feat(installer): ship durable signed Windows packages#2633
Draft
benjaminshafii wants to merge 5 commits into
Draft
feat(installer): ship durable signed Windows packages#2633benjaminshafii wants to merge 5 commits into
benjaminshafii wants to merge 5 commits into
Conversation
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
openwork-installer.jsonbeside it and returns an organization-named download.windows-11-armrunner, and smoke-test both Windows architectures before an artifact can be uploaded.This deliberately does not change app-version policy, the desktop updater feed, or Linux installer behavior. Internal desktop binaries/update feeds remain a separate air-gapped delivery concern.
Root cause
The generic release workflow defaulted Windows signing off (including automatic release events), served only an x64 executable, and depended on a filename stamp for organization configuration. Renaming the executable could therefore discard configuration, and a real release could publish an unsigned setup binary. The install page also guessed Apple silicon when Mac architecture was uncertain.
Validation
Daytona Linux —
ow-durable-installer-fullpnpm --filter @openwork/install-config build— passed.cd apps/installer && bun test— 25 passed, 0 failed.pnpm --filter @openwork-ee/den-api exec bun test test/installer-artifacts.test.ts test/zip-append.test.ts— 7 passed, 0 failed.node --test ee/apps/den-web/app/\(den\)/_lib/install-platform.test.mts— 3 passed, 0 failed.pnpm --filter @openwork-ee/den-api exec tsc --noEmit— passed.pnpm --filter @openwork-ee/den-web exec tsc --noEmit— passed.node --check; the approved flow loads all 6 voiceover frames.Daytona Windows —
ow-durable-installer-windows-reviewOpenWork Installer.exeandopenwork-installer.json.Renamed Organization Setup.exe; SHA-256 remained identical before/after rename.Renamed Organization Setup.exe --check-configexited 0 and reportedConfigured via install linkfor the on-prem workspace URL.NotSigned, as intended. It cannot accidentally turn an unsigned artifact into passing evidence.GitHub packaging matrix
Artifact-only workflow run 29065846594 passed on commit
526b6da59e247d9ec77c71afbb0dc7ddd94704ae:OpenWork Installer.exe; PE inspection reports x86-64 and Aarch64 respectively.Fraimz verdict: Incomplete
The full six-frame proof intentionally requires a real SignPath result whose Windows Authenticode status is
Validand whose publisher is visible. This artifact-only run usedsign_windows=false, so there is no honestfraimz.htmlto attach yet. The Windows proof harness correctly stopped atNotSigned.To complete the eval, dispatch this workflow in artifact mode with
sign_windows=true, mount the returned signed ZIPs into the Den eval sandbox, download the organization-stamped package, then run the documented Windows harness and: