Skip to content

remove signtool code path as signing is now done outside of quarto-bld #10811

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 19, 2024
Merged

remove signtool code path as signing is now done outside of quarto-bld #10811

merged 1 commit into from
Sep 19, 2024

Conversation

cderv
Copy link
Collaborator

@cderv cderv commented Sep 16, 2024

Signing using Posit certificate is done in CI directly now.

Previous it was done part of quarto-bld process internally, though it seems better for the long term to do it outside:

  • Process can be done like other project (e.g. positron which also do it on CI) and more closer to what we can find in docs.
  • It makes it easier to update when process change like we encountered. Currenly we add the Deno layer to run signing tools which makes it harder to debug also.

So I have updated our workflow (b354d22) and I am suggesting we clean our code base from this.

@cscheid
Copy link
Collaborator

cscheid commented Sep 16, 2024

This looks good, and I'm ok with merging the PR as is.

As a minor point for future discussion, I realize that we are the ones signing a number of our dependencies: pandoc, esbuild, deno. I'm not sure what the best practices are in this situation. Are there signed binaries available upstream, and if so, should we use those? Cryptographically speaking, that would mean something slightly different (and more likely to be what we mean): it means that we are bundling someone else's binary and that we are trusting their assessment of the integrity of the binary. Right now, our signing implies that we are the ones doing the assessing.

@cderv
Copy link
Collaborator Author

cderv commented Sep 16, 2024

Totally agree with you. I was surprised myself by this.

I did exactly as we were doing for now, but planned to discuss this in meeting. I don't know who to reach out exactly about this. We should discuss this in Team meeting to see next step.

Maybe Charles or JJ would have context on this too if you want to reach out to them. Could be insightful.

Are there signed binaries available upstream ?

I'll check on my windows environment, but as we are able to sign them, I would think they are not signed.

@cderv
Copy link
Collaborator Author

cderv commented Sep 19, 2024

FWIW None are signed.

Pandoc - Not signed

❯ gh release download 3.4 --repo jgm/pandoc --pattern *-windows-x86_64.zip

❯ unzip .\pandoc-3.4-windows-x86_64.zip
Archive:  ./pandoc-3.4-windows-x86_64.zip
   creating: pandoc-3.4/
  inflating: pandoc-3.4/COPYING.rtf
  inflating: pandoc-3.4/COPYRIGHT.txt
  inflating: pandoc-3.4/MANUAL.html
  inflating: pandoc-3.4/pandoc.exeGet-AuthenticodeSignature -FilePath .\pandoc-3.4\pandoc.exe

    Directory: C:\Users\chris\AppData\Local\Temp\quarto\pandoc-3.4

SignerCertificate                         Status                    StatusMessage             Path
-----------------                         ------                    -------------             ----
                                          NotSigned                 The file C:\Users\chris\… pandoc.exe

Deno - No signed

❯ curl -O -L https://github.com/denoland/deno/releases/download/v1.46.3/deno-x86_64-pc-windows-msvc.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 40.1M  100 40.1M    0     0  13.3M      0  0:00:02  0:00:02 --:--:-- 22.0M

❯ unzip .\deno-x86_64-pc-windows-msvc.zip
Archive:  ./deno-x86_64-pc-windows-msvc.zip
  inflating: deno.exeGet-AuthenticodeSignature -FilePath .\deno.exe

    Directory: C:\Users\chris\AppData\Local\Temp\quarto

SignerCertificate                         Status                    StatusMessage             Path
-----------------                         ------                    -------------             ----
                                          NotSigned                 The file C:\Users\chris\… deno.exe

Dart - Not signed

❯ curl -O -L https://github.com/sass/dart-sass/releases/download/1.79.1/dart-sass-1.79.1-windows-x64.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 3979k  100 3979k    0     0  2655k      0  0:00:01  0:00:01 --:--:-- 8259k

❯ unzip .\dart-sass-1.79.1-windows-x64.zip
Archive:  ./dart-sass-1.79.1-windows-x64.zip
  inflating: dart-sass/src/LICENSE
  inflating: dart-sass/src/dart.exe
  inflating: dart-sass/src/sass.snapshot
  inflating: dart-sass/sass.batGet-AuthenticodeSignature -FilePath .\dart-sass\src\dart.exe

    Directory: C:\Users\chris\AppData\Local\Temp\quarto\dart-sass\src

SignerCertificate                         Status                    StatusMessage             Path
-----------------                         ------                    -------------             ----
                                          NotSigned                 The file C:\Users\chris\… dart.exe

I'll merge this PR, but we'll remember the discussion for the future

@cderv cderv merged commit c96fd24 into main Sep 19, 2024
47 checks passed
@cderv cderv deleted the quart-bld/remove-signing branch September 19, 2024 08:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cderv @cscheid