ci: Fix code signing on Windows #2346

Merged
merged 3 commits into from
Oct 10, 2024

Conversation

taratatach
Member

Please make sure the following boxes are checked:

  • PR is not too big
  • it improves UX & DX in some way
  • it includes unit tests matching the implementation changes
  • it includes scenarios matching a new behaviour or has been manually tested
  • it includes relevant documentation

  We were using the wrong env variable to get the keypair alias of the
  certificate to use to sign binaries on Windows.

  It's a mystery how we could sign binaries before but since we were
  using the main DigiCert Keylocker account user rather than a dedicated
  service user to fetch the certificates, the process might have been a
  bit different and might not have required a keypair alias at all.

  We'll start signing Windows binaries only when doing a release to save
  on signatures as they are costly.

  To this end, we'll start building when tags are pushed and let
  `electron-builder` automatically create the release and publish
  artifacts during that build as it will simplify the condition that
  will trigger binary signatures (i.e. only on tag builds).

  This enables building on tags on GitHub Actions for macOS and Linux
  (AppVeyor already triggers builds on tags by default).

  Since `electron-builder` already publishes when detecting it's being
  run on a CI server for a tag build, there's nothing else to do.

  Our Windows installer includes a number of other binaries such as DLLs
  that need to be signed as well as our own executable.
  In total, we need to sign 24 files.

  Since our code signing certificate comes with a limited number of
  signatures and additional ones are costly, we'll sign binaries only
  when doing a release, thus when building a tag.
@taratatach self-assigned this Oct 10, 2024
@taratatach merged commit 1958ce0 into master Oct 10, 2024
12 of 16 checks passed
@taratatach deleted the ci/fix-code-signing branch October 10, 2024 21:24
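
The gating described in the commit messages above, as an added example that is not code from this pull request or the project: signing is planned only on tag builds, and a tag build with an empty keypair alias fails instead of publishing unsigned binaries. The variable name `EXAMPLE_KEYPAIR_ALIAS`, the function names and the sample file names are assumptions; `APPVEYOR_REPO_TAG` and `GITHUB_REF_TYPE` are the standard variables those CI services set.

```javascript
// Added example, not the project's code.
const KEYPAIR_ALIAS_VAR = "EXAMPLE_KEYPAIR_ALIAS"; // hypothetical variable name
const EXPECTED_SIGNED_FILES = 24; // count stated in the commit message

// Constructed sample input: placeholder names, not the installer's real files.
const SAMPLE_FILES = Array.from(
  { length: EXPECTED_SIGNED_FILES },
  (_, i) => `constructed-${i + 1}.dll`
);

// True only when the CI build was triggered by a pushed tag.
function isTagBuild(env) {
  // AppVeyor: APPVEYOR_REPO_TAG is "true" for builds started by a tag.
  const appveyorTag =
    String(env.APPVEYOR_REPO_TAG || "").toLowerCase() === "true";
  // GitHub Actions: GITHUB_REF_TYPE is "tag" for tag-triggered workflows.
  const githubTag = env.GITHUB_REF_TYPE === "tag";
  return appveyorTag || githubTag;
}

// Returns the (file, alias) pairs to sign. Outside tag builds the plan is
// empty, so no signature is spent. On a tag build, a missing alias or an
// unexpected file count aborts the release (strict count is an assumption).
function planSigning(env, files) {
  if (!isTagBuild(env)) return [];
  const alias = String(env[KEYPAIR_ALIAS_VAR] || "").trim();
  if (alias === "") {
    throw new Error(`${KEYPAIR_ALIAS_VAR} is empty or unset on a tag build`);
  }
  if (files.length !== EXPECTED_SIGNED_FILES) {
    throw new Error(
      `expected ${EXPECTED_SIGNED_FILES} files to sign, got ${files.length}`
    );
  }
  return files.map((file) => ({ file, alias }));
}

// Branch build: nothing is signed, so no signature is consumed.
console.log(planSigning({ GITHUB_REF_TYPE: "branch" }, SAMPLE_FILES).length);
// Tag build with the alias set: every file is paired with the alias.
console.log(
  planSigning(
    { APPVEYOR_REPO_TAG: "true", [KEYPAIR_ALIAS_VAR]: "constructed-alias" },
    SAMPLE_FILES
  ).length
);
```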