Created attachment 110122: Screenshot showing issue
If you look at the Digital Signature Details for LibreOffice binaries after the certificate has expired, it shows that the required certificate is not within its validity period, even though the file was correctly signed before the certificate expired.
This is unusual and can lead to issues within the Windows environment (see below).
I think this is because when these binaries are signed the “Lifetime Signing” EKU is set.
You can tell this is happening by looking at Countersignatures > Timestamp, which always shows the current time (see attached screenshot).
This can cause poor performance while LibreOffice is running and, although unlikely, could potentially cause some anti-malware vendors to incorrectly classify LibreOffice binaries as malware.
(In reply to charlie.quinnpub from comment #0)
> If you look at the Digital Signature Details for LibreOffice binaries after
> a certificate has expired it shows that the required certificate is not
> within its validity period even though the file was correctly signed before
> the certificate has expired.
> I think this is because when these binaries are signed the “Lifetime
> Signing” EKU is set.
Do you have a suggestion on how we should configure the signing environment to avoid this problem?
This is more or less a WONTFIX.
Of course we cannot fix the already released builds, and not sure whether TDF will switch certificates... (nothing needs to be changed in the code though)
The problem is not a wrong way of signing; as it turns out, the certificate (we use a Class 2 code-signing certificate from StartCom) actually has a flag that limits the validity of the signature to that of the certificate (doh!)
I didn't know of that flag, so I (and I guess everyone else) assumed that timestamping the builds will take care of things..
Our certificate has 1.3.6.1.4.1.311.10.3.13 - Microsoft's OID "szOID_KP_LIFETIME_SIGNING" - defined.
We'd need an "Extended Validation" type that doesn't have that restriction (but of course also costs more)...
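The check a practitioner would want before signing with a new certificate, as an added example that is not LibreOffice/TDF code and not from anyone in this thread: decode the certificate's ExtendedKeyUsage extension, look for szOID_KP_LIFETIME_SIGNING (1.3.6.1.4.1.311.10.3.13), and model how Windows treats an Authenticode signature once the certificate expires. The OID values are Microsoft's real ones; the EKU bytes, dates and the `authenticode_verdict` policy model are constructed for illustration and assume the behaviour described above (a lifetime-signing EKU makes Windows ignore the timestamp countersignature).

```python
# Added example (not LibreOffice/TDF code): decode an ExtendedKeyUsage
# extension, check for Microsoft's szOID_KP_LIFETIME_SIGNING, and model how
# Windows treats the signature after the certificate has expired.
# The EKU bytes used in __main__ are constructed inline; on a real binary they
# come from the signer certificate's 2.5.29.37 extension.

OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"            # id-kp-codeSigning
OID_LIFETIME_SIGNING = "1.3.6.1.4.1.311.10.3.13"  # szOID_KP_LIFETIME_SIGNING


def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length, < 128 bytes)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        # base-128 big-endian; continuation bit set on every byte but the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(data, pos):
    """Read one DER TLV at pos; returns (tag, content, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def encode_eku(oids):
    """Build an ExtendedKeyUsage value: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body


def parse_eku(der):
    """Return the dotted OIDs listed in an ExtendedKeyUsage extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtendedKeyUsage entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids


def has_lifetime_signing(eku_der):
    """True if the certificate's EKU carries Microsoft's Lifetime Signing purpose."""
    return OID_LIFETIME_SIGNING in parse_eku(eku_der)


def authenticode_verdict(eku_oids, cert_not_after, signed_on, checked_on, timestamped):
    """Model (assumption, not Windows code) of the policy described in the thread.
    Dates are ISO 'YYYY-MM-DD' strings, so plain string comparison orders them."""
    if OID_CODE_SIGNING not in eku_oids:
        return "invalid: certificate not enabled for code signing"
    if signed_on > cert_not_after:
        return "invalid: signed after the certificate expired"
    if checked_on <= cert_not_after:
        return "valid: certificate still within its validity period"
    if OID_LIFETIME_SIGNING in eku_oids:
        # Lifetime Signing: the timestamp is ignored; validity ends with the cert.
        return "invalid: lifetime-signing EKU binds the signature to the certificate lifetime"
    if timestamped:
        return "valid: trusted timestamp proves signing happened before expiry"
    return "invalid: certificate expired and the signature carries no timestamp"


if __name__ == "__main__":
    # Constructed sample EKU: code signing plus lifetime signing, as described above.
    sample = encode_eku([OID_CODE_SIGNING, OID_LIFETIME_SIGNING])
    print(sample.hex())
    print(has_lifetime_signing(sample))
    print(authenticode_verdict(parse_eku(sample), "2015-03-01", "2014-06-01",
                               "2015-06-01", timestamped=True))
```

On Windows the DER for `parse_eku` can be pulled with PowerShell from `(Get-AuthenticodeSignature .\soffice.exe).SignerCertificate.Extensions`: the entry whose `Oid.Value` is `2.5.29.37` exposes the bytes in `.RawData`. Running the check on a candidate certificate before any release is signed avoids the situation in this bug, where the timestamp was applied correctly but buys nothing.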
CI-infra bugs are now tracked in Redmine: Redmine bug #1122
Closing this bug as MOVED.