
ci: Sign Windows binaries using Digicert Keylocker #2321

Merged

Conversation

taratatach
Member

@taratatach taratatach commented Sep 26, 2023

Following changes to the international recommendations regarding code
signing certificates issuance and storage, DigiCert does not allow
simply downloading a certificate and using it to sign binaries.
Instead, we need to store it in an HSM or, as we chose, in a
cloud-based HSM such as DigiCert Keylocker.

This means we need to install tools to fetch the certificate from the
HSM prior to signing our software and also use a custom signing script
as electron-builder does not support Keylocker out of the box.

The process is split into 3 phases:

  1. download the DigiCert client and the certificate
  2. sign our binaries
  3. verify the signature

Please make sure the following boxes are checked:

  • PR is not too big
  • it improves UX & DX in some way
  • it includes unit tests matching the implementation changes
  • it includes scenarios matching a new behaviour or has been manually tested
  • it includes relevant documentation

@taratatach taratatach self-assigned this Sep 26, 2023
@taratatach taratatach force-pushed the ci/use-digicert-keylocker-to-get-code-signing-certificate branch 3 times, most recently from e88ae7c to 76ba265 Compare September 26, 2023 15:05
@taratatach taratatach force-pushed the feat/hide-realtime-behind-flag branch 2 times, most recently from e5fa6cc to 697b803 Compare September 27, 2023 16:36
Base automatically changed from feat/hide-realtime-behind-flag to master September 27, 2023 18:08
@taratatach taratatach force-pushed the ci/use-digicert-keylocker-to-get-code-signing-certificate branch 16 times, most recently from 04120b3 to 63933e7 Compare September 29, 2023 15:18
  To get access to the `signtool` version tested locally, and get
  upgrades for other pre-installed software, we bump the base image of
  our builds from `Visual Studio 2017` to `Visual Studio 2022`.
@taratatach taratatach force-pushed the ci/use-digicert-keylocker-to-get-code-signing-certificate branch 5 times, most recently from 7d2ca1e to 6672cda Compare September 29, 2023 16:47
  We used to build binaries at the end of the `scenarios` job, in an
  `after_test` block to make sure it is executed even in case the
  scenarios fail, but this means we cannot retry it by itself if it is the
  only failing part of the build.

  Using a dedicated job gives us this freedom and prevents excessive
  generations in case we have to retry the scenarios job.

  We take this opportunity to simplify the syntax to store the generated
  artifacts.
@taratatach taratatach force-pushed the ci/use-digicert-keylocker-to-get-code-signing-certificate branch from 6672cda to a351b98 Compare September 29, 2023 17:23
@taratatach taratatach changed the title WIP: ci: Sign Windows binaries using Digicert Keylocker ci: Sign Windows binaries using Digicert Keylocker Sep 29, 2023
  Following changes to the international recommendations regarding code
  signing certificates issuance and storage, DigiCert does not allow
  simply downloading a certificate and using it to sign binaries.
  Instead, we need to store it in an HSM or, as we chose, in a
  cloud-based HSM such as DigiCert Keylocker.

  This means we need to install tools to fetch the certificate from the
  HSM prior to signing our software and also use a custom signing script
  as `electron-builder` does not support Keylocker out of the box.

  The process is split into 3 phases:
  1. download the DigiCert client and the certificate
  2. sign our binaries
  3. verify the signature
@taratatach taratatach force-pushed the ci/use-digicert-keylocker-to-get-code-signing-certificate branch from a351b98 to ed3d626 Compare September 29, 2023 17:24
@taratatach taratatach marked this pull request as ready for review September 29, 2023 17:24
@taratatach taratatach merged commit 73ecd82 into master Sep 29, 2023
14 of 15 checks passed
@taratatach taratatach deleted the ci/use-digicert-keylocker-to-get-code-signing-certificate branch September 29, 2023 18:11