Task: Migrate Espanso project from Federico's code signing key #1928
Comments
Thank you for submitting the issue and leading the investigation! 🚀 For context, here is the link to the message in Discord where it describes what you have found: quote...
...and quote! Now, I'm completely new to code signing, so maybe this is a silly question. With my googling I found that there are "less strong" types of signatures (for example from GitHub, who doesn't sign the executable, but the package release). And Windows/Mac signatures are for verified developers who want to publish to Microsoft Store / App Store.
I'm still researching, so this could be wrong, but my understanding is that, in addition to being a requirement for the App Stores, app signing also has the following features (on both Windows and Mac):
As I mentioned, I'm still researching, so that might not all be correct, but that's my understanding so far.
Oh, that's right! I forgot about that because I use a kinda friendly VPN (for now). My guess is that probably many users use espanso to write down forms and respond to emails, which usually pollute work computers, not home computers.
I would like to help here! I spent months learning the basics of this process and eventually got a fully automated macOS signing process working for Quicksilver. I was actually brought into the QS team in large part for this exact purpose. On mobile now but will link to the relevant GitHub Actions stuff soon. The only part I didn't set up personally was the acquisition of the signing certificate itself. I know that it does cost $100 per year, and as far as I'm aware there is no way to provide a first-class experience on macOS (just downloading a dmg of a .app that runs without warnings or awkward workarounds) without paying for this certificate. If unwilling to pay for the macOS developer certificate, the next best approach IMO is using something like nix (my preference) or homebrew that effectively builds the project from source on the user's computer and then signs it locally using an "ad hoc" signature that is only valid on that specific device, but frankly this is not much better end-user experience than telling them to "just clone the repo and use cargo."
We welcome your know-how in a heavenly way! Almost everybody except Federico has null experience on signatures ❤️, we are learning by doing.
One question that I have is: is it possible to sign the code as an organization? Does that cost the same as the $100 per year license, or is it another license?
Awesome. For the big picture overview, here's the GitHub Action that does the bulk of the signing and notarization: https://github.com/quicksilver/Quicksilver/blob/main/.github/workflows/ci.yml We keep the following "Organization secrets" stored as GitHub Actions secrets, which allows the action above to access them in CI, but does a good job hiding any of their content in the build logs:
In short, the idea is to have the developer certificate content stored as a base64-encoded value, and do something like

```sh
keyfile=/tmp/key

# "belt and suspenders" delete on exit (including errors)
trap "rm -f $keyfile" EXIT

# decode into the temp file (the path must be expanded as "$keyfile",
# otherwise the key is written to a file literally named "keyfile")
echo "$CONTENT" | base64 -d > "$keyfile"

# import the key into the macOS keychain and use for signing

# delete as soon as possible
rm -f "$keyfile"
```

For your questions, I'm not much of an authority on this, as our development certificate for Quicksilver is owned by one of the other devs. AFAIK:
Thank you! That's really clear ❤️
In order to allow more timely releases, we need to migrate code signing away from Federico's private key(s) and instead switch to key(s) belonging to the project as a whole. This issue is for researching and tracking that work.