mirror of
https://github.com/dashpay/dash.git
synced 2024-12-24 19:42:46 +01:00
feat: use a self-signed windows code signing certificate instead of e… (#5814)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ## Issue being fixed or feature implemented Implement a new code-singing certificate for windows. Previously we used a certificate issued by DigiCert, however that certificate recently expired. A renewed certificate would cost roughly $200/year at the cheapest CAs and $370/year with DigiCert. EV certificates are relatively novel types of certificates that start out with positive reputation, reducing smart screen popups for users. EV certificates start at $270/year. As a result we had (/have) 4 options: 1. Get a new code signing certificate from a trusted CA - - Pro: Certificate gains reputation over time in smart screen and binaries are signed - - Pro: Shows "Verified Publisher" and "Dash Core Group Inc" on install - - Con: Costs, feels manipulative to pay at least $600 simply for someone to sign a certificate 2. Get a new EV code signing certificate - - Pro: Certificate starts with good reputation and gains reputation over time - - Con: Even greater costs for a signature that says that we are from Dash Core Group 3. Continue signing with the expired certificate - - Con: This is, it has been discovered, a terrible idea and these binaries are treated worse than unsigned binaries 4. Deliver unsigned windows binaries - - Pro: Binary will gain reputation over time as users download it - - Pro: Easy, is what it says on the tin - - Con: Binaries are completely unsigned, could be tampering or corruption issues that go undetected - - Con: Will visibly state "Unknown Publisher" 5. Deliver self-signed windows binaries - - Pro: Binary will gain reputation over time as users download it - - Pro: *Possibility* that certificate will gain reputation over time as users download binaries signed by it. It may also be that only certificates issued by a CA will gain reputation over time. - - Pro: Binaries are still signed - - Pro: Users have the option to import certificate into keychain to remove "Unknown Publisher" - - Pro: In limited testing, install is sometimes is treated better than unsigned, otherwise is treated the same - - Con: may appear sketchy, as Root CA is not a trusted Root CA - - Con: will display "Unknown Publisher" to most users - - Con: greater potential uncertainty around future changes to treatment of self signing systems Based on the above discussion and testing, the best route currently is option 5; that is what this PR implements. In the future it may make sense to move towards a codesigning certificate issued by a trusted CA. The root certificate authority has the following information ![image](https://github.com/dashpay/dash/assets/6443210/66a90588-9bd9-4fe5-902c-04e8d1e47b6f) with a sha256 fingerprint of `46 84 FF 27 11 D7 C8 C5 BB FA D1 55 41 B3 F0 43 77 97 AC 67 4C 32 19 AE B4 E7 15 11 1F BB 42 A0` The code signing certificate is issued by the root CA, has a common name of "Dash Core Windows Signing" and a sha256 fingerprint of `1A 09 54 6E D3 81 E9 FC AD 62 44 32 35 40 39 FF 5F A7 30 0E 5E 03 C4 E0 96 5A 62 AA 19 2B 79 EE`. This certificate is only authorized for the purpose of code signing. ## What was done? ## How Has This Been Tested? Multiple users installing binaries of type 1,3,4 and 5. ## Breaking Changes This new windows signing certificate should be documented in the release notes. ## Checklist: _Go over all the following points, and put an `x` in all the boxes that apply._ - - [x] I have performed a self-review of my own code - - [ ] I have commented my code, particularly in hard-to-understand areas - - [ ] I have added or updated relevant unit/integration/functional/e2e tests - - [ ] I have made corresponding changes to the documentation - - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKVkDYuyHioH9PCArUlJ77avoeYQFAmWfAbUACgkQUlJ77avo