MS Store cert pinning updates by JohnMcPMS · Pull Request #5732 · microsoft/winget-cli · GitHub

JohnMcPMS
Member

@JohnMcPMS JohnMcPMS commented Sep 19, 2025

## Change

New certificate pinning guidelines/PKI allow us to pin only a trusted intermediate. This means less churn due to renewals with the Store.

Adds functionality to the pinning validation to allow partial chain definitions. This is leveraged to allow chains containing two new intermediate certificates.

The existing chains are left as is since they continue to be the current in-operation values.

## Validation

Adds new tests covering partial chain definitions, etc.
Adds a new test to warn about the remaining lifetime of pinning certificates.
Manual verification that Store source continues to function.

Microsoft Reviewers: Open in CodeFlow
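
A sketch of what matching a partial chain definition can look like, added here as an illustration and not taken from the winget-cli code base. `Cert`, `PinDefinition`, `matchesPin`, `validateChain` and `expiringPins` are hypothetical names; comparing by public-key hash and treating a partial definition as a contiguous run inside the presented chain are assumptions.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// One certificate as seen by the pin check (hypothetical model, not a winget-cli type).
struct Cert {
    std::string subject;
    std::string spkiHash;   // public-key hash; callers supply the real digest
    std::int64_t notAfter;  // expiry, seconds since the Unix epoch
};

// Pinned chain, ordered root -> leaf. partial == false: must equal the whole presented chain.
// partial == true: pins must appear as one contiguous run, so an intermediate-only pin survives leaf renewal.
struct PinDefinition {
    std::vector<Cert> pins;
    bool partial;
};

static bool samePin(const Cert& a, const Cert& b) { return a.spkiHash == b.spkiHash; }

// Call only after normal path building and trust validation has succeeded;
// pinning narrows trust, it does not replace chain validation.
bool matchesPin(const PinDefinition& def, const std::vector<Cert>& chain) {
    if (def.pins.empty() || def.pins.size() > chain.size()) return false;  // empty pin set fails closed
    if (!def.partial)
        return def.pins.size() == chain.size() &&
               std::equal(def.pins.begin(), def.pins.end(), chain.begin(), samePin);
    return std::search(chain.begin(), chain.end(),
                       def.pins.begin(), def.pins.end(), samePin) != chain.end();
}

// Accept if any configured definition matches (existing full chains plus new partial ones).
bool validateChain(const std::vector<PinDefinition>& defs, const std::vector<Cert>& chain) {
    return std::any_of(defs.begin(), defs.end(),
                       [&](const PinDefinition& d) { return matchesPin(d, chain); });
}

// Subjects of pins that expire within warnDays of now, so a test can flag them before they lapse.
std::vector<std::string> expiringPins(const std::vector<PinDefinition>& defs,
                                      std::int64_t now, int warnDays) {
    std::vector<std::string> out;
    for (const auto& d : defs)
        for (const auto& p : d.pins)
            if (p.notAfter - now < warnDays * std::int64_t{86400}) out.push_back(p.subject);
    return out;
}
```

Keeping the full-chain definitions alongside the partial one mirrors the description above: the in-operation chains keep matching while a renewed leaf under the pinned intermediate is also accepted.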

Contributor

@yao-msft yao-msft left a comment

:shipit:

@JohnMcPMS JohnMcPMS merged commit d97d07e into microsoft:master Sep 22, 2025
9 checks passed
@JohnMcPMS JohnMcPMS deleted the cert-pin branch September 22, 2025 21:28
JohnMcPMS added a commit to JohnMcPMS/winget-cli that referenced this pull request Sep 22, 2025
JohnMcPMS added a commit that referenced this pull request Sep 22, 2025
Cherry-pick #5732 to 1.11
