Skip to content

feat(installer): ship durable signed Windows packages#2633

Draft
benjaminshafii wants to merge 5 commits into
devfrom
codex/durable-signed-windows-installer
Draft

feat(installer): ship durable signed Windows packages#2633
benjaminshafii wants to merge 5 commits into
devfrom
codex/durable-signed-windows-installer

Conversation

@benjaminshafii

Copy link
Copy Markdown
Member

What changed

  • Require SignPath for every published generic Windows installer. Manual or release-event publication now fails before upload when Windows signing is disabled or SignPath configuration is missing.
  • Publish organization-stampable ZIPs for Windows x64 and ARM64. Each ZIP keeps the signed executable byte-identical; Den appends openwork-installer.json beside it and returns an organization-named download.
  • Build ARM64 on the repository's native windows-11-arm runner, and smoke-test both Windows architectures before an artifact can be uploaded.
  • Recommend architectures truthfully on the install page: Intel Mac is explicit, uncertain Macs get two choices, and Windows exposes x64 plus ARM64.
  • Make outer-installer delivery on-prem first: mounted files, disk cache, or an internal release base are preferred, and public GitHub fallback is opt-in.
  • Add the approved six-frame voiceover, coded fraimz flow, and a strict Windows proof script.

This deliberately does not change app-version policy, the desktop updater feed, or Linux installer behavior. Internal desktop binaries/update feeds remain a separate air-gapped delivery concern.

Root cause

The generic release workflow defaulted Windows signing off (including automatic release events), served only an x64 executable, and depended on a filename stamp for organization configuration. Renaming the executable could therefore discard configuration, and a real release could publish an unsigned setup binary. The install page also guessed Apple silicon when Mac architecture was uncertain.

Validation

Daytona Linux — ow-durable-installer-full

  • pnpm --filter @openwork/install-config build — passed.
  • cd apps/installer && bun test25 passed, 0 failed.
  • pnpm --filter @openwork-ee/den-api exec bun test test/installer-artifacts.test.ts test/zip-append.test.ts7 passed, 0 failed.
  • node --test ee/apps/den-web/app/\(den\)/_lib/install-platform.test.mts3 passed, 0 failed.
  • pnpm --filter @openwork-ee/den-api exec tsc --noEmit — passed.
  • pnpm --filter @openwork-ee/den-web exec tsc --noEmit — passed.
  • Bun 1.3.14 cross-compilation produced valid PE32+ x86-64 and ARM64 executables.
  • Both fraimz flow files pass node --check; the approved flow loads all 6 voiceover frames.

Daytona Windows — ow-durable-installer-windows-review

  • Downloaded and extracted an organization ZIP containing OpenWork Installer.exe and openwork-installer.json.
  • Renamed the executable to Renamed Organization Setup.exe; SHA-256 remained identical before/after rename.
  • Renamed Organization Setup.exe --check-config exited 0 and reported Configured via install link for the on-prem workspace URL.
  • The checked-in strict proof harness rejected the unsigned test build with NotSigned, as intended. It cannot accidentally turn an unsigned artifact into passing evidence.

GitHub packaging matrix

Artifact-only workflow run 29065846594 passed on commit 526b6da59e247d9ec77c71afbb0dc7ddd94704ae:

  • Windows x64: tests, compile, unconfigured smoke test, ZIP packaging, upload — passed.
  • Native Windows ARM64: tests, compile, unconfigured smoke test, ZIP packaging, upload — passed.
  • Downloaded artifacts contain a single root OpenWork Installer.exe; PE inspection reports x86-64 and Aarch64 respectively.

Fraimz verdict: Incomplete

The full six-frame proof intentionally requires a real SignPath result whose Windows Authenticode status is Valid and whose publisher is visible. This artifact-only run used sign_windows=false, so there is no honest fraimz.html to attach yet. The Windows proof harness correctly stopped at NotSigned.

To complete the eval, dispatch this workflow in artifact mode with sign_windows=true, mount the returned signed ZIPs into the Den eval sandbox, download the organization-stamped package, then run the documented Windows harness and:

OPENWORK_EVAL_INSTALL_PAGE_URL=... \
OPENWORK_EVAL_WINDOWS_INSTALLER_UI_URL=... \
OPENWORK_EVAL_WINDOWS_PROOF_JSON=... \
OPENWORK_EVAL_DESKTOP_CDP_URL=... \
pnpm fraimz --flow durable-signed-windows-installer --pr

@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
openwork-app Ready Ready Preview, Comment Jul 10, 2026 3:02am
openwork-den Ready Ready Preview, Comment Jul 10, 2026 3:02am
openwork-den-worker-proxy Ready Ready Preview, Comment Jul 10, 2026 3:02am
openwork-landing Ready Ready Preview, Comment, Open in v0 Jul 10, 2026 3:02am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant