A self-signed CA/root certificate of which the public key is injected into the application (a practice called Certificate/Public Key Pinning). Signal uses this for security reasons, and as I want to stay as close as possible to their setup, I had to implement it too.
The current self-signed CA/root certificate in "my" version of Signal expires on Mar 25th, 2024. The SSL certificate that's created for https://signal2.dennisameling.com and that uses this self-signed CA/root certificate is expiring on June 5th, 2023.
I created a new self-signed CA/root certificate that's valid until May 20th, 2028 and have just updated the Public Key Pinning so that it supports both the old and the new CA/root certificate for the time being. The Signal team did this a while ago as well to allow for a "transition period".
I will be creating a new SSL certificate for https://signal2.dennisameling.com around June 3rd, 2023 using the new root/CA certificate. Users that haven't updated their Signal Desktop arm64 version for a while will not be able to auto-update from that date moving forward.
Release v6.8.10 is the first version that supports both the old and the new root/CA certificate, so please make sure you've updated to that version.
Removing Code Signing
Code Signing certificates suddenly got ~4x more expensive for 1-year certs. I paid ~$80 dollars last year for a 1-year certificate which was okay-ish, but now such certificate will cost me ~$300 for a 1-year certificate! As a result, I decided to remove Code Signing. This only applies to Windows users.
Industry standards from the CA/B Forum now require that all code signing certificate keys be stored on a compliant hardware security module (HSM) or hardware token. As part of implementing these changes, Comodo CA has increased code signing certificate prices.
The changes below only apply to Windows users (not Linux).
New CA certificate for updates
In order for me to offer auto-updates for Signal Desktop arm64 on Windows, the following infra is required:
Removing Code Signing
Code Signing certificates suddenly got ~4x more expensive for 1-year certs. I paid ~$80 dollars last year for a 1-year certificate which was okay-ish, but now such certificate will cost me ~$300 for a 1-year certificate! As a result, I decided to remove Code Signing. This only applies to Windows users.
Quoting from Comodo's website: