
Implemented code signing parameter for Azure Trusted Signing

Open madorjan opened this issue 1 year ago • 1 comments

Implemented a parameter for trusted signing as suggested here

https://github.com/velopack/velopack/issues/142

To discuss:

  • How to reference Azure.CodeSigning.Dlib? Using https://www.nuget.org/packages/Microsoft.Trusted.Signing.Client?
  • Timestamp server + algorithms configurable or hard coded?

madorjan avatar Sep 30 '24 13:09 madorjan

For loading up the Azure.CodeSigning.Dlib I think going through the NuGet package is probably simplest.

We do have code in NugetDownloader.cs which is capable of downloading a NuGet to disk already. That could be moved from Vpk project to Packaging project and used on-demand to download the Dlib package when the az trusted signing is used. We should probably just download it once / the first time it's used and cache it somewhere (maybe beside vendor folder?)

caesay avatar Oct 01 '24 12:10 caesay

Codecov Report

Attention: Patch coverage is 15.09434% with 45 lines in your changes missing coverage. Please review.

Project coverage is 39.11%. Comparing base (de0b48b) to head (55a2821).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...aging.Windows/Commands/WindowsPackCommandRunner.cs | 14.28% | 29 Missing and 1 partial :warning: |
| ...rc/vpk/Velopack.Packaging/NuGet/NuGetDownloader.cs | 0.00% | 7 Missing :warning: |
| ...rc/vpk/Velopack.Vpk/Commands/WindowsPackCommand.cs | 0.00% | 5 Missing :warning: |
| src/vpk/Velopack.Packaging.Windows/CodeSign.cs | 0.00% | 2 Missing :warning: |
| src/vpk/Velopack.Vpk/Updates/UpdateChecker.cs | 0.00% | 1 Missing :warning: |
Additional details and impacted files
@@             Coverage Diff             @@
##           develop     #249      +/-   ##
===========================================
- Coverage    47.31%   39.11%   -8.20%     
===========================================
  Files          220      219       -1     
  Lines        12946    12963      +17     
  Branches      1226     1203      -23     
===========================================
- Hits          6125     5071    -1054     
- Misses        6506     7593    +1087     
+ Partials       315      299      -16     


codecov[bot] avatar Oct 14 '24 05:10 codecov[bot]

Thanks for continuing this pull request. Unfortunately, I haven't had time recently ...

Any idea how to fix the signtool versioning issue in the long-term? Maybe we have to download the latest "Microsoft.Windows.SDK.BuildTools" via the NugetDownloader too, to ensure that we always have the latest versions of signtool.exe and dlib.dll?

madorjan avatar Oct 14 '24 06:10 madorjan

No problem, I appreciate you getting the ball rolling for this.

For the SignTool.exe that is an ongoing discussion. At least at present, the current version that is in vpk meets the minimum requirements. There are some ongoing discussions on how to best handle the versioning of these. This is just the first step to get it working. Technically Dlib still has the same versioning problem as it only downloads when the dll is not present. So for persistent systems (like dev boxes) it will only download once and won't update it again.

I think we will need to provide some mechanism to make it easy for people to "get latest" or "get version" (for both Dlib and signtool).

Keboo avatar Oct 14 '24 15:10 Keboo
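
The caching concern raised in the comment above (a presence-only check never picks up a newer Dlib), as an added example that is not code from this pull request or from Velopack: the cache is keyed by the requested version and, going one step beyond the thread, the file is checked against a pinned SHA-256 before it is used. `VersionedToolCache`, its parameters and the `download` callback are hypothetical, and the expected hash is assumed to be pinned in configuration next to the version.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example: all names are hypothetical; this is not Velopack code.
public static class VersionedToolCache
{
    // Layout: <cacheRoot>/<packageId>/<version>/<fileName>. A new pinned version
    // maps to a new path, so an older cached copy is never silently reused.
    public static string PathFor(string cacheRoot, string packageId, string version, string fileName)
    {
        if (version.Contains("..") || version.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Version must be a plain version string.", nameof(version));
        return Path.Combine(cacheRoot, packageId.ToLowerInvariant(), version, fileName);
    }

    // Returns the cached file for the pinned version. Downloads only when that version
    // is absent or the cached bytes no longer match the pinned SHA-256.
    public static string Resolve(string cacheRoot, string packageId, string version, string fileName,
        string expectedSha256Hex, Action<string, string, string> download)
    {
        string path = PathFor(cacheRoot, packageId, version, fileName);
        if (File.Exists(path) && HashMatches(path, expectedSha256Hex))
            return path; // cache hit for exactly this version

        Directory.CreateDirectory(Path.GetDirectoryName(path) ?? cacheRoot);
        string temp = path + ".tmp";
        download(packageId, version, temp); // caller-supplied fetch, e.g. a NuGet download
        if (!HashMatches(temp, expectedSha256Hex))
        {
            File.Delete(temp);
            throw new InvalidDataException(packageId + " " + version + ": SHA-256 mismatch, download rejected.");
        }
        if (File.Exists(path)) File.Delete(path); // replace a corrupted cached copy
        File.Move(temp, path);                    // publish only after verification
        return path;
    }

    private static bool HashMatches(string path, string expectedHex)
    {
        using (var sha = SHA256.Create())
        using (var stream = File.OpenRead(path))
        {
            string actual = BitConverter.ToString(sha.ComputeHash(stream)).Replace("-", "");
            return actual.Equals(expectedHex, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```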

Superseded by #330

caesay avatar Nov 07 '24 21:11 caesay