Update NVDA's Authenticode code signing certificate (#12398)

NVDA requires being signed with a trusted Authenticode code-signing certificate, so that it can access certain accessibility features on Windows such as UIAccess. The current Authenticode certificate expires in July 2021. NV access has purchased a new Authenticode certificate which expires in August 2024. Due to updated Authenticode policies, this certificate uses a 3072 bit RSA, rather than 2048 bit. This certificate has been securely encrypted by a secret (itself encrypted via our AppVeyor key). The encoded certificate replaces the older 2018 encoded certificate in this Git repository. The encryption of the certificate is also significantly stronger as it uses SHA256 instead of md5, a salt is now used, and a newer secret key derivation algorithm is now used, as recommended by openssl when decrypting the certificate in the past. A more secure time stamping server is used, again upgraded to SHA256.
nvaccess · May 18, 2021 · 0a6806a · 0a6806a
1 parent 7e6561a
commit 0a6806a
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/appveyor.yml b/appveyor.yml
@@ -12,7 +12,9 @@ branches:
 
 environment:
  PY_PYTHON: 3.7-32
- encFileKey:
+ secure_authenticode_pass:
+  secure: Way+hJyhbiLG/cmCo4+dHHzS5DiSvk/45o6frnIQ27GBX6nVDsh7jwQ7fSnqxBRP
+ secure_ssh_pass:
   secure: ekOvuyywHuDdGZmRmoj+b3jfrq39A2xlx4RD5ZUGd/8=
  mozillaSymsAuthToken:
   secure: p37Fxo78fsRdmR8v8TPz978QvVaqvbjdIBzFe8ZOpX0FUprm46rkhd374QM1CqMO
@@ -61,10 +63,19 @@ install:
  # Decrypt files.
  - ps: |
     if(!$env:APPVEYOR_PULL_REQUEST_NUMBER) {
-     openssl enc -md md5 -aes-256-cbc -d -pass pass:$env:encFileKey -in authenticode.pfx.enc -out authenticode.pfx
-     openssl enc -md md5 -aes-256-cbc -d -pass pass:$env:encFileKey -in ssh_id_rsa.enc -out ssh_id_rsa
+     openssl enc -d -md sha256 -aes-256-cbc -pbkdf2 -salt -pass pass:$env:secure_authenticode_pass -in authenticode.pfx.enc -out authenticode.pfx
+     if($LastExitCode -ne 0) {
+      $errorCode=$LastExitCode
+      Add-AppveyorMessage "Unable to decrypt authenticode certificate"
+     }
+     openssl enc -md md5 -aes-256-cbc -d -pass pass:$env:secure_ssh_pass -in ssh_id_rsa.enc -out ssh_id_rsa
+     if($LastExitCode -ne 0) {
+      $errorCode=$LastExitCode
+      Add-AppveyorMessage "Unable to decrypt ssh key"
+     }
      # Install ssh stuff.
      copy ssh_id_rsa $env:userprofile\.ssh\id_rsa
+     if ($errorCode -ne 0) { $host.SetShouldExit($errorCode) }
     }
  - type ssh_known_hosts >> %userprofile%\.ssh\known_hosts
  - cd ..

diff --git a/appveyor/authenticode.pfx.enc b/appveyor/authenticode.pfx.enc
diff --git a/sconstruct b/sconstruct
@@ -172,7 +172,7 @@ signExecCmd = ["signtool", "sign", "/fd", "SHA256", "/f", certFile]
 if certPassword:
 	signExecCmd.extend(("/p", certPassword))
 if certTimestampServer:
-	signExecCmd.extend(("/t", certTimestampServer))
+	signExecCmd.extend(("/tr", certTimestampServer, "/td", "SHA256"))
 def signExec(target,source,env):
 	print([str(x) for x in target])
 	#sys.exit(1)