
Sign EXE installers on Windows #874

Merged: jaimergp merged 9 commits into main from sign-windows on May 11, 2026

Conversation

@jaimergp (Member) commented May 8, 2026

Closes #201

@jaimergp jaimergp requested a review from a team as a code owner May 8, 2026 16:27
@isuruf (Member) commented May 8, 2026

tests fail

@jaimergp (Member, Author) commented May 8, 2026

> tests fail

I'm porting things from conda/conda-launchers#24, and I also need to bring the secrets over. I'll ping the team once ready, sorry for the noise.

@jaimergp (Member, Author) commented May 8, 2026

Well, that took fewer attempts than expected 😂 Wanna take a look @isuruf? Also broader ping to @conda-forge/miniforge.

Once everyone's happy with the results, I'll move the secrets to conda-forge/infrastructure, reenable the other CI entries and enable the signing pipeline only for releases.

Comment thread on .github/workflows/ci.yml (outdated), lines +176 to +206:
- name: Verify signatures (Windows)
if: startsWith(matrix.TARGET_PLATFORM, 'win-')
# && github.event_name != 'pull_request'
# && startsWith(github.ref, 'refs/tags/')
shell: pwsh
run: |
$exitCode = 0
foreach ($executable in (Get-ChildItem "build/*.exe")) {
Write-Host "******************************************"
Write-Host $executable.Name
Write-Host "******************************************"
$sig = Get-AuthenticodeSignature -FilePath $executable.FullName
$sig | Format-List * | Out-String | Write-Host
if ($sig.Status -ne 'Valid') {
Write-Error "CRITICAL: Signature verification failed for $($executable.Name)!"
$exitCode = 1
}
}
exit $exitCode

- name: Regenerate SHA256 files after signing (Windows)
if: startsWith(matrix.TARGET_PLATFORM, 'win-')
# && github.event_name != 'pull_request'
# && startsWith(github.ref, 'refs/tags/')
shell: pwsh
run: |
foreach ($executable in (Get-ChildItem "build/*.exe")) {
$hashObject = Get-FileHash $executable.FullName
"$($hashObject.Hash.ToLower()) $($executable.Name)" | Out-File -FilePath "$($executable.FullName).sha256"
Write-Host "SHA256($($executable.Name)): $($hashObject.Hash.ToLower())"
}
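Review bot: the check `if ($sig.Status -ne 'Valid')` in the "Verify signatures (Windows)" step only confirms that the signature chains to some trusted root; it does not confirm that the installer was signed with the project's certificate, so a binary signed by any trusted publisher would pass. Suggest also comparing `$sig.SignerCertificate.Subject` (or `.Thumbprint`) against the expected signer and failing on a mismatch. Separately, `Get-ChildItem "build/*.exe"` matching nothing leaves the loop body unexecuted and the step exits 0; counting the matched files and failing when the count is zero would keep an empty or misnamed build directory from passing as "all signatures valid".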

Review comment (Member):

Move this code to scripts/check_signatures.ps1 ?

Reply (Member, Author):

See 3c909d7

@isuruf (Member) commented May 8, 2026

> enable the signing pipeline only for releases.

Should we do it for main too? Then the published artifacts from main can be used and also let us know if something breaks with signing before we do a release.

@jaimergp (Member, Author) commented May 8, 2026

> Should we do it for main too?

NumFOCUS has a limited quota for how many artifacts can be signed per month, so we should try to only use it when needed. There's an option for dev certificates meant to be used in this case, but I haven't checked those with Arliss yet. We can check that in the future, but I don't think it should hold this back.

Edit: Scratch that, the dev certificates ("Public Trust Test") do count towards the quota, so there's nothing to gain from that. I guess we can either publish RCs first, or YOLO it with crossed fingers 😬

jaimergp mentioned this pull request May 8, 2026
@isuruf (Member) commented May 8, 2026

Sounds good. Can you undo the non-Windows changes and add the code to make it run on release only?

@hmaarrfk (Contributor) commented May 9, 2026

(I'll let you two help on Windows. I have no opinion.)

@jaimergp jaimergp merged commit ab2e73c into main May 11, 2026
16 checks passed
@jaimergp jaimergp deleted the sign-windows branch May 11, 2026 08:32


3 participants