Skip to content

Refactored provider signing to use trusted signing #5837

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 11, 2025
Merged

Refactored provider signing to use trusted signing #5837

merged 1 commit into from
Aug 11, 2025

Conversation

username-is-already-taken2
Copy link
Contributor

@username-is-already-taken2 username-is-already-taken2 commented Aug 11, 2025
edited
Loading

Summary

This PR migrates the windows provider file signing process from DigiCert to Azure Trusted Signer.

Key Changes

  • Removed redundant tasks: Some tasks became unnecessary after switching to Azure and were removed to simplify the workflow.

  • Azure-specific tasks: Added new tasks to handle authentication required for jsign to work with Azure. Authentication to micrsoft is done using OIDC

Note: jsign was upgraded on the runner to version 7.1, which supports trusted signing.

Workflow Improvements

New inputs were added to the workflow_dispatch to aid with troubleshooting:

  • use-test-cert: Signs the binary using our test certificate (not publicly trusted).

@username-is-already-taken2
Refactored signing to use trusted signing action
b15fb8b 
Signed-off-by: Gary Bright <gary@mondoo.com>
@username-is-already-taken2 username-is-already-taken2 changed the title WIP - Refactored provider signing to use trusted signing Refactored provider signing to use trusted signing Aug 11, 2025
@username-is-already-taken2
Copy link
Contributor Author

I ran the workflow and made sure it worked all the way through, when I re-ran it using the other certificate I only validated a few and canceled the workflow, hence why there is a lot of errors.

@username-is-already-taken2 username-is-already-taken2 marked this pull request as ready for review August 11, 2025 14:03
sibuthomasmathew
sibuthomasmathew approved these changes Aug 11, 2025
View reviewed changes
Copy link

@sibuthomasmathew sibuthomasmathew left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm

@username-is-already-taken2 username-is-already-taken2 merged commit 2ef5d5e into main Aug 11, 2025
6 checks passed
@username-is-already-taken2 username-is-already-taken2 deleted the gary/change-provider-signing branch August 11, 2025 14:35
@github-actions github-actions bot locked and limited conversation to collaborators Aug 11, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
1 more reviewer

@sibuthomasmathew sibuthomasmathew sibuthomasmathew approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@username-is-already-taken2 @sibuthomasmathew