Codechange: [CI] Use Azure Code Signing for Windows build #12292
Conversation
As if by magic, MS have just sent an invitation to a call next week where they are announcing a Public Preview, plus pricing details and so on. I'll hopefully be able to attend and find out more then.
Looking good! Some minor stuff to tidy things up a bit :)
Owh, and we should definitely wait for the pricing announcement, just so we know what we are getting ourselves into :)
Force-pushed from 901a11f to 42f64af.
Looking good! One minor thing :)
os/windows/sign_azure.ps1 (outdated)

Original:
    "The required environment variables have not been set up. Please check the script source for details."
    "Skipping signing."

Suggested change:
    "Codesigning variables not found; most likely running in a fork. Skipping signing."
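Review bot: the suggested single-line message drops the one hint the original two lines gave a fork maintainer, namely "Please check the script source for details", which is how they would find out which variables need to be set to enable signing. Consider keeping that pointer in the shortened message, e.g. `"Codesigning variables not found; most likely running in a fork. Skipping signing (see script source for the required variables)."`, so that someone who does want to sign their fork is not left guessing.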
Force-pushed from 42f64af to 7ef1495.
For the historical record, I attended a meeting with Microsoft today regarding the public preview and eventual production release of the Azure Code Signing service. This included information on pricing, and while I don't know that I'm at liberty to share that information at this time, I can confirm that it should be quite affordable for us (and certainly cheaper than an EV code signing certificate and so on).
Motivation / Problem
Our current code signing certificate is due for renewal in a few months, and due to recent policy changes by the Certificate Authority cabal, you now need to store a certificate on a pricey hardware dongle or a certified HSM vault. For something compatible with GitHub Actions, we'd probably need to use an Azure HSM vault, but would still need to pay several hundred GBP per year for a certificate, a considerable increase compared with what we've got just now.
However, the good folks at ImageMagick alerted me to a preview programme Microsoft is running, called Azure Code Signing. This offers a more Mac-like solution, with Microsoft providing a code signing certificate. I applied for us to join their preview programme, and was accepted. Currently, the preview is free; it's not yet clear when this will become generally available or what pricing may be involved, but one would hope it'll be considerably cheaper than the alternatives.
Description
This PR adds support for Azure Code Signing to the build process. To keep things fairly simple, I've created a sign_azure.bat script that acts as an alternative for sign.bat (which is called within the CMake process). Microsoft does offer a GitHub Action for Azure Code Signing, but that would involve a bit more surgery. (If we'd rather do things that way, however, it's certainly possible.) CMake will choose which code signing method to use based upon which environment variables are defined, as somebody might want to fork OpenTTD and sign it with a traditional certificate perhaps.

The actual code signing is performed via a PowerShell script. Microsoft takes a checksum of the binary, uploads it to Azure, where a signature is generated and returned (so the binaries themselves are not transferred). We don't get access to the actual certificate (which is valid for only 3 days before being regenerated automatically).
Limitations
If a user happens to be using an older version of Windows that hasn't been kept up-to-date, they may receive a certificate warning as the certification authority root certificate dates back to 2020 and has only been included in Windows for a couple of years. It's quite possible this would happen with other recent code signing certificates anyway, though.
The Azure client secret is valid for a maximum of 2 years, so will need to be regenerated and updated in the GitHub secrets store periodically.
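To make the "skip in forks, otherwise sign" flow concrete, here is an added PowerShell example of what such a signing script can look like. It is not the sign_azure.ps1 from this PR or anything from the OpenTTD repository. The environment-variable names (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, ACS_ENDPOINT, ACS_ACCOUNT_NAME, ACS_CERT_PROFILE), the dlib path and the metadata file layout are assumptions made for the illustration; the `/dlib` and `/dmdf` signtool options and the timestamp URL follow Microsoft's documented signtool integration for the service, and should be checked against the current docs before use.

```powershell
# Added example (not the PR's sign_azure.ps1): sign Windows binaries through
# Azure Code Signing via signtool's dlib hook, or skip cleanly when the CI
# secrets are absent (e.g. a CI run in a fork). All variable names, the dlib
# location and the metadata fields below are assumptions for illustration.
param(
    [Parameter(Mandatory = $true)][string[]]$Files,
    [string]$SignTool = "signtool.exe",
    # Assumed location of the Azure Code Signing dlib shipped by Microsoft.
    [string]$Dlib = "$PSScriptRoot\Azure.CodeSigning.Dlib.dll"
)

$ErrorActionPreference = "Stop"

# Assumed variable names. The AZURE_* trio is the service-principal client
# secret the dlib authenticates with; the ACS_* values identify the signing
# account and certificate profile. None of these are set in a fork's CI.
$required = @(
    "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET",
    "ACS_ENDPOINT", "ACS_ACCOUNT_NAME", "ACS_CERT_PROFILE"
)
$missing = $required | Where-Object {
    [string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($_))
}
if ($missing) {
    # Do not fail the build for forks; just say why nothing was signed.
    Write-Host "Codesigning variables not found; most likely running in a fork. Skipping signing."
    Write-Host "Missing: $($missing -join ', ')"
    exit 0
}

# The metadata file tells the dlib which account/profile to sign under.
# The binary itself stays local: signtool computes the digest and only that
# is sent to the service, which returns the signature.
$metadata = Join-Path ([IO.Path]::GetTempPath()) "acs-metadata-$PID.json"
@{
    Endpoint               = $env:ACS_ENDPOINT
    CodeSigningAccountName = $env:ACS_ACCOUNT_NAME
    CertificateProfileName = $env:ACS_CERT_PROFILE
} | ConvertTo-Json | Set-Content -Path $metadata -Encoding ascii

try {
    foreach ($file in $Files) {
        if (-not (Test-Path $file)) { throw "File not found: $file" }

        # Timestamping is not optional here: the signing certificate lives
        # only a few days, so the RFC 3161 countersignature is what keeps the
        # signature valid after the certificate has expired.
        & $SignTool sign /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 `
            /dlib $Dlib /dmdf $metadata $file
        if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $file (exit $LASTEXITCODE)" }

        # Verify against the default Authenticode policy (/pa), i.e. that the
        # signature chains to a trusted root, not merely that one is present.
        & $SignTool verify /pa $file
        if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $file (exit $LASTEXITCODE)" }
        Write-Host "Signed and verified: $file"
    }
}
finally {
    Remove-Item -Path $metadata -ErrorAction SilentlyContinue
}
```

Two design points worth noting. The script exits 0 rather than failing when the variables are absent, which is what lets the same CMake invocation work both in the upstream repository and in forks; CMake only needs to test whether the variables are defined to pick this script over the traditional sign.bat. And the `signtool verify /pa` step is the check that would catch the Limitations case above on a stale Windows image, since verification fails if the issuing root is not in the machine's trust store.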