Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Windows installer signing #549

Merged
merged 6 commits into from
Apr 3, 2020
Merged

Windows installer signing #549

merged 6 commits into from
Apr 3, 2020

Conversation

mikesbrown
Copy link
Contributor

@mikesbrown mikesbrown commented Apr 3, 2020

Assuming a PFX base64-encoded password-protected certificate secret pair, sign a Windows installer release asset.

Usage is: node scripts/release --win32 [--windowsCertificateFile <file> --windowsCertificatePassword <password>]

The stack for signing is as follows, and you can read more about the stack at the links provided.

The basic electron-winstaller method of signing requires file and password parameters. I've taken care to ensure the password is not printed upon either success or failure.

The release CI will produced a signed executable. Interested parties may view certificate details when examining the signed executable's properties.

image

@mikesbrown mikesbrown requested a review from a team April 3, 2020 19:48
@mikesbrown
Copy link
Contributor Author

@mikesbrown
Copy link
Contributor Author

Open question for @alfred-landrum and @philrz : What do we want README-Windows.md to say? Feel free to push changes to this branch if you want.

@mikesbrown mikesbrown requested a review from philrz April 3, 2020 19:51
Copy link
Contributor

@alfred-landrum alfred-landrum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be a pain, but could we use 'windows' instead of 'win32' as the prefix for the introduced variables & options? I think the original usage here stems from node's process.platform, which reports "win32" for any variant of windows.

@alfred-landrum
Copy link
Contributor

I pulled the Brim-Setup.exe from this temporary release tag:
https://github.com/brimsec/brim/releases/tag/refs%2Fheads%2Fwindows-signing

and ran it on Windows 10. As we now know to expect, it still shows the SmartScreen dialogue* , but clicking on 'More Info' there shows Brim Security, Inc. as the publisher. That's also displayed when you use the 'Add/Remove' panel to remove the application, it shows the same publisher information.

The SmartScreen panel will come up until we've built up enough "reputation" with installs of the application, or usage of our AuthentiCode certificate, or our name in the subject info of the cert, according to what we've read.

@alfred-landrum
Copy link
Contributor

alfred-landrum commented Apr 3, 2020

I got a thumbs up from Phil on the windows readme I just pushed.

README-Windows.md Outdated Show resolved Hide resolved
@mikesbrown mikesbrown merged commit f0780dd into master Apr 3, 2020
@mikesbrown mikesbrown deleted the windows-signing branch April 3, 2020 22:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants