Package curl for Windows in a signed installer #5424
Comments
Note there are already official builds for Windows and as I'm sure you are aware Microsoft has its own build and has been including curl with Windows 10, but it may be somewhat limited compared to the official version. /cc @vszakats
We've once made a try with code-signing our official build, but the process ended up failing when the certificate generation required a weird combination of obsolete IE version running on a specific Windows OS version, with some specific configuration (or some such.) So after a few days of futile efforts, we had to give it up. Having said that, the technical part of code signing is in place and the builds are shipping with a self-signed (~dummy) certificate for now. As for MSI/MSIX, with external help it probably can be added, but since the curl-for-win build is running and tested under Linux/macOS, we need tools that run under these operating systems. Or alternatively, split off the process from the main build and generate these in a second pass on native Windows, perhaps via a GitHub Action.
I am using a private certificate CodeSigning certificate from DigiCert to sign my (currently internal) builds. I would be open for sponsoring the code signing, but it would have to be done via separate (automated) step that I control due to the certificate requiring protection which CIs cannot provide. @bagder maybe it would also be an option to use curl's funds to get a dedicated code signing certificate? Unfortunately DigiCert no longer provides a discount for Microsoft code signing:
Hey @jay - yep, I work on the team that now owns the build of Curl built-in to Windows 😁 What I couldn't reveal until today is that today, we announced the first preview of a package manager for Windows. Yes ... I know ... it's 2020, why didn't this happen 10+ years ago ... couldn't agree more 😜 @vszakats - LOVE your idea re. GitHub action or similar for signing binaries and generating the signed Windows installation package. Could even perhaps consider doing similar for various Linux packages? @mback2k and/or @bagder - Would you mind emailing me at richturn at you know where dotcom. Have some ideas to discuss in a little more detail.
I can try to solve the issues related to code signing. I have been doing this in my own CI for many years. I guess using some Windows CI step for this in the curl-for-win repository would be a starting point.
@mback2k I meant to split off the MSI/MSIX generation only, due to the assumption that the necessary tooling is Windows-only (which I'm not 100% sure of, but it looked like it at a quick glance). The tooling to sign As for secrets: The code signing private key is currently shipped with the So to make it clear: To have a properly signed @bitcrazed Do you mean for non-curl Linux package? or doing curl builds for Linux?
@vszakats okay, unfortunately I only can provide experience with WiX Toolset to create MSI installers and Inno Setup for EXE installers, both only running directly on Windows but with signed payload and (un)installers.
This seems to have stalled, Marc do you plan to work on it?
There is e-mail communication going on between Rich, Viktor and myself. So, not stalled. We are waiting for some dependencies to be available.
The discussions and coming preparations for this are done over email and will be made available and visible as soon as there's anything to show. We're discussing technical details of how exactly we can make this a reality - there's a clear will and desire from all involved parties to make this happen.
There is now a wiki entry for this issue.
Accidentally found mention of this tool called Conveyor, that is able to create MSIX packages on non-Windows systems: Free for open-licensed projects. That said, I haven't looked into what it takes to install it in a Linux CI session, how licensing goes in this case, or how to actually use it. (That still leaves two issues: 1. having code signing certs 2. code signing without breaking reproducibility.) /via the author @ https://news.ycombinator.com/item?id=36061106
I recently came across this service that could eventually solve the code signing issue:
Hi. PM on Windows Dev Platform here. Wasn't sure if this was a discussion or an issue, so posted here.
We're working on some "new & improved things" that would benefit from apps and tools like curl being signed & distributed via a signed installer package (MSI/MSIX), including:
Have/would you consider: