feat: use a self-signed windows code signing certificate instead of expired certificate #5814
The actual message (ignoring Github rendering) is:
Can be verified here https://keybase.io/verify
utACK (signature is valid and cert matches the expected one)
Sign for PR is valid; cert has valid issuer

Fingerprints also matched:
ACK
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

## Issue being fixed or feature implemented

Implement a new code-signing certificate for windows.

Previously we used a certificate issued by DigiCert, however that certificate recently expired. A renewed certificate would cost roughly $200/year at the cheapest CAs and $370/year with DigiCert. EV certificates are relatively novel types of certificates that start out with positive reputation, reducing smart screen popups for users. EV certificates start at $270/year.

As a result we had (/have) 4 options:

1. Get a new code signing certificate from a trusted CA
   - Pro: Certificate gains reputation over time in smart screen and binaries are signed
   - Pro: Shows "Verified Publisher" and "Dash Core Group Inc" on install
   - Con: Costs, feels manipulative to pay at least $600 simply for someone to sign a certificate
2. Get a new EV code signing certificate
   - Pro: Certificate starts with good reputation and gains reputation over time
   - Con: Even greater costs for a signature that says that we are from Dash Core Group
3. Continue signing with the expired certificate
   - Con: This is, it has been discovered, a terrible idea and these binaries are treated worse than unsigned binaries
4. Deliver unsigned windows binaries
   - Pro: Binary will gain reputation over time as users download it
   - Pro: Easy, is what it says on the tin
   - Con: Binaries are completely unsigned, could be tampering or corruption issues that go undetected
   - Con: Will visibly state "Unknown Publisher"
5. Deliver self-signed windows binaries
   - Pro: Binary will gain reputation over time as users download it
   - Pro: *Possibility* that certificate will gain reputation over time as users download binaries signed by it. It may also be that only certificates issued by a CA will gain reputation over time.
   - Pro: Binaries are still signed
   - Pro: Users have the option to import certificate into keychain to remove "Unknown Publisher"
   - Pro: In limited testing, install is sometimes treated better than unsigned, otherwise is treated the same
   - Con: may appear sketchy, as Root CA is not a trusted Root CA
   - Con: will display "Unknown Publisher" to most users
   - Con: greater potential uncertainty around future changes to treatment of self signing systems

Based on the above discussion and testing, the best route currently is option 5; that is what this PR implements. In the future it may make sense to move towards a codesigning certificate issued by a trusted CA.

The root certificate authority has the following information

![image](https://github.com/dashpay/dash/assets/6443210/66a90588-9bd9-4fe5-902c-04e8d1e47b6f)

with a sha256 fingerprint of `46 84 FF 27 11 D7 C8 C5 BB FA D1 55 41 B3 F0 43 77 97 AC 67 4C 32 19 AE B4 E7 15 11 1F BB 42 A0`

The code signing certificate is issued by the root CA, has a common name of "Dash Core Windows Signing" and a sha256 fingerprint of `1A 09 54 6E D3 81 E9 FC AD 62 44 32 35 40 39 FF 5F A7 30 0E 5E 03 C4 E0 96 5A 62 AA 19 2B 79 EE`. This certificate is only authorized for the purpose of code signing.

## What was done?

## How Has This Been Tested?

Multiple users installing binaries of type 1,3,4 and 5.

## Breaking Changes

This new windows signing certificate should be documented in the release notes.

## Checklist:

_Go over all the following points, and put an `x` in all the boxes that apply._

- [x] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have added or updated relevant unit/integration/functional/e2e tests
- [ ] I have made corresponding changes to the documentation
- [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
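One way for a user or release verifier to check a downloaded binary against the fingerprints published in this PR: an added example, not code from the PR or the Dash project. The binary path and the path of an exported copy of the root CA certificate are placeholders; the fingerprints are the two stated in the PR description, and the script assumes the usual .NET certificate APIs available in Windows PowerShell.

```powershell
# Added example, not code from the PR: verify a downloaded Dash Core Windows
# binary against the SHA-256 fingerprints published in the PR description.
# The two file paths are placeholders; the fingerprints are the ones the PR states.
$BinaryPath   = 'C:\Downloads\dashcore-setup.exe'   # placeholder, adjust
$RootCertPath = 'C:\Downloads\dash-core-root.cer'   # placeholder: exported root CA cert
$ExpectedLeafSha256 = '1A09546ED381E9FCAD624432354039FF5FA7300E5E03C4E0965A62AA192B79EE'
$ExpectedRootSha256 = '4684FF2711D7C8C5BBFAD15541B3F0437797AC674C3219AEB4E715111FBB42A0'
$CodeSigningEku     = '1.3.6.1.5.5.7.3.3'

# X509Certificate2.Thumbprint is SHA-1; the PR publishes SHA-256, so hash RawData directly.
function Get-CertSha256 {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Cert.RawData)
    return ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
}

# 1. The published root fingerprint pins the only root we are willing to chain to.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCertPath
if ((Get-CertSha256 $root) -ne $ExpectedRootSha256) { throw "Root CA fingerprint does not match the published one" }

# 2. The Authenticode signature must exist and cover the current file contents.
$sig = Get-AuthenticodeSignature -FilePath $BinaryPath
if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { throw "$BinaryPath is not Authenticode-signed" }
if ($sig.Status -eq 'HashMismatch') { throw "Signature does not match file contents (tampering or corruption)" }
# A self-signed chain is not expected to report 'Valid' (the root is not in the trusted
# store); steps 1, 3 and 4 are what establish trust here instead.

# 3. The signer certificate must be the published one.
$leaf = $sig.SignerCertificate
if ((Get-CertSha256 $leaf) -ne $ExpectedLeafSha256) { throw "Signer certificate fingerprint does not match the published one" }

# 4. The signer must actually chain to the pinned root (not merely share its name).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.RevocationMode    = 'NoCheck'   # a private root publishes no CRL
if (-not $chain.Build($leaf)) {
    throw ("Chain build failed: " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '))
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ((Get-CertSha256 $chainRoot) -ne $ExpectedRootSha256) { throw "Signer does not chain to the published root CA" }

# 5. The leaf is restricted to code signing, as the PR states.
$ekuExt = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekus -notcontains $CodeSigningEku) { throw "Signer certificate lacks the code-signing EKU" }

"OK: '$($leaf.Subject)' signed $BinaryPath; leaf and root fingerprints match (status: $($sig.Status))"
```

Because the root is pinned by fingerprint rather than imported into the trusted store, this check does not change how SmartScreen or the installer treat the binary; it only tells the person running it whether the file is the one the project signed.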