cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
[[cat-users]] Update on the recent "invalid signature" warnings in Windows 7 and above
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: eduroam CAT Feedback <cat-users AT lists.geant.org>, martin AT mhasmo.nl, ebateman AT lsu.edu
- Subject: [[cat-users]] Update on the recent "invalid signature" warnings in Windows 7 and above
- Date: Wed, 20 Jan 2016 11:13:09 +0100
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello!
You may have noticed a few recent posts on the cat-users mailing lists
about Windows security warnings claiming that "The signature ... is
corrupt or invalid."
We have meanwhile investigated the issue, and it's quite subtle:
Microsoft has recently tightened their code signing policy - installers
which are signed with a SHA-1 code signing certificate which expires
after 01 Jan 2016 may be considered as invalid even if technically
correctly signed.
That is because SHA-1 is rapidly phased out of Windows products; not
only for web server certificates, but also for code signing. If the
signature on the executable was done after 01 Jan 2016, or if the
signing time can not be determined, the signature is rejected.
Our current code signing certificate is indeed a SHA-1 certificate. It
expires Feb 26 and was scheduled to be replaced with a SHA-256 Extended
Validation hardware token certificate at that time. The timing was in
line with earlier deprecation timings by Microsoft as far as we knew them.
The reason why we couldn't reproduce the errors is that the warning will
only be triggered under three preconditions:
* the user has installed a very recent Windows Update patch which
enforces the checks described above
* the user is using Internet Explorer for the installer download, and
opens the installer from Internet Explorer (possibly, Edge is also
affected; Firefox in any case is not)
* the file needs to be downloaded freshly from "the internet" (as
opposed to from a file share or USB stick etc.); we are not sure if
downloading from a "Trusted Site" might help.
With the replacement timeline effectively being moved to the past, we
are now urgently called to action to replace the code signing
certificate ASAP to make the warnings stop. Since we had the plans lined
up for an update in some 5 weeks from now anyway, we are in a quite good
position and aim for a maintenance action possibly as early as later today.
This maintenance is a little bit more exciting than a usual update;
simply because the corresponding code needs to deal with actual hardware
on a USB stick, which is beyond a typical PHP line of code fix; there's
actual C code involved for the interaction between the token, the OS,
and the signing process.
Rest assured that all that was tested earlier and that we do not expect
outages to the service beyond few-second interruptions during switchover
time. We also will make sure to have a rollback procedure handy; but
since a rollback will re-introduce the certificate warnings we really
hope we won't need it.
I will announce the exact maintenance timeframe here and on cat-announce
as soon as it is fixed.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
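
Added example, not part of the original message and not eduroam CAT code: a PowerShell audit that reports, for each installer in a folder, the properties the message ties to the warning (SHA-1 signing certificate, whether a timestamp is present, whether the file carries an "internet" download mark). The default folder and the use of the Zone.Identifier stream as the "downloaded from the internet" indicator are assumptions.

```powershell
# Added example: audit installers for the conditions described in the message.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumption: folder holding the installers
)

function Get-SigningReport {
    param([Parameter(Mandatory)][string]$File)

    $sig  = Get-AuthenticodeSignature -FilePath $File
    $cert = $sig.SignerCertificate

    # Assumption: "downloaded from the internet" is read from the
    # Zone.Identifier alternate data stream (ZoneId=3 is the Internet zone).
    $zone = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = [bool]($zone -match '^ZoneId=3')

    [pscustomobject]@{
        File          = Split-Path $File -Leaf
        Status        = $sig.Status
        CertAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        CertNotAfter  = if ($cert) { $cert.NotAfter } else { $null }
        # True when the signing certificate itself is SHA-1 signed (e.g. sha1RSA).
        Sha1Cert      = [bool]($cert -and $cert.SignatureAlgorithm.FriendlyName -match '^sha1')
        # False means no timestamp countersignature, i.e. the signing time
        # cannot be determined. The cmdlet does not expose the signing time
        # itself, so a timestamped SHA-1 file still needs a manual date check.
        Timestamped   = [bool]$sig.TimeStamperCertificate
        FromInternet  = $fromInternet
    }
}

# List SHA-1 signed files first; unsigned files show an empty CertAlgorithm.
Get-ChildItem -LiteralPath $Path -Filter *.exe -File |
    ForEach-Object { Get-SigningReport -File $_.FullName } |
    Sort-Object Sha1Cert -Descending |
    Format-Table -AutoSize
```

Rows with Sha1Cert true and Timestamped false match the "signing time can not be determined" case from the message; FromInternet shows which copies would be subject to the download check.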