Closed miurahr closed 11 months ago
Debian Bookworm appears to be the first distro with osslsigncode 2.5: https://packages.debian.org/bookworm/osslsigncode
I've updated amake/innosetup (tags latest, innosetup6, 64bit) to Debian Bookworm with osslsigncode 2.5.
It is also necessary to access a hardware security module on the host from the container.
This I'm not sure what to do about.
Note that I consider the inclusion of osslsigncode in this image to be a convenience; the focus is not on osslsigncode but rather on Inno Setup, so I'm not planning on doing any specific work on this.
The new images are much larger than before, and seem to be causing problems (#14).
Unless someone can offer a quick fix, I'm leaning toward reverting the changes. In that case I would reject this ticket and say that osslsigncode is provided merely as a convenience; if you need a particular version then you should supply it yourself.
Thank you for the investigation and trials. It is OK to reject here because I can supply it with a simple Debian Bookworm container.
I've made the following changes:
amake/innosetup:latest is Debian Buster, InnoSetup 6, 32bit
amake/innosetup:innosetup6 is Debian Buster, InnoSetup 6, 32bit
amake/innosetup:innosetup6-buster is Debian Buster, InnoSetup 6, 32bit
amake/innosetup:innosetup6-bookworm is Debian Bookworm, InnoSetup 6, 32bit
amake/innosetup:64bit is Debian Buster, InnoSetup 6, 64bit
amake/innosetup:64bit-buster is Debian Buster, InnoSetup 6, 64bit
amake/innosetup:64bit-bookworm is Debian Bookworm, InnoSetup 6, 64bit
If you would like to use the newer osslsigncode, then please use amake/innosetup:*-bookworm. Note that the Bookworm images are much larger (1.44 GB vs 491 MB for 32bit, 2.93 GB vs 769 MB for 64bit).
Current version of osslsigncode is 1.7.1.
As you know, the CA/Browser Forum, an industry standards body, recently changed its policy for code signing certificates. Starting June 1, 2023, it is mandatory for private keys associated with code signing certificates to be protected using a Hardware Crypto Module that complies with either FIPS 140-2 Level 2 or Common Criteria EAL 4+ requirements.
osslsigncode 2.5 and later can support a new case in which the HSM has both the private key and certification files.
We need to build the binary and install it in the container. See https://github.com/mtrojnar/osslsigncode
It is also necessary to access a hardware security module on the host from the container.