Releases should be signed #1354
Comments
StartSSL HowTo
Piggybacking on this: SpaceDock/SpaceDock-Project#2 will require some sort of verification infrastructure (see SpaceDock/SpaceDock-Project#22 for a discussion of implementation ideas), and we were hoping to jump on the CKAN metadata train, but the spec has no provisions for a
Ok, we can get a signed certificate from Certum for only €14.00, which I'm willing to pay for. I'm not sure if that's an annual fee or a once-off, but I'm ok with it either way. It looks to me like their Open Source Code Signing is what we would need to use. @ayan4m1, do you have any relevant experience in this field?
Bringing this issue back to life may be worthwhile. We should actually move to release signing, or close this issue.
This is a complete refactor and update of the release workflow in preparation for signed commits (#1354).
- Updates all actions versions
- Remove mono containers
- Reduce apt installations to only required
- Use aws credentials actions instead of unmaintained sync action
- Use ghcli for asset uploads instead of unmaintained assets upload action
- Breaks apart steps into discrete jobs
This adds a signing step for our release assets in preparation for #1354. Although the CSR is not ready yet, this will make it easy for us to reference the download url when it is ready.
There has been a bump in the sign release action version, with a breaking change. This passes through the artifact id, which is now a requirement. #1354
The release version is now available for signpath. Though there are still a couple of steps to go through, this will ensure signing is working correctly with the release action. KSP-CKAN#1354
And this long standing annoyance can be called done! Thanks for the suggestion @pjf !
Right now, releases aren't signed, and users get a "yo, this is a file you downloaded from the internet" message on Windows.
Mono comes with the `signcode` utility which can do this, and while we'll need to create (and possibly pay a CA to sign) a certificate, that shouldn't be insurmountable. We'll still want travis to do the signing and release, but luckily we can encrypt things so that only travis can read them.
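As an added example (not code from this issue, CKAN, or Mono), here is the kind of gate a release pipeline could run on a built .exe after the signing step: it reads the PE header directly and reports whether the asset carries an embedded Authenticode certificate table at all. `build_fake_pe` constructs a minimal, non-runnable PE32+ header in memory purely so the check can be exercised offline.

```python
import struct

# Index of the Certificate Table ("security directory") among the PE data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def authenticode_table(pe_bytes: bytes):
    """Return (file_offset, size) of the Authenticode certificate table, or None if absent.

    This only detects an embedded signature blob. It does NOT verify the
    signature, the certificate chain, or the timestamp; use it as a
    "was this asset signed at all?" CI gate, not as trust verification.
    """
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                     # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", pe_bytes, opt_hdr)
    if magic == 0x10B:                              # PE32: data directories at +96
        dirs = opt_hdr + 96
    elif magic == 0x20B:                            # PE32+: data directories at +112
        dirs = opt_hdr + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", pe_bytes, dirs - 4)  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", pe_bytes, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    if off + size > len(pe_bytes):
        raise ValueError("certificate table points past end of file")
    return off, size


def is_signed(pe_bytes: bytes) -> bool:
    return authenticode_table(pe_bytes) is not None


def build_fake_pe(with_signature: bool) -> bytes:
    """Constructed minimal PE32+ header (not a loadable binary) for testing the check."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # AMD64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b"\0" * 8 + b"<constructed fake PKCS#7 blob>"  # WIN_CERTIFICATE header + body
    if with_signature:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    pe = dos + b"PE\0\0" + coff + bytes(opt)
    return pe + cert if with_signature else pe
```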