Code signing cert changes

[rvagg]

I got this today from DigiCert but don't have the time right now to figure out the impact.

Starting from May 27, 2021, 14:00 MDT (20:00 UTC), DigiCert® will require 3072-bit RSA keys or larger for code signing certificates. This change is to comply with industry standards. These new RSA key size requirements apply to the complete certificate chain: end-entity, intermediate CA, and root. Note that ECC key requirements remain unchanged.

Code signing certificates issued before May 27 require no change and will work until they expire.
After May 27, new, renewed, and reissued code signing certificates from DigiCert will automatically issue with new intermediate CAs and roots.
After May 27, all code signing certificates will require CSRs with 3072-bit or larger RSA keys. EV code signing certificates will need a new token or an HSM that supports at least 3072-bit keys. Currently most tokens and HSMs only support the smaller 2048-bit keys.

IIRC this is all about Windows Authenticode signing cert. I thought we had 4096-bit certs but 🤷. It doesn't look like this impacts us at all until renewal. I also don't know what renewal date is but I think they have a 4 year life so we're probably mid-way through our second.

We probably need better documentation about certs and expiry so we can look these things up and not have a SURPRISE EXPIRY PARTY.

[mhdawson]

I helped renew them in #2415. That was Oct 2020 so we are still in our first year. It mentions 3 years so we should be still good for over 2 years.

[richardlau]

Can confirm that the current Windows certificate is good until Mon Dec 18 13:00:00 2023 (based on x64 node.exe from 16.1.0). Also appears to be a 2048-bit CSR -- that value is also what the instructions in build/release/windows_authenticode_renewal.md in secrets says to use to generate the CSR.

Anecdote: A long time ago when IBM was building its own distribution of Node.js we signed the binaries with our own certificate and I had put in place a script that scraped the signtool verify output to check the signed binary verified and that the certificate expiry was beyond the next 6 months (may possibly have been a greater time window -- the idea was to give enough time to get a new certificate when the check failed). Ultimately we stopped producing our own binaries way before the certificate (and the test) expired.

[mhdawson]

@richardlau could you find that script, and then setup a github action that would do the check for us once a month?

[richardlau]

I'm fairly certain the script is long gone but it wouldn't be too hard to code up again. I'll see what I can do.

[mhdawson]

@richardlau do you think setting up the script is still a good idea?

[richardlau]

@mhdawson I do.

[github-actions]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.