Skip to content

fix(app): revert to digicert signing#18792

Merged
sfoster1 merged 5 commits intochore_release-8.5.0from
rqa-4324-worst-day-of-my-life-app-build-both-as-release
Jul 1, 2025
Merged

fix(app): revert to digicert signing#18792
sfoster1 merged 5 commits intochore_release-8.5.0from
rqa-4324-worst-day-of-my-life-app-build-both-as-release

Conversation

@sfoster1
Copy link
Copy Markdown
Member

@sfoster1 sfoster1 commented Jul 1, 2025

This reverts #18450 and #18479 to revert to digicert signing for our windows builds.

The digicert certificate has the Common Name "Opentrons Labworks Inc." and the ATS cert has the common name "OPENTRONS LABWORKS INC.". These were both determined automatically by the CA from our identity submissions, as is apparently required in the code signing cert baseline requirements. Why are they different? A mystery for the ages.

In either case, electron-updater requires that if you specify a publisherName in your app-update.yml (which we do specifically on windows, since it is generated from our electron-builder config and on windows we set it because nsis packager wants it for doing signing in the first place) then the autoupdate package that will be installed must have a CSC CN exactly matching an entry in publisherName or the update will fail. Therefore updates in between <=8.4.1 and >=8.5.0 would fail if we switched to ATS.

Instead, we'll switch back to digicert for now; we'll build the new CN into our publisher names; and then whenever we're confident enough people are on >=8.5.0 and therefore have the new publisher names, we'll switch over again (we can't switch immediately because we don't do incremental updates, just full overwrites, so the intermediate update state would go away).

This is upsetting.

Testing

  • the signing has to work again, which is never guaranteed given the shonky state of dco integration
  • we should make sure we can update from 8.4.1 to this by making sure the CN of the digital signature on the build from this pr is exactly Opentrons Labworks Inc. (and updating to it in the resulting alpha)
  • we should make sure we can update from this to something signed with the new cert (by mucking around with the latest-alpha or something? or just checking that the app-update.yml in the app's install directory has both names)

Supercedes #18785 for build branch name reasons.

sfoster1 added 3 commits June 30, 2025 17:23
@sfoster1
Revert "ci(app): electron builder Windows signing workaround (#18479)"
604e9c8 
This reverts commit 26c3bf0.
@sfoster1
Revert "ci(app): Azure trusted signing for Windows (#18450)"
bf47c6b 
This reverts commit 6e42e4b.
@sfoster1
fix(app): use new publisher name alongside current
375a9be 
This will allow users to update to the new app whenever we switch to
azure trusted signing.
@sfoster1 sfoster1 requested review from a team as code owners July 1, 2025 15:04
@sfoster1 sfoster1 requested review from ncdiehl11 and removed request for a team July 1, 2025 15:04
@sfoster1 sfoster1 mentioned this pull request Jul 1, 2025
Closed
3 tasks
y3rsh
y3rsh approved these changes Jul 1, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@y3rsh y3rsh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://builds.opentrons.com/app/Opentrons-v8.5.0-alpha.7-win-b58315-rqa-4324-worst-day-of-my-life-app-build-both-as-release.exe

installs and downgrades to 8.4.1 with no issues.
image

@sfoster1 sfoster1 merged commit af9fcde into chore_release-8.5.0 Jul 1, 2025
32 checks passed
@sfoster1 sfoster1 deleted the rqa-4324-worst-day-of-my-life-app-build-both-as-release branch July 1, 2025 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@y3rsh y3rsh y3rsh approved these changes

@ncdiehl11 ncdiehl11 Awaiting requested review from ncdiehl11 ncdiehl11 is a code owner automatically assigned from Opentrons/js

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sfoster1 @y3rsh