Create a windows code signing infrastructure for OpenJS projects #24

Open
ryanaslett opened this issue Jan 9, 2025 · 9 comments

@ryanaslett
Collaborator

Multiple projects need to have the ability to sign their binaries so that they can run directly on Windows.

Currently, Electron and NodeJS each have their own certificate, but those are extremely expensive.

Appium would also like to sign their binaries, and we're exploring a process to use the Azure trusted code signing mechanism.

@ryanaslett
Collaborator Author

Updated the support request today. Let's hope we can figure out why Azure is not sending us validation emails.

@ryanaslett
Collaborator Author

@bensternthal I'd like to investigate our side of the email deliverability. Do we have any credentials for Mailgun for openjsf.org?

There might be something catching spam at that level, preventing Microsoft from sending the validation emails.

@ryanaslett
Collaborator Author

Azure support did not respond to my support request re-open or to the information we have provided.

@ryanaslett
Collaborator Author

Azure has been responsive, and now we have some more to go on to help troubleshoot.

I've escalated this to DNSimple, hoping to find out if they are rejecting the emails from Microsoft.

@bensternthal
Contributor

  1. Azure identity is now set up
  2. Now we need to go through configuration and setup so that someone with GHA can connect to trusted signing service
  3. Once that's done we can work with folks to test

@bensternthal bensternthal moved this from In Progress to Backlog in OpenJS Infrastructure Project Board Jan 28, 2025
@bensternthal
Contributor

@ryanaslett will pair with @felixrieseberg

@bensternthal bensternthal moved this from Backlog to In Progress in OpenJS Infrastructure Project Board Mar 25, 2025
@ryanaslett
Collaborator Author

Azure Trusted Signing is now established and we can use this for both GitHub Actions signing as well as embedded within Electron-build, and we'll be able to use this for the upcoming NodeJS changes for their signing, which has about 70 days left worth of signatures.

I've handed over some secrets to the Appium developer (Jonathan Lipps) to add to his GHA workflow, and he'll let us know if there are any issues.

@bensternthal
Contributor

Blocked on @jlipps implementing and verifying this works correctly.

@ryanaslett
Collaborator Author

NodeJS is going to be using this too now.

The account and secrets are all set up.

The release machine (ci-release.nodejs.org) will distribute the secrets in the environment to the build.

The secrets are also in the secrets repository available for testing.

@StefanStojanovic should have the next steps to get this working for NodeJS.

Projects
Status: In Progress