Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What's Changing
The changes here along with Actions Secrets I've added for the repo will make it such that our Windows
super.exerelease binaries going forward will be signed.Why
In absence of a proper digital signature, a Windows user running the
super.exebinary may be presented with a Defender pop-up like this one:Details
The effect can be observed by downloading the recent GA release tagged v0.3.0 via a browser, unzipping the artifact in Explorer, and double-clicking the
super.exebinary that's unpacked. While some pure command line usage (e.g.,wgetof the ZIP and unpacking at the shell) may bypass the pop-up, I'm informed that it may still surface in the presence of certain security tools.We went through this in the past with the desktop app. At the time we got a less expensive "OV" Code Signing Certificate, which unfortunately required months of users having to install despite the scary Defender screen in order for the cert to "build reputation" with Microsoft. Eventually the pop-up went away, only for the cycle to repeat when we later renewed the certificate. To avoid this hassle, this time I opted to sign us up for the more costly "EV" (Extended Validation) Code Signing Certificate from SSL.com, and this allows us to avoid the pop-up altogether from day one.
In addition to adding them as Repository Secrets here in the repo, I've also saved the values of the secrets in our AWS Secrets Manager under
super_repo_build_secrets.Testing
I've tested out the signing and notarizing in a personal fork repo and have made scratch release v0.11.0 which, unlike the GA
v0.3.0release linked above, does not trigger the Defender pop-up. The presence of the certificate info is also visible by right-clicking the binary and selecting Properties > Digital Signatures.