[Python-Dev] Python's Windows code-signing certificate

Steve Dower steve.dower at python.org
Thu Aug 10 11:51:15 EDT 2017


Just a heads-up, primarily for Marc-Andre, but letting everyone know for 
awareness.

Next time we need to renew the PSF code signing certificate used for 
Windows releases, we will need to use a different CA.

Our current certificate is from StartCom, who are losing their status as 
a trusted CA on Windows, which means any of their certificates issued 
after the 26th of September this year will be treated as invalid:

https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/

The certificate we have right now is valid through February 2019, so 
there's no urgency to change (unless we want to avoid the risk of 
"accidental certificate revocation", which is one of the reasons 
Microsoft has lost trust in StartCom). Because the revocation of the 
root CA has a start date, all of our current releases and future 
releases with the current certificate will be fine.

Since this will likely harm StartCom's business, it's very likely that 
they will get their act together and by the time we come to renew 
they'll be acceptable again. But we probably do want to be planning 
ahead to switch CA regardless.


And for our macOS and Linux friends who may be uncertain what I'm 
referring to: this is the certificate embedded in the installer and 
every executable binary in our Windows distributions. It has nothing to 
do with GPG or the signature files you can download from python.org 
(these are still associated with my personal and completely unverified 
key, which is fine since nobody on Windows actually cares about GPG :) ).

Cheers,
Steve

