PICARD-3002: Use Azure Trusted Signing for code signing #2557
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Problem
The code signing certificate for the Windows builds had expired and needed to be replaced. This also involved changing the certificate authority and modernizing the signing procedure.
Solution
Code signing has been set up using Azure Trusted Signing. This has several advantages:
This updates the build process to use azure/trusted-signing-action. As a lot of the Windows build code was dealing with certificate handling and code signing this also simplifies the code.
I have also updated the documentation at https://github.com/phw/picard-code-signing (access is restricted, but @zas has access).
The necessary client secrets
AZURE_CLIENT_ID
,AZURE_TENANT_ID
,AZURE_CLIENT_SECRET
,AZURE_ENDPOINT
,AZURE_CODE_SIGNING_NAME
andAZURE_CERT_PROFILE_NAME
are all configured.Actions
Once this has been merged and backported to 2.x the secretsCODESIGN_P12_URL
andCODESIGN_P12_PASSWORD
can be removed from the repo, together with the P12 certificate file on the storage.Update: Already done, code signing wasn't functional anyway and without the variables it isn't performed.