Migrate Code Signing from DigiCert to Azure Trusted Signer #1763
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Gary Bright <gary@mondoo.com>
…for validation when not publishing Signed-off-by: Gary Bright <gary@mondoo.com>
0b84be7 to
0dda48e
Compare
Signed-off-by: Gary Bright <gary@mondoo.com>
…apshot Signed-off-by: Gary Bright <gary@mondoo.com>
0dda48e to
829420c
Compare
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR updates the Windows file signing process from DigiCert to Azure Trusted Signer.
Key Changes
Removed redundant tasks: Some tasks became unnecessary after switching to Azure and were removed to simplify the workflow.
Azure-specific tasks: Added new tasks to handle authentication required for jsign to work with Azure.
Task conditionals update: During development, some task inputs changed to booleans, breaking existing conditionals. These have been updated accordingly.
Goreleaser upgrade attempt:
Attempted to upgrade goreleaser, which worked for most targets.
However, the resulting RPM signatures were invalid, so we’ve remained pinned to version 2.5.1.
Comments were added in the code to clarify this limitation.
Workflow Improvements
New inputs were added to the workflow_dispatch to aid with troubleshooting:
use-test-cert: Signs the binary using our test certificate (not publicly trusted).
goreleaser-snapshot: Enables snapshot mode in goreleaser, bypassing tag checks so you can build from any commit.
upload-artifacts: Uploads binaries to the workflow run—useful for inspecting outputs when not publishing.