Codechange: [CI] Use Azure Code Signing for Windows build #12292
Conversation
As if by magic, MS have just sent an invitation to a call next week where they are announcing a Public Preview, plus pricing details and so on. I'll hopefully be able to attend and find out more then. |
TrueBrain
changed the title
orudge
force-pushed
the
azure-code-signing
branch
2 times, most recently
from
901a11f
to
42f64af
Compare
os/windows/sign_azure.ps1
Outdated
| "The required environment variables have not been set up. Please check the script source for details." | ||
| "Skipping signing." |
There was a problem hiding this comment.
| "The required environment variables have not been set up. Please check the script source for details." | |
| "Skipping signing." | |
| "Codesigning variables not found; most likely running in a fork. Skipping signing." |
TrueBrain
added
the
backport requested
orudge
force-pushed
the
azure-code-signing
branch
from
42f64af
to
7ef1495
Compare
|
For the historical record, I attended a meeting with Microsoft today regarding the public preview and eventual production release of the Azure Code Signing service. This included information on pricing, and while I don't know that I'm at liberty to share that information at this time, I can confirm that it should be quite affordable for us (and certainly cheaper than an EV code signing certificate and so on). |
rubidium42
added
backported
Motivation / Problem
Our current code signing certificate is due for renewal in a few months, and due to recent policy changes by the Certificate Authority cabal, you now need to store a certificate on a pricey hardware dongle or a certified HSM vault. For something compatible with GitHub Actions, we'd probably need to use an Azure HSM vault, but would still need to pay several hundred GBP per year for a certificate, a considerable increase compared with what we've got just now.
However, the good folks at ImageMagick alerted me to a preview programme Microsoft is running, called Azure Code Signing. This offers a more Mac-like solution, with Microsoft providing a code signing certificate. I applied for us to join their preview programme, and was accepted. Currently, the preview is free; it's not yet clear when this will become generally available or what pricing may be involved, but one would hope it'll be considerably cheaper than the alternatives.
Description
This PR adds support for Azure Code Signing to the build process. To keep things fairly simple, I've created a
sign_azure.batscript that acts as an alternative forsign.bat(which is called within the CMake process). Microsoft does offer a GitHub Action for Azure Code Signing, but that would involve a bit more surgery. (If we'd rather do things that way, however, it's certainly possible.) CMake will choose which code signing method to use based upon which environment variables are defined, as somebody might want to fork OpenTTD and sign it with a traditional certificate perhaps.The actual code signing is performed via a PowerShell script. Microsoft takes a checksum of the binary, uploads it to Azure, where a signature is generated and returned (so the binaries themselves are not transferred). We don't get access to the actual certificate (which is valid for only 3 days before being regenerated automatically).
Limitations
If a user happens to be using an older version of Windows that hasn't been kept up-to-date, they may receive a certificate warning as the certification authority root certificate dates back to 2020 and has only been included in Windows for a couple of years. It's quite possible this would happen with other recent code signing certificates anyway, though.
The Azure client secret is valid for a maximum of 2 years, so will need to be regenerated and updated in the GitHub secrets store periodically.
Checklist for review
Some things are not automated, and forgotten often. This list is a reminder for the reviewers.