Package curl for Windows in a signed installer

[bitcrazed]

Hi. PM on Windows Dev Platform here. Wasn't sure if this was a discussion or an issue, so posted here.

We're working on some "new & improved things" that would benefit from apps and tools like curl being signed & distributed via a signed installer package (MSI/MSIX), including:

• A simplified process for installing apps and tools on Windows
• Improve perf by minimizing number and frequency of scans by anti-malware tools like Defender

Have/would you consider:

1. Signing curl binaries with a cert chained to a CA?
2. Bundling curl outputs in a signed installer package?
3. Distributing curl installer packages for Windows?

[jay]

Note there are already official builds for Windows and as I'm sure you are aware Microsoft has its own build and has been including curl with Windows 10, but it may be somewhat limited compared to the official version.

/cc @vszakats

[vszakats]

We've once made a try with code-signing our official build, but the process ended up failing when the certificate generation required a weird combination of obsolete IE version running on a specific Windows OS version, with some specific configuration (or some such.) So after a few days of futile efforts, we had to give it up.

Having said that, the technical part of code signing is in place and the builds are shipping with a self-signed (~dummy) certificate for now.

As for MSI/MSIX, with external help it probably can be added, but since the curl-for-win build is running and tested under Linux/macOS, we need tools that run under these operating systems. Or alternatively, split off the process from the main build and generate these in a second pass on native Windows, perhaps via a GitHub Action.

[mback2k]

I am using a private certificate CodeSigning certificate from DigiCert to sign my (currently internal) builds. I would be open for sponsoring the code signing, but it would have to be done via separate (automated) step that I control due to the certificate requiring protection which CIs cannot provide.

@bagder maybe it would also be an option to use curl's funds to get a dedicated code signing certificate? Unfortunately DigiCert no longer provides a discount for Microsoft code signing:
https://news.ycombinator.com/item?id=21613811

[bitcrazed]

Hey @jay - yep, I work on the team that now owns the build of Curl built-in to Windows 😁

What I couldn't reveal until today is that today, we announced the first preview of a package manager for Windows. Yes ... I know ... it's 2020, why didn't this happen 10+ years ago ... couldn't agree more 😜

@vszakats - LOVE your idea re. Github action or similar for signing binaries and generating the signed Windows installation package. Could even perhaps consider doing similar for various Linux packages?

@mback2k and/or @bagder - Would you mind emailing me at richturn at you know where dotcom. Have some ideas to discuss in a little more in detail.

[bagder]

@mback2k: it was never a question of money, @vszakats struggled to make it happen. We wouldn't hesitate to spent money on this or ask for sponsors - if that would unblock something.

[mback2k]

I can try to solve the issues related to code signing. I have been doing this in my own CI for many years. I guess using some Windows CI step for this in the curl-for-win repository would be a starting point.

[vszakats]

@mback2k I meant to split off the MSI/MSIX generation only, due to the assumption that the necessary tooling is Windows-only (which I'm not 100% sure of, but it looked like it at a quick glance).

The tooling to sign .exe/.dll binaries under *nixy operating systems is already in place (via a custom-patched build of osslsigncode, which patch was subsequently upstreamed to the tool's active fork), so I see no pressing technical reason to move this step to a separate CI session. Likely can be done, but I'm not sure the benefits outweight the efforts/risks. (In case of a separate session, it should be ensured that the unsigned blobs travel intact between sessions, stay reproducible, and the upload step also needs to be detached to handle existing upload locations, making this complex.)

As for secrets: The code signing private key is currently shipped with the curl-for-win repo as a GPG encrypted blob, which is unencrypted via a secret CI envvar at build time. Same with the key passphrase. Maybe there is a better way to do this, and if so, I'd be glad to hear about it. [ Note that I'm personally interested in knowing/handling as little amount of secrets as reasonably possible. ]

So to make it clear: To have a properly signed curl.exe, all we'd need to do now is to replace the above key blob and the two CI secrets, with ones for a real code signing cert.

@bitcrazed Do you mean for non-curl Linux package? or doing curl builds for Linux?

[mback2k]

@vszakats okay, unfortunately I only can provide experience with WiX Toolset to create MSI installers and Inno Setup for EXE installers, both only running directly on Windows but with signed payload and (un)installers.

[jay]

This seems to have stalled, Marc do you plan to work on it?

[mback2k]

This seems to have stalled, Marc do you plan to work on it?

There is e-mail communication going on between Rich, Viktor and myself. So, not stalled. We are waiting for some dependencies to be available.

[bagder]

The discussions and coming preparations for this is done over email and will be made available and visible as soon as there's anything to show. We're discussing technical details of how exactly we can make this a reality - there's a clear will and desire from all involved parties to make this happen.

[jay]

There is now a wiki entry for this issue.

[vszakats]

Accidentally found mention of this tool called Conveyor, that is able to create MSIX packages on non-Windows systems:
https://github.com/hydraulic-software/conveyor
https://www.hydraulic.dev/

Free for open-licensed projects. That said, I haven't looked into what it takes to install it in a Linux CI session, how licensing goes in this case, or how to actually use it. (That still leaves two issues: 1. having code signing certs 2. code signing without breaking reproducibility.)

/via the author @ https://news.ycombinator.com/item?id=36061106

[mback2k]

I recently came across this service that could eventually solve the code signing issue:

https://about.signpath.io/product/open-source