We have two certificates used for signing our client code; one for Windows and one for macOS. Both will expire next spring and need to be renewed.
The deadlines are Mar 12 for the macOS certificate, and May 22 for the Windows certificate.
Created attachment 920
Log from Apple for the latest successful notarization of tlclient
Note that there are a number of warnings regarding "hardened runtime", "binary not signed", and "secure timestamp".
Created attachment 921
Log from Apple for a failed notarization of tlclient
After updating to a new codesigning certificate the notarization step is failing. Note that the errors in the log are identical with the warnings we got in the latest successful notarization.
Signing the code works fine.
Apparently, Apple have changed their notarization prerequisites since Feb 3 2020:
The notarization problems have been moved to bug 7469.
Created attachment 925
First part of the warning on Windows - you have to press "More info"
The new certificate triggers a warning on Windows. We have seen this before; it's likely that the warning will disappear after enough people have trusted it.
Created attachment 926
The second part of the warning on Windows - after pressing "More info" it allows you to run the client
We have decided to mention the Windows certificate warning in the release notes.
Should be done now. The Windows client signature is ready for testing; however, the macOS client isn't, due to bug 7469.
> +* The ThinLinc Client for Windows has gotten a new certificate. Windows
What certificate? What is it used for? I think it is more important to mention the function here.
> + Defender SmartScreen will, during the first few weeks, show a warning
> + until this new certificate has built enough trust with Microsoft's
> + servers. (7407)
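Review bot: the sentence ending "until this new certificate has built enough trust with Microsoft's servers" tells users to expect a SmartScreen warning but gives them nothing to check before they click through it. Suggest stating what a genuine installer should show in the prompt, for example the publisher name on the signature, so that users can tell the expected warning apart from one raised by a modified download.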
A few weeks from when? Perhaps just be vague and say that SmartScreen may complain without giving any details as to when this might happen.
Relnotes are updated now.
Since bug 7469 is done, this can be fully tested now.
Release notes look good.
Both certificates are renewed (check both PEM/DER and P12 formats).
Windows accepts the client and customizer installers' signatures and the certificates look fine. I did get the SmartScreen prompt though.
macOS will be tested on bug 7469.