eYTSCBAAuDEoWABdonIMs/4RaYP+DGTULltRu9CHBAqYuksXrl/4iV0r17DPSWWW L/5vLNAUTI47Tsa7R45ZPb0hR8VPMBkvxTQipKBYK7vZpwefcR4VOprEBJJ0Bl3g ZHtAVjZbcANEIAW3SlaiOgWbxWGKfDyM7gN3aNfoidMFBefbcYKEttuAGCnktWRI Y3eLMGPCpxOVB0O1nLU+pzwixAWXOeVChiK31ecFfQrF3JmUc12yiFUI+OJTogg4 0G2GMIQYHiVwclj8hSWT/yZfjcyxXdLYqkmH4Nr5mye39hRI2aUQEkmkYOy8pjcB ykKLg8JpUg/zg6GSuS6mFJnd5NHq5iSBxSRHPfR8xij1xFpmdgAaNCw4/6j9PEXB l8cfuJ7hgX3yX09L4p2E4t7MYpM8igaenAIWAK37hmKs1WADBmaj/nf6ThKhjvzI 2GR0FOzm6Is36KYvdUQJDE0g70g31SvGy+qjlcK49MtX6BvecYt+dg8AaNZ5FIn7 d1kFI4NXM6JX2WdiHMenz5d+oFYRS/P1sXjQ1wtl9HSkiZQQkEBbgiWXfh+EXjpW fNc8cej2LLCNZlhVcpffF8UaINsMTZVQsEGWGInjSi5eCs/YNrqL8XDdC/8mmZCu cNvp0QBtQ+4lpbUSdhFUdgic0MRCsdeHuYIBfvPJN9tl8McbknA= =kL6E -----END PGP SIGNATURE-----
This commit is contained in:
parent
a78c28d572
commit
a7eeda5d3f
@ -1,82 +1,29 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFNTCCBB2gAwIBAgIQC8hE/HYFbdaSbMDoQg3bdDANBgkqhkiG9w0BAQsFADBy
|
||||
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
||||
d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg
|
||||
SUQgQ29kZSBTaWduaW5nIENBMB4XDTIwMDgxMzAwMDAwMFoXDTIzMDgxODEyMDAw
|
||||
MFowcjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNj
|
||||
b3R0c2RhbGUxHTAbBgNVBAoTFERhc2ggQ29yZSBHcm91cCBJbmMuMR0wGwYDVQQD
|
||||
ExREYXNoIENvcmUgR3JvdXAgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
|
||||
AQoCggEBAJ5yx72CIbnZYYovXBg3YctSF7NEOeWqM6SDnwpLjCMXt8HKdKyte8/r
|
||||
xxNxkwAvenF34gkzyJD9wRggbrNmtgg/zaT3xa0RUC9y7uxvBRHJ9nSskbRV5Ljp
|
||||
v+KTBiekJ/M95Xt0rGYLT76OE2QvWv7fS15JJ7h0F+ReFRvUFlj2HqewTCwYqu0c
|
||||
OIKhHs8I4EEHzMkIfVEEKlzpIfGwndRPmMxrq/6RXpQlrTo9tIA10KiyhQx1sNRu
|
||||
bkWjXEw1SBK63F4Xj8ZaIdlDj3vwEE16Ltk2Nr+eX68gDwyCe9TQ2D7O4rrFEh8f
|
||||
nEp7hcY7BoLc95COYKtWhj8mnC0obBECAwEAAaOCAcUwggHBMB8GA1UdIwQYMBaA
|
||||
FFrEuXsqCqOl6nEDwGD5LfZldQ5YMB0GA1UdDgQWBBRVtnOXT2wps7EH/GWYwlg9
|
||||
XLnMxDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwdwYDVR0f
|
||||
BHAwbjA1oDOgMYYvaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItYXNzdXJl
|
||||
ZC1jcy1nMS5jcmwwNaAzoDGGL2h0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEy
|
||||
LWFzc3VyZWQtY3MtZzEuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAMBMCowKAYI
|
||||
KwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQQB
|
||||
MIGEBggrBgEFBQcBAQR4MHYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2lj
|
||||
ZXJ0LmNvbTBOBggrBgEFBQcwAoZCaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29t
|
||||
L0RpZ2lDZXJ0U0hBMkFzc3VyZWRJRENvZGVTaWduaW5nQ0EuY3J0MAwGA1UdEwEB
|
||||
/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAJ/3uaSW1E3Cp17UlHk6K9NrSYmq6h4x
|
||||
0FQYvcPc4lYZincDZKElDkClncYAl+FHVLJ2qBBuBF1PU96/PnG5iwROC707jJEs
|
||||
p8SlHfMIiiKMq/HIMAekVNBUnbnUxFZJTEX20p9kEIBBu9A1JJ6a1tYtp7fh+INr
|
||||
lLi3f0P8JNGUgWog+a/n+Icd/3tJ6fsOnrG8jCa11OGjpMegpvPvSh5YzembF0CC
|
||||
WS6tOu6DbMcceQ6pFniD5MTwiF6Ye6cSLBCwD2SUyzganIZgz5m7XXX/xfjBkLbL
|
||||
SQw/P5F1pHZCyyY+evH9Fjm7YAqwfpkVMJDp/XMaht2dxuhyCn70wgk=
|
||||
MIICMjCCAbigAwIBAgIULx0qs9qjM500eqn6THPK0KrYDI4wCgYIKoZIzj0EAwIw
|
||||
YDELMAkGA1UEBhMCVVMxHTAbBgNVBAoMFERhc2ggQ29yZSBHcm91cCBJbmMuMREw
|
||||
DwYDVQQDDAhkYXNoLm9yZzEfMB0GCSqGSIb3DQEJARYQaW5mb3NlY0BkYXNoLm9y
|
||||
ZzAeFw0yNDAxMDkyMjMwMzFaFw0yNzAxMDgyMjMwMzFaMCQxIjAgBgNVBAMMGURh
|
||||
c2ggQ29yZSBXaW5kb3dzIFNpZ25pbmcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATT
|
||||
Y9lr0wAD43uUey32F2QOeyCohNg470gWCl2tBgZwg73EKjz1FX/vPcFfdq3C7JiU
|
||||
mRkYkkVZyvcOebMVOkDbxpH5lEZRAr3f0yDc0UytDlJi2032RnZoRl5d3e9Xv4ej
|
||||
bzBtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMD
|
||||
MB0GA1UdDgQWBBR+bbN2rRZFkoX3xuTOPRSse9AWwzAfBgNVHSMEGDAWgBSIe1dn
|
||||
E+OEffr+P5AdH0enMXtqizAKBggqhkjOPQQDAgNoADBlAjEA+AO2SVgxzDmPENHl
|
||||
CS/784XSRC2MBlCwlsIdD8Jti3MNCpvmJiLpuE6HHsKOFxWPAjBlyqgJXyiM30/8
|
||||
AU0qiBlnU9LhmYu1vKbfXweuAve83XVDScaGLPuqqXFp3KTNnjs=
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0BAQsFADBl
|
||||
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
||||
