Steve Lawrence created DAFFODIL-3090:
----------------------------------------

             Summary: Sign Windows exe installer
                 Key: DAFFODIL-3090
                 URL: https://issues.apache.org/jira/browse/DAFFODIL-3090
             Project: Daffodil
          Issue Type: Improvement
          Components: Infrastructure
            Reporter: Steve Lawrence
             Fix For: 4.3.0


Daffodil currently signs all release artifacts using detached signatures, as 
required by ASF.

Additionally, for RPM we embed signatures in the RPM file, which improves 
integration and signature validation with things like DNF.

But we do not embed signatures in our EXE Windows installer. This results in an 
"Unknown Publisher" warning when installing the executable. Users are allowed 
to accept this risk and continue to install anyway, but it would be nice if we 
could avoid this and it would instead show up as a trusted Apache Software 
Foundation publisher.

Apache INFRA allows use of ssl.com for embedding signatures in exe files: 
https://infra.apache.org/code-signing-use.html.

We should see about enabling this process. I believe the tasks to complete this 
are:

1. Open a ticket with INFRA to add ssl.com credentials to our repositories as 
secrets (note that this is different than what the above link recommends about 
each release manager creating an account, but because Daffodil has been 
approved to use [automated release signing|https://infra.apache.org/release-signing.html#automated-release-signing], 
hopefully infra can do the same thing with ssl.com credentials).
2. Update our release candidate action to use those secrets to sign our exe 
files using jsign (we may need to download and install jsign as part of the 
action)
3. Update the daffodil release-candidate workflow to provide the secrets to the 
action
4. Update the check-release script to strip the exe signatures during 
reproducibility checks (similar to what we already do for RPM) 
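Step 4 is where the reproducibility check needs code: a signed release build can only be compared against an unsigned rebuild once the Authenticode table the signer appended to the EXE has been removed. The following Python is an added example and not Daffodil's check-release script; it parses the PE header itself instead of calling a signing tool, feeds itself a constructed minimal PE32+ image, and assumes the signer recomputes the PE checksum, so it zeroes that field on both sides before comparing.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot that points at the Authenticode table

def _locate_headers(data: bytes):
    """Return (checksum field offset, security directory entry offset) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 for PE32 (magic 0x10B) or +112 for PE32+ (magic 0x20B)
    dir_base = opt + {0x10B: 96, 0x20B: 112}[magic]  # KeyError means an unknown optional header
    return opt + 64, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY

def strip_authenticode(data: bytes) -> bytes:
    """Return a copy of the PE with the embedded signature table removed and the checksum zeroed."""
    checksum_off, sec_off = _locate_headers(data)
    cert_off, cert_size = struct.unpack_from("<II", data, sec_off)  # a file offset, not an RVA
    out = bytearray(data)
    if cert_size:
        if cert_off + cert_size != len(data):
            raise ValueError("certificate table is not at the end of the file; refusing to strip")
        del out[cert_off:]                           # drop the appended WIN_CERTIFICATE table
        struct.pack_into("<II", out, sec_off, 0, 0)  # clear the security directory entry
    # Assumption: the signer recomputes the PE checksum, so zero it on both sides before comparing.
    struct.pack_into("<I", out, checksum_off, 0)
    return bytes(out)

def build_fake_pe(signed: bool) -> bytes:
    """Constructed sample: minimal PE32+ headers, a 16-byte body and, if signed, a dummy signature table."""
    opt_size = 240                                      # PE32+ optional header with all 16 directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew: PE signature lives at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)               # magic: PE32+
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    body = b"code" * 4
    image_len = len(dos) + 4 + len(coff) + opt_size + len(body)  # 344 bytes, already 8-byte aligned
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, image_len, 16)
        struct.pack_into("<I", opt, 64, 0xDEADBEEF)     # pretend the signer recomputed the checksum
    image = dos + b"PE\0\0" + coff + bytes(opt) + body
    if signed:  # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 2 (PKCS#7), dummy blob
        image += struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\x30\x06\x02\x01\x00\0\0\0"
    return image
```

Comparing `hashlib.sha256(strip_authenticode(signed)).hexdigest()` with the same digest of the unsigned build is the check; if the unsigned image is not 8-byte aligned, a signer may pad it before appending the table, so the rebuild should produce an aligned image or the comparison must tolerate that padding.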
