Extending the validity period of a signature

[naidenav]

Hi! I have a question. I registered with the EVS service and signed my package with VMP signature. 2500 days of validity are indicated. What happens at the end of this period and how can I prevent the service from being down due to the lack of a valid signature? By the way, I re-sign with every build in Jenkins, the signature is taken from the cache as I understand it. But the build may not happen often.

[khwaaj]

The validity is based on the expiration date of the VMP certificate we are using on EVS. These all have an expiration set by Google, so they will need to be updated periodically on EVS. We are committed to always making sure there is a valid certificate on the service, although we cannot control exact expiration of a specific certificate ourselves (we are not a CA).

When the certificate expires, all signatures generated by it will be invalid. This effectively means that as long as you are producing new signed builds on a regular basis, you are safe. If you are no longer producing builds, you will eventually run into problems though. Not just because of the VMP signature, CDM updates will also stop coming to older builds eventually (I think Google is committed to a year of official support, although they often exceed this). When the older CDMs are then revoked, which happens regularly, things will break.

[naidenav]

Thank you for the answer! One more question.. Do I understand correctly that the validity period of the previous certificate will overlap the beginning of the validity period of the next one?

[khwaaj]

Yes, we want to avoid a situation where a signature is only valid for a short time, so we'll likely request new certificates when there is at least a year left on the old ones.

[naidenav]

Thanks a lot!