Steve Lawrence created DAFFODIL-3090:
----------------------------------------
Summary: Sign Windows exe installer
Key: DAFFODIL-3090
URL: https://issues.apache.org/jira/browse/DAFFODIL-3090
Project: Daffodil
Issue Type: Improvement
Components: Infrastructure
Reporter: Steve Lawrence
Fix For: 4.3.0
Daffodil currently signs all release artifacts using detached signatures, as
required by ASF.
Additionally, for RPM we embed signatures in th e RPM file, which improves
integration and signature validation with things like DNF.
But we do not embed signatures in our EXE windows installer. This results in an
"Unknown Publisher" warning when installing the executable. Users are allowed
to accept this risk and continue to install anyways, but it would be nice it we
could avoid this and it would instead show up as a trusted Apache Software
Foundation publisher.
Apache INFRA allows use of ssl.com for embedding signatures in exe files:
https://infra.apache.org/code-signing-use.html.
We should see about enabling this process. I believe the tasks to complete this
are:
1. Open a ticket with INFRA to add ssl.com credentials to our repositories as
secrets (note that this is different than what the above link recommends about
each release manager creating an account, but because Daffodil has been
approved to use [automated release
signing|https://infra.apache.org/release-signing.html#automated-release-signing]
hopefully infra can do the same thing with ssl.com credentials).
2. Update our release candidate action to use those secrets to sign our exe
files using jsign (we may need to download and install jsign as part of the
action)
3. Update the daffodil release-candidate workflow to provide the secrets to the
action
4. Update the check-release script to strip the exe signatures during
reproducibility checks (similar to what we already do for RPM)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)