This also (partially) fixes a gap in our Authenticode compliance: we now reject signer certificates that lack the codeSigning EKU. This is a superset of Authenticode's specified behavior, as we lack the context (a full chain) needed to accept some certificates that don't have the codeSigning EKU. In practice, this shouldn't be a concern: most Authenticode CAs should be issuing EE certs with this EKU.
We now use OpenSSL 3.0 or higher.
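The EKU policy described above, sketched as an added example (this is not the project's own code, which uses OpenSSL). All function names are hypothetical, the input is assumed to be a certificate's DER-encoded Extensions SEQUENCE rather than a whole certificate, and a certificate with no EKU extension at all is assumed to count as lacking codeSigning.

```python
# Added example with hypothetical names; OIDs are given as DER content octets.
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")           # 2.5.29.37
OID_CODE_SIGNING = bytes.fromhex("2b06010505070303")  # 1.3.6.1.5.5.7.3.3
OID_SERVER_AUTH = bytes.fromhex("2b06010505070301")   # 1.3.6.1.5.5.7.3.1

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def signer_allowed(extensions_der):
    """True only if an EKU extension is present and lists codeSigning."""
    tag, body, end = read_tlv(extensions_der, 0)
    if tag != 0x30 or end != len(extensions_der):
        raise ValueError("expected a single Extensions SEQUENCE")
    for _, ext in children(body):
        fields = children(ext)  # extnID, optional critical flag, extnValue
        if fields and fields[0] == (0x06, OID_EXT_KEY_USAGE):
            _, eku_seq, _ = read_tlv(fields[-1][1], 0)  # unwrap OCTET STRING
            return (0x06, OID_CODE_SIGNING) in children(eku_seq)
    return False  # assumption: no EKU extension counts as lacking codeSigning

def tlv(tag, value):  # short-form encoder, used only to build sample data
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def make_extensions(*eku_oids):
    """Constructed sample: Extensions holding one EKU extension."""
    eku = tlv(0x30, b"".join(tlv(0x06, oid) for oid in eku_oids))
    return tlv(0x30, tlv(0x30, tlv(0x06, OID_EXT_KEY_USAGE) + tlv(0x04, eku)))

# Constructed sample: Extensions with only basicConstraints (2.5.29.19), no EKU.
NO_EKU = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, b"\x30\x00")))
```
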