[python-committers] New Authenticode certificate

Steve Dower steve.dower at python.org
Thu Jan 21 11:40:15 EST 2016

(I forget exactly who to contact about the certificate, so I'm going 
slightly more broad.)

The PSF's certificate we use to sign binaries and the installer for 
Windows is a SHA-1 certificate, which has been deprecated as of the 
start of the year: http://aka.ms/sha1

Already Windows may warn about the certificate on our current and past 
releases, but because the signature is timestamped prior to 01 Jan 2016 it 
will not be blocked. However, our next releases will be blocked (with a 
bypass available) unless we update the certificate to SHA-2.

Some sources have suggested that CAs will provide a SHA-2 certificate 
for free on request.

Supporting Windows Vista and Windows Server 2008 appears to be 
complicated, according to the link I gave above. I want to test the 
effect of only signing with SHA-2 on those platforms and make a 
recommendation based on that, rather than trying to guess what will 
happen (those OSs did not block downloaded files as aggressively as 
Windows 7+).

Happy to take this off list once I know who handles this certificate.


