Sign EXE installers on Windows#874
Conversation
tests fail
I'm porting things from conda/conda-launchers#24, and I also need to bring the secrets over. I'll ping the team once ready, sorry for the noise.
Well, that took fewer attempts than expected 😂 Wanna take a look @isuruf? Also broader ping to @conda-forge/miniforge. Once everyone's happy with the results, I'll move the secrets to
| - name: Verify signatures (Windows) | ||
| if: startsWith(matrix.TARGET_PLATFORM, 'win-') | ||
| # && github.event_name != 'pull_request' | ||
| # && startsWith(github.ref, 'refs/tags/') | ||
| shell: pwsh | ||
| run: | | ||
| $exitCode = 0 | ||
| foreach ($executable in (Get-ChildItem "build/*.exe")) { | ||
| Write-Host "******************************************" | ||
| Write-Host $executable.Name | ||
| Write-Host "******************************************" | ||
| $sig = Get-AuthenticodeSignature -FilePath $executable.FullName | ||
| $sig | Format-List * | Out-String | Write-Host | ||
| if ($sig.Status -ne 'Valid') { | ||
| Write-Error "CRITICAL: Signature verification failed for $($executable.Name)!" | ||
| $exitCode = 1 | ||
| } | ||
| } | ||
| exit $exitCode | ||
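Review bot: with `shell: pwsh`, GitHub Actions prepends `$ErrorActionPreference = 'stop'` to the script, so the `Write-Error` for the first file whose status is not `Valid` becomes a terminating error and the loop never reaches the remaining installers; either set `$ErrorActionPreference = 'Continue'` at the top of the `run:` block or report with `Write-Host "::error::..."` and keep the final `exit $exitCode`. Two smaller points: an empty `Get-ChildItem "build/*.exe"` result skips the loop and exits 0, so a build that produced no installers passes silently, and `Status -ne 'Valid'` only checks for a trusted chain, not that the signer is the project's own certificate; comparing `$sig.SignerCertificate.Thumbprint` against the expected value would close that gap. Also, with the two `&&` conditions left commented out, this step runs on pull requests too, which is at odds with the release-only gating asked for in the discussion.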
| - name: Regenerate SHA256 files after signing (Windows) | ||
| if: startsWith(matrix.TARGET_PLATFORM, 'win-') | ||
| # && github.event_name != 'pull_request' | ||
| # && startsWith(github.ref, 'refs/tags/') | ||
| shell: pwsh | ||
| run: | | ||
| foreach ($executable in (Get-ChildItem "build/*.exe")) { | ||
| $hashObject = Get-FileHash $executable.FullName | ||
| "$($hashObject.Hash.ToLower()) $($executable.Name)" | Out-File -FilePath "$($executable.FullName).sha256" | ||
| Write-Host "SHA256($($executable.Name)): $($hashObject.Hash.ToLower())" | ||
| } |
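Review bot: the same commented-out `&&` conditions appear here, so this step also runs on pull requests and rewrites the `.sha256` files for unsigned PR builds; gating both Windows steps through one shared condition (or a job-level `if:`) keeps the two from drifting apart. Regenerating the hash after signing is the right order, since the signed binary is what gets published, but note that `Out-File` terminates the line with CRLF on Windows and the format written here is `<hash> <name>` with a single space; it is worth confirming that this matches the `.sha256` files produced for the other platforms before anyone compares them with a common tool.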
Move this code to scripts/check_signatures.ps1?
Should we do it for main too? Then the published artifacts from main can be used and also let us know if something breaks with signing before we do a release.
NumFOCUS has a limited quota for how many artifacts can be signed per month, so we should try to only use when needed. There's an option for dev certificates meant to be used in this case but I haven't checked those with Arliss yet. We can check that in the future but I don't think it should hold this back.

Edit: Scratch that, the dev certificates ("Public Trust Test") do count towards the quota, so there's nothing to gain from that. I guess we can either publish RCs first, or YOLO it with crossed fingers 😬
Sounds good. Can you undo the non windows changes and add the code to make it run on release only?
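A stand-alone version of the signature check, following the suggestion to move it into scripts/check_signatures.ps1 (added example, not code from this PR or the miniforge repository; the `-Thumbprint` parameter, the `::error` annotations and the placeholder values are assumptions). It pins the signer rather than accepting any valid chain, fails on an empty glob, and reports every installer instead of stopping at the first failure.

```powershell
# scripts/check_signatures.ps1 (hypothetical path from the review comment)
# Verifies that every installer under $BuildDir carries a valid Authenticode
# signature from the expected certificate. -Thumbprint is the SHA-1 thumbprint
# of the release signing certificate (assumed; pass it from a repository secret).
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string] $Thumbprint,
    [string] $BuildDir = 'build'
)

# GitHub's pwsh shell prepends $ErrorActionPreference = 'stop'; override it so
# one bad file does not abort the report for the rest.
$ErrorActionPreference = 'Continue'

$installers = @(Get-ChildItem -Path (Join-Path $BuildDir '*.exe') -File)
if ($installers.Count -eq 0) {
    # An empty glob must fail loudly; otherwise a build with no installers passes.
    Write-Host "::error::No installers found under $BuildDir"
    exit 1
}

$failures = 0
foreach ($exe in $installers) {
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    $signer = $sig.SignerCertificate
    $problems = @()
    if ($sig.Status -ne 'Valid') {
        $problems += "status is '$($sig.Status)' ($($sig.StatusMessage))"
    }
    # 'Valid' only proves a trusted chain; pin the signer so that a valid
    # certificate issued to someone else is still rejected. PowerShell string
    # comparison is case-insensitive, so the hex case does not matter.
    if ($null -eq $signer -or $signer.Thumbprint -ne $Thumbprint) {
        $problems += "signer thumbprint '$($signer.Thumbprint)' is not the expected certificate"
    }
    if ($problems.Count -eq 0) {
        Write-Host "OK  $($exe.Name) signed by $($signer.Subject)"
    } else {
        foreach ($p in $problems) {
            Write-Host "::error file=$($exe.Name)::$($exe.Name): $p"
        }
        $failures++
    }
}

Write-Host "$($installers.Count) installer(s) checked, $failures failure(s)"
exit ([int]($failures -gt 0))
```

Call it from the workflow step in place of the inline block (for example `pwsh scripts/check_signatures.ps1 -Thumbprint $env:SIGNING_CERT_THUMBPRINT`, with the secret name being an assumption), and gate that step with the `startsWith(github.ref, 'refs/tags/')` condition the diff currently leaves commented out so it only runs for release tags.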
(I'll let you two help on Windows. I have no opinion.)
Closes #201