Help Wanted: Document how to codesign a build with your own certificates

Open matterdoc opened this issue 5 years ago • 9 comments

Context

The Mattermost Product Documentation doesn't currently include details on how to code sign a build with a user's own certificates.

Code signing is the process of digitally signing software to verify the author's identity and ensure the code hasn't been altered since it was signed. It involves creating a digital signature using a private key and a hash of the code, then attaching this signature and a digital certificate to the software.

Benefits

  • Reduces security warnings from operating systems.
  • Ensures smoother and more trustworthy installations.

Process Outline

  1. Generate a hash of the code.
  2. Sign the hash with a private key, creating a digital signature.
  3. Attach the signature and digital certificate to the software.
  4. Verification: When run, the software's signature is checked using a public key to confirm authenticity and integrity.

Documentation Request

Document how to code sign a build with your own certificates for a custom Mattermost build. Include process steps for all supported platforms, including Windows, Mac, and Linux.

Here's a step-by-step guide on how to code sign a custom Mattermost build with your own certificates for Windows, Mac, and Linux as noted below.

General note for all platforms:

Ensure you follow each operating system's guidelines and best practices for signing applications to maintain security and trustworthiness for your custom Mattermost build.

Windows

Prerequisites:

  1. Code Signing Certificate: Either purchase one from a Certificate Authority (CA) or use a self-signed certificate if appropriate.
  2. SignTool: This is part of the Windows SDK.

Steps:

  1. Install SignTool: Install the Windows SDK to get the SignTool utility.
  2. Obtain a Code Signing Certificate:
    • Purchase or create a certificate (.pfx file) via a CA.
  3. Import the Certificate:
    • Open the .pfx file and follow the steps to import it into the Windows Certificate Store.
  4. Sign the Executable:
    • Open the command prompt as Administrator.
    • Use the SignTool to sign your executable:
      signtool sign /v /s "My" /sha1 <cert hash> /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 <path-to-your-executable>
      

Mac

Prerequisites:

  1. Developer ID Application Certificate: Purchase one from Apple (requires an Apple Developer account).
  2. Xcode: Make sure you have Xcode installed.

Steps:

  1. Obtain a Code Signing Certificate:

    • Go to Apple Developer account, create a Developer ID Application certificate, and download it.
  2. Import the Certificate:

    • Double-click the certificate to import it into the Keychain.
  3. Sign the Application:

    • Use the codesign tool, which comes with Xcode, to sign your application:
      codesign --deep --force --verify --verbose --sign "Developer ID Application: Your Name (TeamID)" /path/to/your.app
      
  4. [Optional] Verify the Signature:

    • Verify the signature to ensure everything is correctly signed:
      spctl --assess --verbose=4 /path/to/your.app
      codesign -dv --verbose=4 /path/to/your.app
      

Linux

Prerequisites:

  1. GPG Key: Create a GPG key if you don't have one.
  2. GnuPG: Install GnuPG if not already installed.

Steps:

  1. Create or Import Your GPG Key:

    • If you don't already have a GPG key, create one:
      gpg --full-generate-key
      
    • Import an existing GPG key, if you have one:
      gpg --import /path/to/your-key.asc
      
  2. Sign the Package:

    • Use dpkg-sig to sign a Debian package:
      dpkg-sig --sign builder your-package.deb
      
    • Use rpmsign to sign an RPM package:
      rpmsign --addsign your-package.rpm
      
  3. Verify the Signature:

    • Verify the signature of a .deb package:
      dpkg-sig --verify your-package.deb
      
    • Verify the signature of an .rpm package:
      rpm --checksig your-package.rpm
      

Summary:

  • Windows: Use SignTool from the Windows SDK with your imported code signing certificate.
  • Mac: Use codesign and spctl tools from Xcode with your Apple Developer ID certificate.
  • Linux: Use GnuPG to create/sign with your GPG key, dpkg-sig for .deb packages, and rpmsign for .rpm packages.

matterdoc avatar Aug 27 '20 13:08 matterdoc
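
The four steps in the Process Outline above, shown end to end as an added example (not part of the original issue and not Mattermost's build tooling). It assumes the OpenSSL command-line tool is installed; the throwaway self-signed certificate, its subject name and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration: hash -> sign -> attach certificate -> verify, using OpenSSL.
# File names and the certificate subject are constructed for this demo.

# make_demo DIR: create a throwaway signing key, a self-signed certificate
# and a small sample "build" file to sign.
make_demo() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Custom Build Signer" \
        -keyout "$dir/signer.key" -out "$dir/signer.crt" 2>/dev/null
    printf 'constructed sample build artifact\n' > "$dir/app.bin"
}

# sign_build DIR: steps 1-3. Hash the file with SHA-256, sign the hash with the
# private key, and keep the detached signature next to the certificate.
sign_build() {
    dir=$1
    openssl dgst -sha256 -sign "$dir/signer.key" \
        -out "$dir/app.bin.sig" "$dir/app.bin"
}

# verify_build DIR: step 4. Take the public key from the certificate and check
# the signature over the file. Returns 0 only if the file is unmodified.
# Platform verifiers additionally validate the certificate chain against a
# trusted root; this demo does not.
verify_build() {
    dir=$1
    openssl x509 -in "$dir/signer.crt" -pubkey -noout > "$dir/signer.pub" &&
    openssl dgst -sha256 -verify "$dir/signer.pub" \
        -signature "$dir/app.bin.sig" "$dir/app.bin" >/dev/null 2>&1
}

# run_demo: report the verification result before and after tampering.
run_demo() {
    work=$(mktemp -d) || return 1
    make_demo "$work" && sign_build "$work" || { rm -rf "$work"; return 1; }
    if verify_build "$work"; then before=valid; else before=invalid; fi
    printf 'x' >> "$work/app.bin"   # simulate modification after signing
    if verify_build "$work"; then after=valid; else after=invalid; fi
    rm -rf "$work"
    echo "$before $after"
}

run_demo
```
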

I am a beginner in open source and would like to contribute to this issue. Please assign this issue.

Lorem703 avatar Oct 06 '20 15:10 Lorem703

Hi @Lorem703! Thank you for your interest in this issue. I have assigned it to you as requested. :) Please let me know if you have any questions.

justinegeffen avatar Oct 12 '20 18:10 justinegeffen

Hello, is this issue still available to work on? As I am new to open source and I would like to contribute to the documentation part of mattermost/docs. Thanks

yash2189 avatar Oct 21 '20 09:10 yash2189

Hi @yash2189. Thanks for your offer! @Lorem703, are you currently working on this? :)

justinegeffen avatar Oct 21 '20 09:10 justinegeffen

@justinegeffen Is this issue resolved or can it be taken?

yash2189 avatar Oct 28 '20 15:10 yash2189

Hi @yash2189. It has not yet been resolved so I am happy to reassign it to you and take it off @Lorem703's plate. @Lorem703, thank you for your offer to take this on. Looking forward to working with you in the future! :)

justinegeffen avatar Oct 28 '20 15:10 justinegeffen

@justinegeffen I wish to contribute to this issue post the Hacktoberfest if that is fine?

yash2189 avatar Oct 30 '20 21:10 yash2189

@Willyfrog - I'm unable to access the original Mattermost thread and context behind this docs request. Can you summarize the request here, please?

cwarnermm avatar Jan 18 '22 14:01 cwarnermm

I'm unable to access the original Mattermost thread and context

That's weird as that thread is in a public channel.

What needs to be documented is the process to codesign a build with your own certificates in case someone wants to do a custom build.

Willyfrog avatar Jan 18 '22 16:01 Willyfrog