Implement code signing on macOS and Windows #18291
Comments
Windows AppVeyor code signing guide: To codesign (Authenticode) the Windows geth executable, the most common option is to use the Windows SDK "Signtool" program. Geth (and other exes) are built for Windows using AppVeyor, the configuration for which is specified by an appveyor.yml file in the project source. (The appveyor.yml file (go-ethereum\appveyor.yml) specifies an OS of "os: Visual Studio 2015".) According to online references, the location of signtool.exe on the AppVeyor machine should be C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe. It is not clear if this location is in the AppVeyor PATH. The below yml file has options for either case.

The aim is to use Signtool to sign the executable post-build. In a private environment, the syntaxes for this would be as follows.

SHA1

SHA256

where EthereumCert.pfx is a password-protected Ethereum Foundation certificate, EthereumCertPassword is the password to that certificate, and the /t or /tr options (depending on algorithm) specify URIs to a timestamping service and indicate the signature should include a timestamp. The timestamp is necessary to determine that the executable was signed during the validity period of the certificate. Without this, code signatures become invalid as soon as the certificate expires.

An additional requirement, though, is that the EthereumCertPassword and pfx files cannot be supplied in plain text as part of an open source project. The EF foundation pfx file should be converted to an AppVeyor "secure file". To do this, the following steps are suggested by AppVeyor: In summary, those steps describe downloading a tool from AppVeyor to encrypt the file with a secret, and then adding that secret to the AppVeyor build project either as an AppVeyor project setting or as a "secure variable" (the latter assumed below). The EF foundation pfx password should also be added to the appveyor.yml file as a "secure variable". To do this, follow the instructions here.

With the above steps complete, the appveyor.yml should be modified to look as follows. Modified lines are indicated with an indent. The geth project should include the encrypted certificate (or it could be downloaded from a secure location).
[Or if signtool is not in the path then...]
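The appveyor.yml itself did not survive in the comment above, so the following is an added illustration of the procedure it describes (secure-file decryption, signtool in after_build with a timestamp, both the on-PATH and full-path variants), not the go-ethereum project's own configuration. Assumed names: the encrypted certificate `build\EthereumCert.pfx.enc`, the secure variables `cert_secret` and `cert_password`, the `timestamp_url` placeholder, and the `go run build\ci.go install` build step. The `secure-file` tool and `secure:` variable syntax are AppVeyor's documented mechanisms; the SHA-256 options (`/fd`, `/td`) need a Windows 8 SDK or newer signtool, so the v7.1A path quoted above may have to be swapped for the newer SDK's signtool if SHA-256 signing is wanted.

```yaml
# Added example, not the project's appveyor.yml. Shows the secure-file and
# signtool steps the comment above describes.
version: '{build}'
os: Visual Studio 2015

environment:
  # Secure variables: encrypt each value in the AppVeyor project settings and
  # paste the ciphertext here. AppVeyor does not decrypt them for pull-request
  # builds from forks, so a malicious PR cannot read the key material.
  cert_secret:
    secure: <ENCRYPTED-VALUE-FROM-APPVEYOR-UI>
  cert_password:
    secure: <ENCRYPTED-VALUE-FROM-APPVEYOR-UI>
  # Placeholder: use the RFC 3161 timestamp service of the issuing CA.
  timestamp_url: http://timestamp.example.invalid

install:
  # Decrypt the committed, encrypted certificate with AppVeyor's secure-file tool.
  - nuget install secure-file -ExcludeVersion
  - secure-file\tools\secure-file -decrypt build\EthereumCert.pfx.enc -secret %cert_secret%

build_script:
  - go run build\ci.go install

after_build:
  # Option 1 (signtool on PATH), SHA-256 digest with an RFC 3161 timestamp.
  - signtool sign /f build\EthereumCert.pfx /p %cert_password% /fd sha256 /tr %timestamp_url% /td sha256 /v build\bin\geth.exe
  # Option 2 (signtool not on PATH): same command via the SDK path from the comment,
  # here shown as the SHA-1 variant that uses the legacy /t Authenticode timestamp.
  - '"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /f build\EthereumCert.pfx /p %cert_password% /t %timestamp_url% /v build\bin\geth.exe'
  # Verify the signature and certificate chain before anything is published;
  # signtool returns non-zero on failure, which fails the build.
  - signtool verify /pa /v build\bin\geth.exe
  # Remove the decrypted private key so it cannot leak via artifacts or caches.
  - del build\EthereumCert.pfx

artifacts:
  - path: build\bin\geth.exe
```

The `verify /pa` step is the check a release engineer wants in CI: it confirms the chain validates under the default Authenticode policy and that the timestamp was embedded, so an expired certificate later does not invalidate already shipped binaries. Keep the `/p` password in a secure variable rather than a literal, and avoid echoing the command with the password expanded.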
Ethereum Foundation has developer accounts with Apple and Microsoft. The Mist project uses those to code-sign executables. We should start shipping code-signed executables for those platforms.