ci(app): Azure trusted signing for Windows#18450
Merged
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## edge #18450 +/- ##
==========================================
+ Coverage 25.16% 26.47% +1.31%
==========================================
Files 3254 3254
Lines 277294 277336 +42
Branches 32247 32247
==========================================
+ Hits 69772 73434 +3662
+ Misses 207499 203873 -3626
- Partials 23 29 +6
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
sfoster1
approved these changes
May 29, 2025
Member
sfoster1
left a comment
sfoster1
left a comment
There was a problem hiding this comment.
Looks great if it works! Make a branch that ends with -app-build-both-as-release to build and sign both internal and release variants
ddcc4
pushed a commit
that referenced
this pull request
May 29, 2025
(cherry picked from commit b5cfdf4)
This was referenced Jun 30, 2025
sfoster1
added a commit
that referenced
this pull request
Jul 1, 2025
This reverts #18450 and #18479 to revert to digicert signing for our windows builds. The digicert certificate has the Common Name "Opentrons Labworks Inc." and the ATS cert has the common name "OPENTRONS LABWORKS INC.". These were both determined automatically by the CA from our identity submissions, as is apparently required in the code signing cert baseline requirements. Why are they different? A mystery for the ages. In either case, electron-updater requires that _if_ you specify a `publisherName` in your `app-update.yml` (which we do specifically on windows, since it is generated from our electron-builder config and on windows we set it because nsis packager wants it for doing signing in the first place) _then_ the autoupdate package that will be installed must have a CSC CN exactly matching an entry in `publisherName` or the update will fail. Therefore updates in between <=8.4.1 and >=8.5.0 would fail if we switched to ATS. Instead, we'll switch back to digicert for now; we'll build the new CN into our publisher names; and then whenever we're confident enough people are on >=8.5.0 and therefore have the new publisher names, we'll switch over again (we can't switch immediately because we don't do incremental updates, just full overwrites, so the intermediate update state would go away). This is upsetting. ## Testing - [x] the signing has to work again, which is never guaranteed given the shonky state of dco integration - [x] we should make sure we can update from 8.4.1 to this by making sure the CN of the digital signature on the build from this pr is exactly `Opentrons Labworks Inc.` (and updating to it in the resulting alpha) - [x] we should make sure we can update from this to something signed with the new cert (by mucking around with the latest-alpha or something? or just checking that the app-update.yml in the app's install directory has both names) Supercedes #18785 for build branch name reasons.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Replace DigiCert with Azure Trusted Signing.
Helpful Blog
Helpful GitHub Issue
Electron Builder Docs
Test Plan and Hands on Testing
Review requests
Things all mapped correctly?
Risk assessment