UEChMM
RGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQD
EyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBTaWduaW5nIENBAhAFI3sK
bXpnRRP2nuUDaOIoMA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzELBgkq
hkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDUyNjE0NTczMVowLwYJKoZIhvcN
AQkEMSIEIOjoYNEuna+TFv9Sy03C3FrQB4oomHsd8fipPXwMPXeYMHkGCSqGSIb3
DQEJDzFsMGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIw
CgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsO
AwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIICAHhyip1eaA+P8BFv
du4a28c3U8fRcSZa4MhssoAGM3mDt14/FPowOYljgXB4V+YhDfo7MIrWJ5sLzGy+
wnTETCxjyDDo2VyNWaeosnAFZl3v89/omcLaq/UtThzrJI8dNqWxWOJwP6L0R0kK
SYb2Z/tmsJH1EAPdCDqzRinTZXc9gbZ6iceun7QDzL+QBOnXkYTTnTO4nXPRqWOK
6NI96C/+pIu+s1i/6pjIKeRrt7YAn92kc6zl1yUejZk3T9cC46hIxDGVBv6D2AOc
06MnQ2si0BK9KtzjhAU39ZMIgCKICZlJpSeUrd854uFex8TR5zeHNOpki9vEBSqg
ZVO58abYDfIGsY/bf6EdtUIxOY0iVlcDe3oCv+WHInnaQrR7mcj8V8lrqOMM7blg
zCpEA/Gi3il2TQdZqJXWMmJ9RLqsS2Vw61j5ybdpJp6wNyNwCAr40asfDm4YGDF3
1QdLpMjoPdYLLjf6PNXJa4oQIP3CL0XJxdRQYw9ehmOv9BOLtQjd0Q+NPYro1BMt
MetXO/Y8YrYl33X3+xtpcGfH14bN90IDjivx9QRwLLcbY7xYWfWpUDy0zPsiMWrW
6os7h9beWnFWH8tcDjxsqww0sueWuuitOjFhIHxrS+S4RnbGzxRIxL+FICiY3xQh
YuM5GiJReQwppiiNj9B+k+LIG+Oz
-----END PKCS7-----

This can be verified using the following command on master (with the old code signing cert):

openssl cms -verify -in transfer.asc.txt -inform pem -purpose any -content transfer.txt -certfile contrib/windeploy/win-codesign.cert -CAfile contrib/windeploy/win-codesign.cert

Signature with new key (uploaded as the file newkey.asc.txt):

-----BEGIN PKCS7-----
MIIDxwYJKoZIhvcNAQcCoIIDuDCCA7QCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwExggOPMIIDiwIBATB9MGkxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5E
aWdpQ2VydCwgSW5jLjFBMD8GA1UEAxM4RGlnaUNlcnQgVHJ1c3RlZCBHNCBDb2Rl
IFNpZ25pbmcgUlNBNDA5NiBTSEEzODQgMjAyMSBDQTECEAplb3UGpe9lNkMW1E09
0kUwDQYJYIZIAWUDBAIBBQCggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc
BgkqhkiG9w0BCQUxDxcNMjIwNTI2MTUwMDUxWjAvBgkqhkiG9w0BCQQxIgQg6Ohg
0S6dr5MW/1LLTcLcWtAHiiiYex3x+Kk9fAw9d5gweQYJKoZIhvcNAQkPMWwwajAL
BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0D
BzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZI
hvcNAwICASgwDQYJKoZIhvcNAQEBBQAEggIALx8cLAPRGaCvhPamNaXKAquevh0M
cwUq7/6Ms50pwL919iEu7iTShyVCjhNxykZ+DlzogT3Q0L8lfKpXljL2v3Ap/OOj
C6R/0UzO3Sb0JQHrWRTJT0rlx3lN34EQjAFUIVzqU1OOlwBeS5km75Q5/rGg5IHo
XzDHPSZyYC/EfAxhMznH2xdM5M8z5Fq/qAO6BkXKl54wliD9QfU5ZOGjrOz09DAt
DBKJyoFntVj3IciKjqZGhasTsyzGph0nJth/TvOVSeHYvW4Or6lVu6Dkeg6gaPtZ
NK2vjbSfp4GmLjxrefqtYwfamFEkvUSTsuo5xfVzhLTmcXnqHHzbePx+qWMLutAF
aBlxovpUN4AJ4ltQP4O5xRJHPC9+G4eM7YfGT1D9imS9hQyGs0kkaOR3/saWs4Yc
Vj5ANi/zG8XkKTy+tq+e9Vcn5xuThopYpbes1HpD7Dnt6drrYovHSWMy6P7913om
WaDU6R6tnBs920NrVfjurQYJ51C5TblqQozawmm6yhJhga7EDofwPu/baEqS9Ey3
GfJJNeZxxG62PAQ/nX3vBPwjWFj/5Fl8fi5V8Fv4SxiEtGfDraiCLBMIK15i5hgI
iHTRVW7QLiel90DVapuknH9BLaNk+ttOZISSCHJsztWWR1po6VecTWivB8hTXWBl
9fV9ox3kR0MMod4=
-----END PKCS7-----

