Signed Windows Installer #6826
Replies: 10 comments 18 replies
-
Does this only impact the .exe installer, or will all Win32 binaries (like the portable zips
-
Have you looked into https://signpath.org/?
-
Why can't your GHA reach out to your device via a proxy service you run and enable only when you're about to make releases, then disable when you're done making releases?
-
I use Azure Key Vault with a certificate issued by GlobalSign (EV code signing certificate), and then use AzureSignTool https://github.com/vcsjones/AzureSignTool to fetch the certificate and sign the file in GitHub Actions.
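The setup described in the comment above, as an added example that is not ImageMagick's own workflow or AzureSignTool's documentation: a PowerShell step for a GitHub Actions job that signs a build artifact through Azure Key Vault (so the private key never leaves the vault) and then verifies the resulting Authenticode signature before the artifact is published. The Key Vault URL, the certificate name, the secret names, the artifact path and the expected certificate subject are hypothetical and would be replaced with the project's own values; the AzureSignTool options shown are the tool's real long-form flags.

```powershell
# Added example (not ImageMagick's workflow): sign a Windows binary from a GitHub Actions
# job with AzureSignTool, using a certificate held in Azure Key Vault, then verify the
# signature before publishing. Secret and variable names below are hypothetical.
$ErrorActionPreference = 'Stop'

$artifact = 'dist\ImageMagick-installer.exe'   # hypothetical path to the unsigned build output

# Install the tool as a global .NET tool (pin a version in a real workflow).
dotnet tool install --global AzureSignTool

# Sign. The private key stays in Key Vault; the tool sends the digest to the vault and
# receives the signature back, so no .pfx with a private key is ever exported to the runner.
AzureSignTool sign `
  --azure-key-vault-url            $env:AZURE_KEY_VAULT_URL `
  --azure-key-vault-client-id      $env:AZURE_CLIENT_ID `
  --azure-key-vault-client-secret  $env:AZURE_CLIENT_SECRET `
  --azure-key-vault-tenant-id      $env:AZURE_TENANT_ID `
  --azure-key-vault-certificate    $env:AZURE_CERT_NAME `
  --timestamp-rfc3161 http://timestamp.digicert.com `
  --timestamp-digest sha256 `
  --file-digest sha256 `
  --verbose `
  $artifact

if ($LASTEXITCODE -ne 0) { throw "AzureSignTool failed with exit code $LASTEXITCODE" }

# Verify before publishing: the signature must chain to a trusted root on the runner,
# and the signer must be the expected publisher, not merely "some valid certificate".
$sig = Get-AuthenticodeSignature -FilePath $artifact
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
$expectedSubject = 'CN=Example Publisher'   # hypothetical; use the real certificate subject
if ($sig.SignerCertificate.Subject -notlike "$expectedSubject*") {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}
# An RFC 3161 timestamp keeps the signature verifiable after the certificate itself
# expires, which matters for the one-year certificates discussed in this thread.
if (-not $sig.TimeStamperCertificate) {
    throw 'Binary is signed but not timestamped'
}
Write-Host "Signed and verified: $artifact"
```

The same `Get-AuthenticodeSignature` check is what a consumer of the installer can run locally before installing it: a `Valid` status plus the expected subject is the check that distinguishes the project's release from a re-signed or unsigned copy.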
-
The Azure Key Vault supports this and it costs cents to sign builds several times a day.
-
Hey, look at this: SignPath Foundation seems to be a foundation offering free signing certificates. Unsure if it works, never tried, but it might be a path forward.
-
I don't want to hijack this discussion, but we are in the same position (archimatetool/archi#990) so I would be interested in the outcome. FWIW I have written to the SignPath foundation to ask for a free certificate for our project. I'll update if I hear back from them. |
-
Hey @dlemstra, Engineer on Azure Code Signing here, feel free to reach out if you are not getting the right traction. I'm sure the team would be stoked to unblock you on this matter and we do support GitHub Actions as well. Also adding our PM @ianjmcm
-
Have you thought about self-signing the binaries and making the public certificate available for all to install once on their machines?
-
Thanks for all the options that were offered. We decided to use Azure Code Signing and this means we are now able to sign our binaries again. You can read how easy it was to set this up here: https://github.com/dlemstra/github-stories/tree/main/2023/ImageMagick%20now%20uses%20Azure%20Code%20Signing.
-
Today our code signing certificate will expire. For many years LeaderSSL sponsored us with a code signing certificate but they are no longer able to do so. Since June of 2023 the CA/B Forum requires that OV code signing private keys be stored on a FIPS 140-2 Level 2 or Common Criteria Level EAL4+ certified device. This means we are no longer able to export our code signing certificate with its private key and use this in GitHub Actions. We would now either need to have our own GitHub agent and hardware token or use a cloud solution (e.g. DigiCert). Our preference would be to use a cloud solution that integrates with GitHub. DigiCert seems to be our only option now but a certificate there would cost $629 (tax excluded) for a single year. If your organization requires a signed installer then please consider sponsoring us with a code signing certificate. Please reach out to @dlemstra for questions or in case of a sponsorship.