Package curl for Windows in a signed installer #5424

Closed
bitcrazed opened this issue May 18, 2020 · 14 comments

@bitcrazed
Contributor

Hi. PM on Windows Dev Platform here. Wasn't sure if this was a discussion or an issue, so posted here.

We're working on some "new & improved things" that would benefit from apps and tools like curl being signed & distributed via a signed installer package (MSI/MSIX), including:

  • A simplified process for installing apps and tools on Windows
  • Improve perf by minimizing number and frequency of scans by anti-malware tools like Defender

Have/would you consider:

  1. Signing curl binaries with a cert chained to a CA?
  2. Bundling curl outputs in a signed installer package?
  3. Distributing curl installer packages for Windows?
@jay jay added the build label May 18, 2020
@jay
Member

jay commented May 18, 2020

Note there are already official builds for Windows and as I'm sure you are aware Microsoft has its own build and has been including curl with Windows 10, but it may be somewhat limited compared to the official version.

/cc @vszakats

@jay jay added the Windows Windows-specific label May 18, 2020
@vszakats
Member

We've once made a try with code-signing our official build, but the process ended up failing when the certificate generation required a weird combination of obsolete IE version running on a specific Windows OS version, with some specific configuration (or some such.) So after a few days of futile efforts, we had to give it up.

Having said that, the technical part of code signing is in place and the builds are shipping with a self-signed (~dummy) certificate for now.

As for MSI/MSIX, with external help it probably can be added, but since the curl-for-win build is running and tested under Linux/macOS, we need tools that run under these operating systems. Or alternatively, split off the process from the main build and generate these in a second pass on native Windows, perhaps via a GitHub Action.

@mback2k
Member

mback2k commented May 20, 2020

I am using a private CodeSigning certificate from DigiCert to sign my (currently internal) builds. I would be open for sponsoring the code signing, but it would have to be done via a separate (automated) step that I control due to the certificate requiring protection which CIs cannot provide.

@bagder maybe it would also be an option to use curl's funds to get a dedicated code signing certificate? Unfortunately DigiCert no longer provides a discount for Microsoft code signing:
https://news.ycombinator.com/item?id=21613811

@bitcrazed
Contributor Author

Hey @jay - yep, I work on the team that now owns the build of Curl built-in to Windows 😁

What I couldn't reveal until today is that today, we announced the first preview of a package manager for Windows. Yes ... I know ... it's 2020, why didn't this happen 10+ years ago ... couldn't agree more 😜

@vszakats - LOVE your idea re. GitHub action or similar for signing binaries and generating the signed Windows installation package. Could even perhaps consider doing similar for various Linux packages?

@mback2k and/or @bagder - Would you mind emailing me at richturn at you know where dotcom. Have some ideas to discuss in a little more detail.

@bagder
Member

bagder commented May 20, 2020

@mback2k: it was never a question of money, @vszakats struggled to make it happen. We wouldn't hesitate to spend money on this or ask for sponsors - if that would unblock something.

@mback2k
Member

mback2k commented May 20, 2020

I can try to solve the issues related to code signing. I have been doing this in my own CI for many years. I guess using some Windows CI step for this in the curl-for-win repository would be a starting point.

@vszakats
Member

@mback2k I meant to split off the MSI/MSIX generation only, due to the assumption that the necessary tooling is Windows-only (which I'm not 100% sure of, but it looked like it at a quick glance).

The tooling to sign .exe/.dll binaries under *nixy operating systems is already in place (via a custom-patched build of osslsigncode, which patch was subsequently upstreamed to the tool's active fork), so I see no pressing technical reason to move this step to a separate CI session. Likely can be done, but I'm not sure the benefits outweigh the efforts/risks. (In case of a separate session, it should be ensured that the unsigned blobs travel intact between sessions, stay reproducible, and the upload step also needs to be detached to handle existing upload locations, making this complex.)

As for secrets: The code signing private key is currently shipped with the curl-for-win repo as a GPG encrypted blob, which is unencrypted via a secret CI envvar at build time. Same with the key passphrase. Maybe there is a better way to do this, and if so, I'd be glad to hear about it. [ Note that I'm personally interested in knowing/handling as little amount of secrets as reasonably possible. ]

So to make it clear: To have a properly signed curl.exe, all we'd need to do now is to replace the above key blob and the two CI secrets, with ones for a real code signing cert.

@bitcrazed Do you mean for non-curl Linux package? or doing curl builds for Linux?

@mback2k
Member

mback2k commented May 27, 2020

@vszakats okay, unfortunately I only can provide experience with WiX Toolset to create MSI installers and Inno Setup for EXE installers, both only running directly on Windows but with signed payload and (un)installers.

@jay
Member

jay commented Jul 22, 2020

This seems to have stalled, Marc do you plan to work on it?

@mback2k
Member

mback2k commented Jul 22, 2020

> This seems to have stalled, Marc do you plan to work on it?

There is e-mail communication going on between Rich, Viktor and myself. So, not stalled. We are waiting for some dependencies to be available.

@bagder
Member

bagder commented Aug 4, 2020

The discussions and coming preparations for this are done over email and will be made available and visible as soon as there's anything to show. We're discussing technical details of how exactly we can make this a reality - there's a clear will and desire from all involved parties to make this happen.

@bagder bagder closed this as completed in be8c94d Dec 15, 2020
@jay
Member

jay commented Dec 18, 2020

There is now a wiki entry for this issue.

@vszakats
Member

vszakats commented May 24, 2023

Accidentally found mention of this tool called Conveyor, that is able to create MSIX packages on non-Windows systems:
https://github.com/hydraulic-software/conveyor
https://www.hydraulic.dev/

Free for open-licensed projects. That said, I haven't looked into what it takes to install it in a Linux CI session, how licensing goes in this case, or how to actually use it. (That still leaves two issues: 1. having code signing certs 2. code signing without breaking reproducibility.)

/via the author @ https://news.ycombinator.com/item?id=36061106
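
The reproducibility concern raised in this thread (unsigned blobs staying intact between sessions, and signing without breaking reproducibility) can be checked by hashing a PE file while skipping the regions a signer rewrites. This is an added example, not part of the thread and not curl-for-win code. It is a simplified linear variant of the Authenticode image hash; the function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

def signature_independent_digest(pe: bytes) -> str:
    """SHA-256 over a PE image, skipping the regions a signer rewrites."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                          # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                    # CheckSum field, 4 bytes
    # Data directory entry 4 is the certificate table (file offset, size).
    cert_entry = opt + (96 if magic == 0x10B else 112) + 4 * 8
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_entry)
    if cert_len and (cert_off < cert_entry + 8 or cert_off + cert_len > len(pe)):
        raise ValueError("certificate table outside the file")
    end = cert_off if cert_len else len(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:cert_entry])
    h.update(pe[cert_entry + 8:end])
    h.update(bytes(-end % 8))              # assumption: signers pad the image to 8 bytes
    h.update(pe[end + cert_len:])          # anything after the certificate table
    return h.hexdigest()

def build_sample_pe(payload: bytes = b"constructed code byte") -> bytes:
    """Constructed minimal PE32+ header plus payload; not a runnable binary."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)    # e_lfanew = 64
    coff = b"PE\0\0" + bytes(20)
    opt = struct.pack("<H", 0x20B) + bytes(238)        # 240-byte optional header
    return dos + coff + opt + payload

def attach_fake_signature(pe: bytes, blob: bytes) -> bytes:
    """Mimic a signer's file changes; blob stands in for the real PKCS#7 data."""
    body = pe + bytes(-len(pe) % 8)
    opt = struct.unpack_from("<I", body, 0x3C)[0] + 24
    out = bytearray(body + blob)
    struct.pack_into("<I", out, opt + 64, 0xDEADBEEF)                  # new checksum
    struct.pack_into("<II", out, opt + 112 + 32, len(body), len(blob))
    return bytes(out)
```

Two builds that differ only in their signature yield the same digest, so a signed release can be compared against an independently rebuilt unsigned binary.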

@mback2k
Member

mback2k commented May 25, 2023

I recently came across this service that could eventually solve the code signing issue:

https://about.signpath.io/product/open-source
