Introduce release signing action #328
Conversation
Assists with FiloSottile#326.
|
This is great, thank you! Do you know if I need a regular or EV certificate to make Windows happy?
… On Sep 9, 2021, at 13:18, Joshua Small ***@***.***> wrote:
This action allows a fix #326.
This script detects release actions and makes no change to the process on standard push events. You can see it produced a release signed with my key here:
https://github.com/technion/age/releases/download/v2.5/age-v2.5-windows-amd64.zip
You can see here that the signature validates and the code runs on my locked down environment, with no Windows Smartscreen warnings or other difficulties:
I've run this script through Shellcheck - it complains because it doesn't understand the Github variable templating but I made sure no other significant issues were presented.
To operate this action, you will need to setup the following Github secrets for the certificate:
I wasn't able to avoid writing the certificate to disk, but I made an effort to delete it as soon as it's used, and it's never accessed in plaintext as the action is designed to require a pass key. It also obtains a timestamp signature so you could consider short term keys and produce long term accepted signatures.
You can view, comment on, or merge this pull request online at:
#328
Commit Summary
Introduce release signing action
File Changes
M .github/workflows/build.yml (15)
Patch Links:
https://github.com/FiloSottile/age/pull/328.patch
https://github.com/FiloSottile/age/pull/328.diff
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
|
|
It's my understanding the use of an EV certificate is only a requirement for applications that load as drivers. My own certificate was the cheapest one I could find online. There are unfortunately different grades of "Windows happy", if you look at this workflow: https://www.theregister.com/2020/06/05/windows_10_microsoft_defender_smartscreen/ Signing it should get it down to one blue popup, and beating that is part an AI signalled on age and and install base. Edit: Just adding code signing EV certs, as far as I'm aware, are only available with hardware tokens and thus won't be able to be used with any automated deployment unless you own the build infrastructure. |
|
Great, I think I paid and requested a certificate from some cheap reseller. I have approximately no trust in their technical competence, for example because the OrganizationUnit was mandatory and because the minimum key size was 2048 while apparently 3072 is required these days, but maybe they will get me a certificate! |
|
Many thanks for that!
|
|
I think it works! Mind trying the binaries in https://github.com/FiloSottile/age/suites/3945491495/artifacts/98935602? |
|
Looks great to me. Runs without warnings. |
|
Awesome, merged, thank you! |
This action allows a fix #326.
This script detects release actions and makes no change to the process on standard push events. You can see it produced a release signed with my key here:
https://github.com/technion/age/releases/download/v2.5/age-v2.5-windows-amd64.zip
You can see here that the signature validates and the code runs on my locked down environment, with no Windows Smartscreen warnings or other difficulties:
I've run this script through Shellcheck - it complains because it doesn't understand the Github variable templating but I made sure no other significant issues were presented.
To operate this action, you will need to setup the following Github secrets for the certificate:
I wasn't able to avoid writing the certificate to disk, but I made an effort to delete it as soon as it's used, and it's never accessed in plaintext as the action is designed to require a pass key. It also obtains a timestamp signature so you could consider short term keys and produce long term accepted signatures.