Codesigning for Windows binaries
Ensure creation of signed binaries
Distributing a signed binary (aka codesigning) requires the following things. If all is in place, signed Windows binaries are created with every release. If something is missing, unsigned binaries are created instead.
- A code signing certificate available as GitHub repository action secrets and variables
- The repository flavor set to
Preparing your repository in giantswarm/github
Make sure to set flavour: cli in your repository configuration, like in this example.
Preparing the CLI repository
Open the repository containing your CLI code.
Go to the Settings > Security > Secrets and variables page for this repository.
Check if there are two
If they are missing:
- Open our password manager and find the “code signing” entry.
- Copy the P12 bundle password and create a new repository secret named CODE_SIGNING_CERT_BUNDLE_PASSWORD with the copied password as the value.
- Download the ZIP attachment.
- Unzip the ZIP content, so that you have the P12 file.
- Continue as described below, under “Updating the certificate”, step (4), to create the
Updating the certificate
First, get a replacement certificate from our certificate authority (SSL.com).
Follow the SSL.com documentation
The documentation page Ordering And Retrieving Code Signing and EV Code Signing Certificates details how to obtain a P12 file from SSL.com.
The last time we replaced our cert, we contacted support and could enter the process at step 27.
In the process, you will have to set a password for the P12 bundle. Please generate a secure passphrase using a tool.
Create a new credential in our password manager
Store a ZIP file of the P12 bundle in the password manager, too.
Create a base64 version of the P12 file
On macOS, this is done using cat file.p12 | base64.
Set GitHub repo action secrets
In your CLI’s GitHub repository, go to Settings > Security > Secrets and variables > Actions.
Here, in the Repository secrets section, create two new entries:
CODE_SIGNING_CERT_BUNDLE_BASE64 with the base64 string representing the P12 file.
CODE_SIGNING_CERT_BUNDLE_PASSWORD with the password of the P12 bundle you set before.
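Before pasting the two values into the repository secrets, it helps to confirm that the password really opens the bundle and that the base64 string decodes back to the identical file. The following is an added example, not part of the original procedure; the function names and the P12_PASSWORD environment variable are assumptions, and the demo runs on a constructed stand-in file rather than a real certificate.

```shell
#!/bin/sh
# Added example; function names and the P12_PASSWORD variable are assumptions.

# Succeed only if the P12 bundle opens with the password stored in the
# environment variable P12_PASSWORD. No key material is printed.
# (With OpenSSL 3, bundles using older encryption may also need -legacy.)
check_p12_password() {
    openssl pkcs12 -in "$1" -noout -passin env:P12_PASSWORD 2>/dev/null
}

# Print the file as one base64 line. GNU base64 wraps at 76 columns and
# macOS base64 does not; stripping newlines gives the same value on both.
encode_p12() {
    base64 < "$1" | tr -d '\n'
}

# Succeed only if the string in $2 decodes to exactly the bytes of file $1.
# The decoded bundle stays in the pipe and never touches a temp file.
verify_roundtrip() {
    printf '%s' "$2" | base64 --decode | cmp -s - "$1"
}

# Demo on a constructed stand-in file (not a real P12 bundle).
demo=$(mktemp)
printf 'constructed-stand-in-%0200d' 0 > "$demo"
b64=$(encode_p12 "$demo")
verify_roundtrip "$demo" "$b64" && echo "round trip OK: ${#b64} base64 characters"
rm -f "$demo"
```

With the real bundle, run check_p12_password file.p12 after exporting P12_PASSWORD, then use the output of encode_p12 file.p12 as the value of CODE_SIGNING_CERT_BUNDLE_BASE64.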