Windows build fails to sign the application #4243

Open
3 tasks
marstamm opened this issue Apr 15, 2024 · 6 comments
Labels
infrastructure ready Ready to be worked on

Comments

Member

marstamm commented Apr 15, 2024

What should we do?

Update the certificates we use to sign the application during the build process. The Windows certs expired on Apr 11.

cf. https://github.com/camunda/camunda-modeler/actions/runs/8681071392

Why should we do it?

To ensure we can release the Camunda Modeler on Windows.

@barmac barmac added the ready Ready to be worked on label Apr 15, 2024
Member

nikku commented Apr 15, 2024

As part of this change we want to migrate the certificate handling over to vault (cf. https://github.com/bpmn-io/internal-docs/issues/802).

Member

nikku commented Apr 15, 2024

Reached out internally (IT) for further investigation.

Member

nikku commented Apr 22, 2024

Shared updated certificate with @marstamm; you should now be unblocked to work on this issue.

Member

nikku commented Apr 24, 2024

Cross-posting my assessment (yesterday) here:

Status update (quick check with Tim):

There are new restrictions on working with code signing certificates, effectively enabled as of June 1, 2023.
Code signing can only happen via dedicated signing APIs (similar to macOS notarization) and/or via hardware tokens.

  • We ordered a hardware token which is not usable for our cases (CI/CD-based code signing)
  • We need to investigate (ref) how to do signing on our CI using the newly enforced restrictions

Let's look into the linked material as well as the electron builder docs to figure out what we need to change.
At the moment I see the next release slightly at risk, but then again it is just a minor we can skip or postpone (for Windows).

Member Author

marstamm commented Apr 29, 2024

Summary update from internal Slack:

  • The main problem we are facing is the increased security standards for storing the private keys. We will move to a cloud-based certificate provider (DigiCert) and kicked off the purchasing process.
  • Until then and as fallback, signing is a manual step using the hardware token on a local machine

marstamm added a commit that referenced this issue Apr 29, 2024
This ensures we can build windows releases until a solution for #4243 is integrated.
barmac pushed a commit that referenced this issue Apr 29, 2024
This ensures we can build windows releases until a solution for #4243 is integrated.
Member Author

marstamm commented May 6, 2024

[Update] We disabled code signing on Windows for now. @philippfromme has the physical token for backup signing. DigiCert purchase is still in progress.
