Automate code-signing as part of our release process #1580

phargogh · 2024-05-21T17:09:35Z

In #1523 we were able to set up a yubikey to sign our binaries. The process for signing binaries was pretty manual: download binary, sign binary, upload binary. It would be fantastic to be able to do this in the cloud as a part of our usual build automation.

davemfish · 2025-01-23T19:01:01Z

From @phargogh :

We now have a host machine at a Stanford data center with our YubiKey installed.

Option 1: Install a GHA runner on a VM on this data center machine. This is discouraged by GitHub, due to the potential for running untrusted code on hardware on a trusted network.

Option 2, the preferred option.: Ping a cloud function with list of binaries on GCS that need to be signed, adding them to a queue. The VM would pull from the queue to download, sign, & upload.

RE:natcap#1580

Signature files are now pushed to the bucket alongside the .exe file, and we check whether the file exists before enqueueing the exe. RE:natcap#1580

phargogh added the enhancement New feature or request label May 21, 2024

phargogh added this to the 3.15.0 milestone May 21, 2024

phargogh mentioned this issue May 21, 2024

Code-signing certificate expired #1523

Closed

dcdenu4 assigned phargogh Jan 24, 2025

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Starting a readme for codesigning. RE:natcap#1580

fa56af4

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Starting a readme for the cloud function. RE:natcap#1580

64f9d39

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Adding python code for the cloud function.

a8448c3

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Correcting package name. RE:natcap#1580

50c6612

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Adding codesigning worker config.

d19e906

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Bumping down memory, specifying project.

63c1b18

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Handling the case where there are no items in the queue.

7eeffa4

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Updating bash service script. RE:natcap#1580

c432faf

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Correcting filepaths. RE:natcap#1580

5805b47

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Always reloading service. RE:natcap#1580

2212f79

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Adding json body to request. RE:natcap#1580

595254b

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Restructuring the shell script. RE:natcap#1580

ab1eb56

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Trying a different approach to trimming whitespace. RE:natcap#1580

d9ba157

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Trying another way to trim whitespace. RE:natcap#1580

673e16d

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Reworking codesigning service to be mostly python.

943c507

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Forgot the certificate argument. RE:natcap#1580

5f2f3e5

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Removing unnecessary function parameter. RE:natcap#1580

1c123dc

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Loading access token from a file. RE:natcap#1580

adaf945

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Clarifying path to the token file. RE:natcap#1580

0a62247

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Raising errors when we find them. RE:natcap#1580

bf6e595

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Using POST method always. RE:natcap#1580

e6656f7

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Fixing how I make my request. RE:natcap#1580

f8ebe38

phargogh added a commit to phargogh/invest that referenced this issue Jan 30, 2025

Polling every 60s. RE:natcap#1580

6d680ac

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Correcting a filepath. RE:natcap#1580

0abd959

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

restarting the systemd service. RE:natcap#1580

840dfaa

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Adding a shell script to enqueue the target binary.

af9fc47

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Adding codesigning step to binary actions workflow. RE:natcap#1580

ad9a35c

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Correcting directory name. RE:natcap#1580

3cf4a19

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Correcting order of operations on a missing file.

59ba67a

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Reqorking enqueue script to use requests. RE:natcap#1580

a69804b

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Improving GCP cloud logging in function. RE:natcap#1580

6e948be

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Fixing syntaxerror. RE:natcap#1580

96c3e86

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Queueing binary for codesigning after make deploy.

279bc4f

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Attempting to improve logging for debugging. RE:natcap#1580

dde4a29

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Fixing multi-line issue in make invocation.

7ff3567

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Fleshing out docs and cleaning up. RE:natcap#1580

19c7909

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Adding docstrings. RE:natcap#1580

651e715

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Removing old windows codesigning stuff. RE:natcap#1580

8b5e7f8

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Adding docstrings. RE:natcap#1580

a93d918

phargogh mentioned this issue Jan 31, 2025

Automate Code Signing of Windows Binary #1763

Merged

3 tasks

phargogh added a commit to phargogh/invest that referenced this issue Jan 31, 2025

Noting change in HISTORY. RE:natcap#1580

38cfd23

phargogh added a commit to phargogh/invest that referenced this issue Feb 1, 2025

Updating the cloud function docstring. RE:natcap#1580

0e64389

phargogh added a commit to phargogh/invest that referenced this issue Feb 1, 2025

Always restarting the service. RE:natcap#1580

33a60e5

phargogh added a commit to phargogh/invest that referenced this issue Feb 1, 2025

Improving osslsigncode comments. RE:natcap#1580

dfc275a

phargogh added a commit to phargogh/invest that referenced this issue Feb 3, 2025

Using the signed binary in the github release. RE:natcap#1580

782dbd1

phargogh added a commit to phargogh/invest that referenced this issue Feb 4, 2025

Adding posting to slack to the signing worker. RE:natcap#1580

de9ee0c

phargogh added a commit to phargogh/invest that referenced this issue Feb 4, 2025

Not using the shell script any longer.

4077f02

RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Feb 4, 2025

Writing out the signature information to a separate file. RE:natcap#1580

8464659

phargogh added a commit to phargogh/invest that referenced this issue Feb 4, 2025

Correcting slack markdown link syntax. RE:natcap#1580

1cfc9c2

phargogh added a commit to phargogh/invest that referenced this issue Feb 4, 2025

Refactoring to handle signature files.

8277d5f

Signature files are now pushed to the bucket alongside the .exe file, and we check whether the file exists before enqueueing the exe. RE:natcap#1580

phargogh added a commit to phargogh/invest that referenced this issue Feb 4, 2025

Changing status code to 204 from 400. RE:natcap#1580

334bc1d

phargogh added a commit to phargogh/invest that referenced this issue Feb 4, 2025

Correcting http error code checking. RE:natcap#1580

951f93c

phargogh added a commit to phargogh/invest that referenced this issue Feb 4, 2025

Correcting how we do text searching. RE:natcap#1580

f2eef42

phargogh added a commit to phargogh/invest that referenced this issue Feb 4, 2025

Correcting how we check for signatures. RE:natcap#1580

9784a26

dcdenu4 closed this as completed in #1763 Feb 5, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Automate code-signing as part of our release process #1580

Automate code-signing as part of our release process #1580

phargogh commented May 21, 2024

davemfish commented Jan 23, 2025

Automate code-signing as part of our release process #1580

Automate code-signing as part of our release process #1580

Comments

phargogh commented May 21, 2024

davemfish commented Jan 23, 2025