This can be verified using the following command on this branch (with the new code signing cert):

openssl cms -verify -in newkey.asc.txt -inform pem -purpose any -content transfer.txt -certfile contrib/windeploy/win-codesign.cert -CAfile contrib/windeploy/win-codesign.cert

fanquake
fanquake approved these changes May 27, 2022
View reviewed changes
Copy link
Member

@fanquake fanquake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 7e9fe6d - tested above with OpenSSL 3 & faketime.

@fanquake fanquake merged commit 66bb4df into bitcoin:master May 27, 2022
fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 9, 2022
@achow101 @fanquake
windeploy: Renewed windows code signing certificate
bd6d3ac 
Github-Pull: bitcoin#25201
Rebased-From: 7e9fe6d
@fanquake fanquake mentioned this pull request Jun 9, 2022
Merged
@fanquake
Copy link
Member

fanquake commented Jun 9, 2022

Backported to 23.x in #25316.

fanquake pushed a commit to fanquake/bitcoin that referenced this pull request Jun 9, 2022
@achow101 @fanquake
windeploy: Renewed windows code signing certificate
c4aacfb 
Github-Pull: bitcoin#25201
Rebased-From: 7e9fe6d
@fanquake fanquake mentioned this pull request Jun 9, 2022
Merged
@fanquake
Copy link
Member

fanquake commented Jun 9, 2022

Backported to 22.x in #25317.

laanwj added a commit that referenced this pull request Jun 10, 2022
@laanwj
Merge #25317: 22.x Backport new Windows code signing certificate
cfb0eea 
c4aacfb windeploy: Renewed windows code signing certificate (Andrew Chow)

Pull request description:

  Backports:
  - #25201

ACKs for top commit:
  LarryRuane:
    utACK c4aacfb

Tree-SHA512: cce6c85cecf0014e0b123b42e454db2123becf02f4274b1c355f69d8e7b8f77cd12af86adc251da8146b7bd3a55e9f47e3c1ed12f70c5267b3ac3283634526ec
maflcko pushed a commit that referenced this pull request Jul 8, 2022
Merge #25316: 23.x backports
a33ec8a 
4ebf6e3 p2p: always set nTime for self-advertisements (Martin Zumsande)
039ef21 tests: Use descriptor that requires both legacy and segwit (Andrew Chow)
5fd25eb tests: Calculate input weight more accurately (Andrew Chow)
bd6d3ac windeploy: Renewed windows code signing certificate (Andrew Chow)
32fa522 test: ensure createmultisig and addmultisigaddress are not returning any warning for expected cases (brunoerg)
7658055 rpc: fix inappropriate warning for address type p2sh-segwit in createmultisig and addmultisigaddress (brunoerg)

Pull request description:

  Backports:
  - #24454
  - #25201
  - #25220
  - #25314

ACKs for top commit:
  LarryRuane:
    re-utACK 4ebf6e3
  achow101:
    ACK 4ebf6e3

Tree-SHA512: add3999d0330b3442f3894fce38ad9b5adc75da7d681c949e1d052bac5520c2c6fb06eba98bfbeb4aa9a560170451d24bf00d08dddd4a3d080030ecb8ad61882
@bitcoin bitcoin locked and limited conversation to collaborators Jun 9, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@fanquake fanquake fanquake approved these changes

Assignees

No one assigned

Labels

Scripts and tools

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@achow101 @laanwj @fanquake @RandyMcMillan @DrahtBot