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
|
||||
b3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQswCQYDVQQG
|
||||
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
|
||||
cnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBT
|
||||
aWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+NOzHH8O
|
||||
Ea9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ1DcZ17aq
|
||||
8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0sSgmuyRp
|
||||
wsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6scKKrzn/p
|
||||
fMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4TzrGdOtcT3
|
||||
jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg0A9kczye
|
||||
n6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV
|
||||
HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUHAQEEbTBr
|
||||
MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH
|
||||
MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ
|
||||
RFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj
|
||||
ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6
|
||||
Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmww
|
||||
TwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
|
||||
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYEFFrEuXsq
|
||||
CqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgP
|
||||
MA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06GsTvMGHX
|
||||
fgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5jDhNLrddf
|
||||
RHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgCPC6Ro8Al
|
||||
EeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIysjaKJAL+
|
||||
L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4GbT8aTEAb8
|
||||
B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHv
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
|
||||
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
||||
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
|
||||
b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
|
||||
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
|
||||
cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
|
||||
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
|
||||
JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
|
||||
mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
|
||||
wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
|
||||
VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
|
||||
AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
|
||||
AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
|
||||
BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
|
||||
pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
|
||||
dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
|
||||
fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
|
||||
NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
|
||||
H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
|
||||
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
|
||||
MIICUjCCAdigAwIBAgIULvyU04rzSQ7PGNSHxiNPkIWTg5cwCgYIKoZIzj0EAwIw
|
||||
YDELMAkGA1UEBhMCVVMxHTAbBgNVBAoMFERhc2ggQ29yZSBHcm91cCBJbmMuMREw
|
||||
DwYDVQQDDAhkYXNoLm9yZzEfMB0GCSqGSIb3DQEJARYQaW5mb3NlY0BkYXNoLm9y
|
||||
ZzAeFw0yNDAxMDkyMjI1NTJaFw0zNDAxMDYyMjI1NTJaMGAxCzAJBgNVBAYTAlVT
|
||||
MR0wGwYDVQQKDBREYXNoIENvcmUgR3JvdXAgSW5jLjERMA8GA1UEAwwIZGFzaC5v
|
||||
cmcxHzAdBgkqhkiG9w0BCQEWEGluZm9zZWNAZGFzaC5vcmcwdjAQBgcqhkjOPQIB
|
||||
BgUrgQQAIgNiAAS5flHJXHF2pcjC/S9tDdkyek+ekF9e4OTb0Jl43Z+utNBCYXTH
|
||||
82wwh+lfZbRBNjBd1id8+49hU8qX3e0mYWNOc/c+7iqOMQh1OvV/C/Lee/aCc8BN
|
||||
ghSJEVyCc++cc2SjUzBRMB0GA1UdDgQWBBSIe1dnE+OEffr+P5AdH0enMXtqizAf
|
||||
BgNVHSMEGDAWgBSIe1dnE+OEffr+P5AdH0enMXtqizAPBgNVHRMBAf8EBTADAQH/
|
||||
MAoGCCqGSM49BAMCA2gAMGUCMGrul4xW1uNXQhbXnJOWNDjnFWFHhPHM8vG7/upg
|
||||
Ao6zeffQT9TFtMeUTAf/leu/GwIxAM+n/elxROHGSp5rBr8ZYzyajRfJ/b1tlY3J
|
||||
4XDDnlfcKom9Z5npK05shbgE2fAGpg==
|
||||
-----END CERTIFICATE-----
|
||||
|
Loading…
Reference in New Issue
Block a user