Your DigiCert Code Signing certificate expires in 90 days

[richardlau]

The code signing certificate we use for Windows (obtained in 2020) is expiring on 18 December 2023. We've now got a reminder email through to the accounts email alias from DigiCert.

We'd need to go through the OpenJS Foundation for payment (cc @bensternthal). This might be a good opportunity to hand this bit (the certificate ownership/renewal) over to the Linux Foundation as part of the longer term discussions around the Sovereign Tech Fund initiative.

If we continue with DigiCert, we need to be aware of (based on what we're currently doing):

• [DigiCert] 2FA will be turned on for your account #3453 -- I've not signed into the account and am not sure anyone else has. We'd need to set up 2FA and add the necessary details to the secrets repo.
• Code signing cert changes #2646 -- we'll need to use a larger key size (our instructions in the secrets repo say to use a 2048-bit RSA key size but the DigiCert notification in Code signing cert changes #2646 says renewals will need to use a larger one).
• I wasn't involved last time, but it sounded like there was some verification process involving DigiCert calling a Foundation number.

Once we have a new signing certificate we'd need to install it on all of the Windows release machines (cc @StefanStojanovic ).

[rvagg]

This is always a painful one, thankfully it renews infrequently; if you need help getting this over the line I can try and dig up memories of how it goes down. Authenticode certificates require more KYC than most of the certs we manage, so there's hoops to jump through. I don't recall if it's easier for a renewal but I suspect not.

[StefanStojanovic]

I'm available to deploy certificates when we get them. When is that expected to happen?

[bensternthal]

I am currently working to get the OpenJS account approved/verified with digicert. It does involve a phone call and is a pain :) I hope to have it done this week.

Once that is complete I'd like to purchase the new cert with @rvagg or someone similar on a call. Basically, I screen share, and we ensure I do everything correctly.

[mhdawson]

@bensternthal. @richardlau and I discussed today. Let us know once you have the account approved/verified and then the two of us will set up a call with you to go through and do the purchase.

[bensternthal]

Ok after two phone calls I was finally able to get the foundation validated. We are good to proceed. If you want to reach out via email we can work out a time to go through the purchase.

[mhdawson]

@bensternthal @richardlau sent email

[richardlau]

Certificate was purchased last week (14 November 2023). @bensternthal gave access to the DigiCert account to @StefanStojanovic.