Hi,
We just got an EV certificate token thingy, which certainly does not
have SHA-1. The problem is that the token makes it impossible to safely
automate the signing process. So basically we have to turn off automated
signing in openvpn-build and just sign the files we absolutely have to.
This probably boils down to
openvpn-installer-*.exe
tap-windows6 drivers
tap-windows6 installer
It would be nice to sign openvpn-gui, but then openvpn-build would have
to fetch a pre-built and signed openvpn-gui.exe instead of building and
signing it itself.
According to Microsoft documentation[*] we _could_ continue using non-EV
certs (+ automated signing) for non-driver code, but that would probably
mean paying for two certificates. I'll ask around to see if this is
indeed the case.
We decided to rekey our current non-EV certificate with SHA-2 - it will
be valid until the upcoming September. This will buy us some time to
think about our next move. So what I'll do next is:
- Sign the tap-windows6 driver with the EV-cert
- Start using the rekeyed non-EV cert for the rest of the signing
This should solve all the certificate validation issues we currently
have on Windows.
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
