[Python-Dev] Python's Windows code-signing certificate
steve.dower at python.org
Thu Aug 10 11:51:15 EDT 2017
Just a heads-up, primarily for Marc-Andre, but letting everyone know for
Next time we need to renew the PSF code signing certificate used for
Windows releases, we will need to use a different CA.
Our current certificate is from StartCom, who are losing their status as
a trusted CA on Windows, which means any of their certificates issued
after the 26th of September this year will be treated as invalid:
The certificate we have right now is valid through February 2019, so
there's no urgency to change (unless we want to avoid the risk of
"accidental certificate revocation", which is one of the reasons
Microsoft has lost trust in StartCom). Because the revocation of the
root CA has a start date, all of our current releases and future
releases with the current certificate will be fine.
Since this will likely harm StartCom's business, it's very likely that
they will get their act together and by the time we come to renew
they'll be acceptable again. But we probably do want to be planning
ahead to switch CA regardless.
And for our macOS and Linux friends who may be uncertain what I'm
referring to: this is the certificate embedded in the installer and
every executable binary in our Windows distributions. It has nothing to
do with GPG or the signature files you can download from python.org
(these are still associated with my personal and completely unverified
key, which is fine since nobody on Windows actually cares about GPG :) ).
More information about the Python-Dev