Hi,

We just got an EV certificate token thingy, which certainly does not have SHA-1. The problem is that the token makes it impossible to safely automate the signing process. So basically we have to turn off automated signing in openvpn-build and just sign the files we absolutely have to. This probably boils down to

openvpn-installer-*.exe
tap-windows6 drivers
tap-windows6 installer

It would be nice to sign openvpn-gui, but then openvpn-build would have to fetch a pre-built and signed openvpn-gui.exe instead of building and signing it itself.

According to Microsoft documentation[*] we _could_ continue using non-EV certs (+ automated signing) for non-driver code, but that would probably mean paying for two certificates. I'll ask around to see if this is indeed the case.

I'm not entirely sure all this "increases security" which Microsoft claims to be the goal of EV certs. Currently we sign every single library and binary we distribute (including OpenSSL, LZO, etc) already, and soon we can only sign a subset.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[*] <https://msdn.microsoft.com/en-us/library/windows/hardware/hh801887%28v=vs.85%29.aspx>

We sign our software here. Actually it works like SHA-2 sign + SHA-1
timestamp.
We use "signtool" for that. I'll have a look at how to do that with the
openvpn release system.

2016-02-15 14:05 GMT+05:00 Samuli Seppänen <sam...@openvpn.net>:

    > I presume you are aware but just in case
    > microsoft no more SHA1 authenticode
    >
    >https://forums.openvpn.net/topic20987.html

    Hi,

    This was not entirely unexpected. I'll try to get this fixed this week
    and then release new installers. I suppose Microsoft has finally fixed
    Windows 7 so that it can handle SHA-2.

    Thanks!

    --
    Samuli Seppänen
    Community Manager
    OpenVPN Technologies, Inc

    irc freenode net: mattock

    