amake / innosetup-docker

Docker image to create Windows installer executables with Inno Setup
https://hub.docker.com/r/amake/innosetup
Creative Commons Zero v1.0 Universal

request for update version of osslsigncode #13

Closed miurahr closed 11 months ago

miurahr commented 12 months ago

The current version of osslsigncode is 1.7.1.

As you know, the CA/Browser Forum, an industry standards body, recently changed its policy for code signing certificates. Starting June 1, 2023, it is mandatory for private keys associated with code signing certificates to be protected using a Hardware Crypto Module that complies with either FIPS 140-2 Level 2 or Common Criteria EAL 4+ requirements.

osslsigncode 2.5 and later supports a new case in which the HSM holds both the private key and the certificate files.

We need to build the binary and install it into the container. See https://github.com/mtrojnar/osslsigncode

It is also necessary to access a hardware security module on the host from the container.

amake commented 11 months ago

Debian Bookworm appears to be the first distro with osslsigncode 2.5: https://packages.debian.org/bookworm/osslsigncode

I've updated amake/innosetup (tags latest, innosetup6, 64bit) to Debian Bookworm with osslsigncode 2.5.

It is also necessary to access a hardware security module on the host from the container.

This I'm not sure what to do about.

Note that I consider the inclusion of osslsigncode in this image to be a convenience; the focus is not on osslsigncode but rather on Inno Setup, so I'm not planning on doing any specific work on this.

amake commented 11 months ago

The new images are much larger than before, and seem to be causing problems (#14).

Unless someone can offer a quick fix, I'm leaning toward reverting the changes. In that case I would reject this ticket and say that osslsigncode is provided merely as a convenience; if you need a particular version then you should supply it yourself.

miurahr commented 11 months ago

Thank you for the investigation and trials. It is OK to reject this here because I can supply it with a simple Debian Bookworm container.

amake commented 11 months ago

I've made the following changes:

If you would like to use the newer osslsigncode, then please use amake/innosetup:*-bookworm. Note that the Bookworm images are much larger (1.44 GB vs 491 MB for 32bit, 2.93 GB vs 769 MB for 64bit).
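The HSM-access question raised in the thread and the *-bookworm tag recommended in the last comment, as an added example that is not code from this thread or from the amake/innosetup project: it checks that the container ships osslsigncode 2.5 or newer and prints the docker invocation that signs an installer with a PKCS#11 token on the host. The innosetup6-bookworm tag, the OpenSC module path, the PKCS#11 URIs, the PIN file and the timestamp URL are assumptions; the osslsigncode options used are those of its 2.5+ command line.

```shell
#!/bin/sh
# Added example; not code from this thread or from the amake/innosetup project.
# 1) parse and check the osslsigncode version found in the container,
# 2) print the docker invocation that signs an installer with a PKCS#11 token
#    on the host. Image tag, module path, PKCS#11 URIs and TSA URL are assumed.

IMAGE="${IMAGE:-amake/innosetup:innosetup6-bookworm}"           # assumed tag
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so}"
KEY_URI="${KEY_URI:-pkcs11:token=CodeSign;object=signkey;type=private}"
CERT_URI="${CERT_URI:-pkcs11:token=CodeSign;object=signcert;type=cert}"
TSA_URL="${TSA_URL:-http://timestamp.example.invalid}"

# Constructed stand-in for the first line of `osslsigncode --version` output.
SAMPLE_VERSION_OUTPUT="osslsigncode 2.5, using:"

# Extract "2.5" from the first line of --version output.
parse_version() {
    printf '%s\n' "$1" | sed -n '1s/^osslsigncode \([0-9.]*\).*/\1/p'
}

# Succeeds when "$1" (e.g. 2.5, 2.7.1) is >= 2.5, the first release that can
# take the signing certificate from the HSM as well as the private key.
version_ge_2_5() {
    case "$1" in *.*) v="$1" ;; *) v="$1.0" ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 5 ]; }
}

# Print (not run) the signing command. On Linux a USB token is reached with
# --device; Docker Desktop on macOS/Windows cannot pass USB through, and a
# pcscd-backed token would need its socket mounted instead. The PIN is read
# from a file mounted read-only (-readpass), so it stays out of shell history
# and `ps` output. $1 = installer in $PWD, $2 = PIN file on the host.
sign_cmd() {
    printf '%s ' docker run --rm --device /dev/bus/usb \
        -v "$PWD:/work" -w /work -v "$2:/run/pin:ro" "$IMAGE" \
        osslsigncode sign -pkcs11module "$PKCS11_MODULE" \
        -pkcs11cert "$CERT_URI" -key "$KEY_URI" -readpass /run/pin \
        -h sha256 -t "$TSA_URL" -in "$1" -out "${1%.exe}-signed.exe"
    echo
}

# Print the command that checks the signature once the signed file is on disk.
verify_cmd() {
    printf 'docker run --rm -v "%s:/work" -w /work %s osslsigncode verify -in %s\n' \
        "$PWD" "$IMAGE" "$1"
}
```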