talos
digitally sign Windows downloads of talosctl
Feature Request
Digitally sign the talosctl executable for Windows to help build reputation, so SmartScreen and similar download screening can build reputation around a SideroLabs signing certificate instead of the current state of treating the downloads independently, which means new versions have no reputation and get treated as suspicious and made hard to download in the browser.
Description
Frequently talosctl downloads will trigger initial SmartScreen blocking.
Omnictl has similar issues and a feature request was opened for it as well.
We plan on doing this at some point, as we're getting the Chocolatey repo transferred to siderolabs so we can properly release it in that repo.
A helpful walkthrough on how we can do it with GitHub CI
https://federicoterzi.com/blog/automatic-codesigning-on-windows-using-github-actions/
@rothgar I got properties added to the omnictl Windows binary with the bulk of the change in Dockerfile. Since Dockerfile is generated though, I need to figure out the kres stuff and figure out where/how to adjust that. I'm sure similar adjustment would be needed for the signing too. That's in pull request draft https://github.com/siderolabs/omni/pull/667
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.
Still applicable.
This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.
Still applicable.