
New signing process for windows builds

Open humaton opened this issue 2 years ago • 4 comments

Hi,

Thanks to changes in the PKI industry, the new requirement is to store code signing certs on FIPS-compatible devices. This happened just before our certificate expired.

We have a couple of options for how to approach this, but we will need to change the build and sign process for Windows binaries.

1. Keep the process more or less the same, but some changes to the build scripts will be required to use the PKCS#11 library. I am not sure how to approach this solution; my knowledge of compiled languages is limited.

2. Move the Windows build and sign process to the AWS Windows instances; this will require some refactoring on the build side and new Ansible roles in fedora-infra. I can help here with provisioning the machine and the Ansible changes. This will use MS SignTool.

humaton avatar Sep 13 '23 09:09 humaton

Honestly, I'm completely lost here.

Can we still use osslsigncode sign, but just using PKCS#11 instead?

grulja avatar Sep 18 '23 08:09 grulja
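For reference, this is what keeping osslsigncode and moving only the private key onto a PKCS#11 token looks like. It is an added example, not code from this issue or from the MediaWriter repository: osslsigncode loads the libp11 OpenSSL engine (`-pkcs11engine`), points it at the token driver (`-pkcs11module`), and takes the key as a PKCS#11 URI while the certificate chain is still supplied as a PEM/SPC file. The engine and module paths, the token label `codesign`, the object name, the PIN file location and the timestamp URL are all assumptions for a Fedora host with libp11 and OpenSC; replace them with the values for the real token.

```shell
#!/bin/sh
# Added example, not code from the MediaWriter issue or repository: sign a
# Windows PE binary with osslsigncode while the private key stays on a
# PKCS#11 token.  Paths, token label and object name are assumptions for a
# Fedora host with libp11 and OpenSC; adjust them for the real device.
set -eu

PKCS11_ENGINE="${PKCS11_ENGINE:-/usr/lib64/engines-3/pkcs11.so}"  # libp11 engine (assumed path)
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib64/opensc-pkcs11.so}"    # token driver (assumed path)
CERT_FILE="${CERT_FILE:-codesign-chain.pem}"                      # signing cert + chain (assumed name)
TOKEN_LABEL="${TOKEN_LABEL:-codesign}"                            # assumed token label
KEY_URI="${KEY_URI:-pkcs11:token=$TOKEN_LABEL;object=codesign;type=private}"
TS_URL="${TS_URL:-http://timestamp.digicert.com}"                 # RFC 3161 timestamp server
PIN_FILE="${PIN_FILE:-/run/secrets/token-pin}"                    # PIN read from a file, never argv

# Assemble the osslsigncode command as one string so it can be reviewed
# (and asserted on) before anything touches the token.  The PIN comes from
# -readpass <file>, so it never shows up in `ps` output or CI logs.
build_sign_cmd() {
    printf '%s' "osslsigncode sign -pkcs11engine $PKCS11_ENGINE -pkcs11module $PKCS11_MODULE -certs $CERT_FILE -key '$KEY_URI' -readpass $PIN_FILE -h sha256 -ts $TS_URL -in $1 -out $2"
}

# Fail early if the token is not plugged in or the module path is wrong;
# otherwise the engine fails late with an opaque OpenSSL error.
check_token() {
    pkcs11-tool --module "$PKCS11_MODULE" --list-token-slots \
        | grep -q "token label.*$TOKEN_LABEL"
}

sign_pe() {
    in="$1"; out="$2"
    check_token
    eval "$(build_sign_cmd "$in" "$out")"
    # Verify the Authenticode signature just produced; -CAfile is needed
    # when the chain's root is not in the system trust store.
    osslsigncode verify -in "$out" -CAfile "$CERT_FILE"
}

if [ "$#" -eq 2 ]; then
    sign_pe "$1" "$2"
fi
```

Two caveats a practitioner should keep in mind: the certificate is not read from the token here, so the CA-issued chain still has to be exported to a file the build host can reach; and the OpenSSL engine interface this relies on is deprecated in OpenSSL 3, so the engine path (and whether the distro still ships libp11's engine at all) needs checking when the build image is upgraded.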

Reference for myself: Check what Podman Desktop is doing.

Link: https://github.com/containers/podman-desktop/tree/main/.github/workflows.

grulja avatar Oct 05 '23 09:10 grulja

People from Podman Desktop paid for their own certificates because it was not possible to make use of Fedora/Red Hat certificates, as there was no infrastructure for that.

It also looks like we are not alone with this problem; see the ImageMagick discussion: https://github.com/ImageMagick/ImageMagick/discussions/6826

grulja avatar Nov 01 '23 07:11 grulja