New signing process for windows builds #641
Labels
Comments
|
Honesly, I'm completely lost here. Can we still use |
Closed
|
Reference for myself: Check what Podman Desktop is doing. Link: https://github.com/containers/podman-desktop/tree/main/.github/workflows. |
|
People from Podman Desktop paid for their own certificates because it was not possible to make use of Fedora/RedHat certificates as there was no infrastructure for that. It also look we are not alone with this problem, see ImageMagick discussion: ImageMagick/ImageMagick#6826 |
|
Why is it we can't use our existing pesign infrastructure for this, just plug in a different set of certificates? EFI and EXE signing is the same process (mechanically). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
thanks to changes in PKI Industry new requirement is to store code signing certs on FIPS compatible devices. This happened just before our certificate expired.
We have a couple of options for how to approach this but, we will need to change the build and sign process for Windows binaries.
1, keep the process more or less the same but some changes to the build scripts will be required to use the pkcs 11 library. I am not sure how to approach this solution my knowledge of compiled languages is limited.
2, move the Windows build and sign process to the AWS Windows instances, this will require some refactoring on the build side and new ansible roles in fedora-infra. I can help here with provisioning the machine and ansible changes. This will use MS sign tool
The text was updated successfully, but these errors were encountered: