chore!: replace upcoming expiring windows codesigning certificate

[hiento09]

Issue: Expiring Windows Code Signing Certificate

Given that our Windows code signing certificate will expire on November 23rd, we need to address this by replacing the current certificate with the new Windows code signing certificate we purchased in June this year.

Potential Impact:

The Windows auto-updater may crash due to the certificate change. However, we already have a pop-up notification in place instructing users to download manually if the updater crashes.

Discussion Points:

• The certificate will expire on November 23rd. I propose that we replace it now, ensuring that we have at least 2 to 3 versions using the new certificate. If we wait until the expiration date, users downloading and installing the latest versions might encounter a warning about the expired certificate.

• macOS is currently using a certificate under Jan's name. Should we consider switching the macOS certificate to one under Homebrew’s name as well?

How do you all think about this? @dan-homebrew @0xSage @louis-jan @imtuyethan @urmauur @gabrielle-ong

[0xSage]

The Windows auto-updater may crash due to the certificate change. However, we already have a pop-up notification in place instructing users to download manually if the updater crashes.

This is what's scary.

1. How many users do we anticipate will need to manually download? Big difference btw 10% vs 80%
2. Can I see the popup design?
3. @imtuyethan have we QA'ed whether the manual installation flow works (for 3 OSes)?

[hiento09]

@0xSage I attached old ticket and PR here https://github.com/janhq/jan/issues/2241 https://github.com/janhq/jan/pull/2261

[dan-homebrew]

@hiento09 Let's go ahead with this

[dan-homebrew]

@hiento09 Can I check on 3 things:

• Is it possible to renew the current Windows codesign certificate? (i.e. do we need to go through this exercise every year?)
• Jan AI Pte Ltd and Homebrew Computer Company Pte Ltd are the same company, and both names are valid.
• If there is no need to change the certificate, I would prefer to renew under Jan AI Pte Ltd

[hiento09]

@hiento09 Can I check on 3 things:

• Is it possible to renew the current Windows codesign certificate? (i.e. do we need to go through this exercise every year?)

• Jan AI Pte Ltd and Homebrew Computer Company Pte Ltd are the same company, and both names are valid.

• If there is no need to change the certificate, I would prefer to renew under Jan AI Pte Ltd

@dan-homebrew I will try to request a certificate renewal on GlobalSign; however, since we have renamed the profile from ‘jan’ to ‘homebrew’ on GlobalSign, I am not 100% sure it will succeed. I will update you after attempting the renewal request.

[hiento09]

There are three potential approaches to resolve the issue:

Approach 1: Customize the electron-builder updater

• Test the electron builder option: "verifyUpdateCodeSignature": false to see if it resolves the issue.
• Alternatively, explore custom updater options to handle this problem.

Approach 2: Follow Option B as guided here: https://github.com/electron-userland/electron-builder/issues/6499

This requires testing in a new environment. I will use the beta channel to test if this solution works.

• Mint a new release using the old certificate but update the config to include the new publisher name:

  win: {
  icon: 'build/win/icon.ico',
  publisherName: [
    'Homebrew',  // new name
    'Jan'        // old name
  ]
  }
  

• Wait a month for all users to upgrade?

• After that, mint a new version, swapping the signing certificates.

Approach 3: Rip it out!

• Simply change the certificate and publisher name.
• This approach will cause the auto-updater to fail for existing users (who will need to update manually), but new users will not be affected.