FedoraQt / MediaWriter

Fedora Media Writer - Write Fedora Images to Portable Media
GNU General Public License v2.0

New signing process for windows builds #641

Open humaton opened 11 months ago

humaton commented 11 months ago

Hi,

Thanks to changes in the PKI industry, the new requirement is to store code signing certs on FIPS-compatible devices. This happened just before our certificate expired.

We have a couple of options for how to approach this, but we will need to change the build and sign process for Windows binaries.

1. Keep the process more or less the same, but some changes to the build scripts will be required to use the PKCS #11 library. I am not sure how to approach this solution; my knowledge of compiled languages is limited.

2. Move the Windows build and sign process to the AWS Windows instances. This will require some refactoring on the build side and new ansible roles in fedora-infra. I can help here with provisioning the machine and the ansible changes. This will use MS signtool.
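Option 1 in concrete form, as an added example that is not part of this issue or of the MediaWriter build scripts: a POSIX shell wrapper around `osslsigncode` that signs a PE binary with a key held on a PKCS#11 token and then verifies the result. The engine and module paths, the token and object labels in the PKCS#11 URI, the PIN file, the timestamp server and the CA bundle are all assumptions for illustration and must be replaced with the values for the actual token and CA.

```shell
#!/bin/sh
# Added example (not code from the MediaWriter repository): sign a Windows PE
# binary with osslsigncode while the private key stays on a PKCS#11 hardware
# token, then verify the result. All paths, labels and URLs below are
# assumptions for illustration; replace them with the values for your token.
set -eu

# OpenSSL pkcs11 engine (libp11) and the token vendor's PKCS#11 module.
# Assumed locations: on Fedora the engine comes from the openssl-pkcs11 package.
PKCS11_ENGINE="${PKCS11_ENGINE:-/usr/lib64/engines-3/pkcs11.so}"
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib64/libeToken.so}"

# RFC 7512 PKCS#11 URI selecting the private key object (hypothetical labels).
KEY_URI="${KEY_URI:-pkcs11:token=FedoraCodeSign;object=codesign-key;type=private}"
# The certificate (plus intermediates) is public, so it is kept as a PEM file
# next to the build; only the private-key operation happens on the token.
CERT_PEM="${CERT_PEM:-codesign-chain.pem}"
# The token PIN is read from a file (e.g. a CI secret mount), never passed as
# an argument, so it does not show up in `ps` or in the build log.
PIN_FILE="${PIN_FILE:-/run/secrets/codesign-pin}"
# RFC 3161 timestamp authority (assumed URL); timestamping keeps the signature
# valid after the certificate expires.
TS_URL="${TS_URL:-http://timestamp.digicert.com}"
# CA bundle used to verify the chain of the finished signature (assumed path).
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Run "<command...> sign <osslsigncode args>" for the given input/output files.
# Building the argument list in one place means the real signing call and the
# dry run below cannot drift apart.
with_sign_args() {
    in_file=$1; out_file=$2; shift 2
    "$@" sign \
        -pkcs11engine "$PKCS11_ENGINE" \
        -pkcs11module "$PKCS11_MODULE" \
        -key "$KEY_URI" \
        -certs "$CERT_PEM" \
        -readpass "$PIN_FILE" \
        -h sha256 \
        -ts "$TS_URL" \
        -n "Fedora Media Writer" \
        -i "https://getfedora.org/" \
        -in "$in_file" \
        -out "$out_file"
}

# Print the exact command line, one argument per line, without touching the token.
show_sign_cmd() { with_sign_args "$1" "$2" printf '%s\n' osslsigncode; }

# Sign for real (needs the token plugged in and the PIN file readable).
sign_with_token() { with_sign_args "$1" "$2" osslsigncode; }

# osslsigncode exits non-zero if the signature, the chain or the timestamp
# does not verify, so this doubles as the post-signing gate in the build.
verify_signature() { osslsigncode verify -in "$1" -CAfile "$CA_BUNDLE"; }

case "${1:-}" in
    "")      ;;                               # sourced: only define functions
    --show)  show_sign_cmd "$2" "$3" ;;       # dry run, prints the argument list
    *)       sign_with_token "$1" "$2" && verify_signature "$2" ;;
esac
```

Usage: `./sign-win.sh --show build/FedoraMediaWriter.exe FedoraMediaWriter-signed.exe` prints the argument list for review; dropping `--show` performs the signing and the verification. The split between `-key` (a PKCS#11 URI) and `-certs` (a PEM file) is the point of the exercise: the build machine only ever holds the public certificate chain, and the signature is produced inside the token, which is what the FIPS-device requirement is asking for.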

grulja commented 11 months ago

Honestly, I'm completely lost here.

Can we still use `osslsigncode sign`, but just using PKCS#11 instead?

grulja commented 11 months ago

Reference for myself: Check what Podman Desktop is doing.

Link: https://github.com/containers/podman-desktop/tree/main/.github/workflows.

grulja commented 10 months ago

People from Podman Desktop paid for their own certificates because it was not possible to make use of Fedora/RedHat certificates as there was no infrastructure for that.

It also looks like we are not alone with this problem; see the ImageMagick discussion: https://github.com/ImageMagick/ImageMagick/discussions/6826