Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PICARD-3002: Use Azure Trusted Signing for code signing #2557

Merged
merged 1 commit into from
Dec 6, 2024

Conversation

phw
Copy link
Member

@phw phw commented Dec 5, 2024

Summary

  • This is a…
    • Bug fix
    • Feature addition
    • Refactoring
    • Minor / simple change (like a typo)
    • Other
  • Describe this change in 1-2 sentences:

Problem

The code signing certificate for the Windows builds had expired and needed to be replaced. This also involved changing the certificate authority and modernizing the signing procedure.

Solution

Code signing has been set up using Azure Trusted Signing. This has several advantages:

  • The certificate gets automatically renewed and rotated frequently
  • No need to handle the certificate file during the CI process
  • Integration into Github Actions is easily possible using azure/trusted-signing-action
  • Much cheaper than purchasing the certificate elsewhere
  • Certificate is guaranteed to be accepted by Windows

This updates the build process to use azure/trusted-signing-action. As a lot of the Windows build code was dealing with certificate handling and code signing this also simplifies the code.

I have also updated the documentation at https://github.com/phw/picard-code-signing (access is restricted, but @zas has access).

The necessary client secrets AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_ENDPOINT, AZURE_CODE_SIGNING_NAME and AZURE_CERT_PROFILE_NAME are all configured.

Actions

Once this has been merged and backported to 2.x the secrets CODESIGN_P12_URL and CODESIGN_P12_PASSWORD can be removed from the repo, together with the P12 certificate file on the storage.

Update: Already done, code signing wasn't functional anyway and without the variables it isn't performed.

@phw phw requested a review from zas December 5, 2024 20:40
@phw phw force-pushed the PICARD-3002-windows-trusted-signing branch 2 times, most recently from a3e74c8 to 07f2b2c Compare December 6, 2024 07:32
@phw phw added the Picard 3.x label Dec 6, 2024
@phw phw force-pushed the PICARD-3002-windows-trusted-signing branch from 07f2b2c to 303950f Compare December 6, 2024 07:44
Copy link
Collaborator

@zas zas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@phw phw merged commit fed0f4f into metabrainz:master Dec 6, 2024
43 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants