
cat-users - [[cat-users]] Code Signing Certificate change, macOS and iOS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: eduroam CAT Feedback <cat-users AT lists.geant.org>
  • Subject: [[cat-users]] Code Signing Certificate change, macOS and iOS
  • Date: Fri, 20 Apr 2018 09:38:29 +0200
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello,

as you know, we sign installers with an (EV) code signing certificate, to
make it appear nicely green and trusted in all the operating systems
supporting that.

On Windows, these signatures are time-stamped. On macOS and iOS
installers, they are not (the Apple mobileconfig spec doesn't allow for
that).

One of our current EV code signing certificates is going to expire soon.
We've replaced it with a new one already, and this has gone unnoticed as
it should. It is also only our backup certificate, and most installers
do not actually have a signature from this one.

However, you should be aware of a few constraints for Apple devices, in
case your installer got signed by this one anyway.

For users who have already installed our (green, verified) profile, it
will magically turn red in their "Settings" app after the expiry date of
our old signing certificate. That's because the operating system does
not have the timestamp information *when* the installer was signed - and
thus only contemplates that the cert is expired right now.

For all we know, the actual network connectivity, i.e. content of the
installed profile, is not affected, and the eduroam authentications will
continue to work as before.

Personally, I don't expect many users to regularly visit their Settings
app, but you should be prepared to answer questions about the profile
validity from the few who do.

Also, if you have downloaded installers for display on your own support
website, rather than sending users to the main CAT website, then you
should re-download the installer. You only need to do that if the
signature certificate on your copy is the one expiring on 26 Apr 2018
(12:00 GMT).

FWIW, the *primary* signing certificate will undergo the same exchange
early next year (expiring 1 Feb 2019, 12:00 GMT).

For Apple devices, this is going to be a (slight) annoyance approx.
every three years (that is the lifetime of the code signing
certificates). The only way to prevent it is a fix to the Apple
mobileconfig specs to allow signing timestamp support, which is
unfortunately outside our control.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
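
One way to check which signing certificate a locally hosted installer copy carries, and when it expires, as the message above asks site administrators to do. This is an added example, not part of the original message or of the CAT code; the function names, file names and sample data are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: classify the signing certificate of a local signed
# .mobileconfig copy. Needs only the openssl command-line tool.

# signer_status FILE [DAYS] prints "<state> <notAfter>", where state is
# expired, expiring (within DAYS, default 30) or ok; "unsigned" on failure.
signer_status() {
    days=${2:-30}
    pem=$(mktemp) || return 2
    # A signed profile is DER-encoded PKCS#7 SignedData with the payload inside.
    # -noverify skips chain validation: we only want the signer certificate.
    if ! openssl smime -verify -noverify -inform DER -in "$1" \
            -signer "$pem" -out /dev/null 2>/dev/null; then
        rm -f "$pem"
        echo "unsigned"
        return 2
    fi
    end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        state=expired
    elif ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        state=expiring
    else
        state=ok
    fi
    rm -f "$pem"
    echo "$state $end"
}

# make_sample DIR DAYS builds constructed test data: a throwaway self-signed
# certificate valid for DAYS days and a placeholder profile signed with it.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed test signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    printf '<plist version="1.0"><dict/></plist>\n' > "$1/unsigned.mobileconfig"
    openssl smime -sign -nodetach -binary -outform DER \
        -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -in "$1/unsigned.mobileconfig" -out "$1/signed.mobileconfig" 2>/dev/null
}

# Usage: sh check_profile.sh eduroam.mobileconfig [days]
if [ $# -gt 0 ]; then
    signer_status "$@"
fi
```

A copy that needs re-downloading is one whose printed notAfter matches the 26 Apr 2018 (12:00 GMT) expiry named in the message.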



