Help Wanted: Document how to codesign a build with you own certificates

[matterdoc]

Context

The Mattermost Product Documentation doesn't currently include details on how to code sign a build with a user's own certificates.

Code signing is the process of digitally signing software to verify the author's identity and ensure the code hasn't been altered since it was signed. It involves creating a digital signature using a private key and a hash of the code, then attaching this signature and a digital certificate to the software.

Benefits

• Reduces security warnings from operating systems.
• Ensures smoother and more trustworthy installations.

Process Outline

1. Generate a hash of the code.
2. Sign the hash with a private key, creating a digital signature.
3. Attach the signature and digital certificate to the software.
4. Verification: When run, the software's signature is checked using a public key to confirm authenticity and integrity

Documentation Request

Document how to code sign a build with you own certificates for a custom Mattermost build. Include process steps for all supported platforms, including: Windows, Mac, and Linux.

Here's a step-by-step guide on how to code sign a custom Mattermost build with your own certificates for Windows, Mac, and Linux as noted below.

General note for all platforms:

Ensure you follow each operating system's guidelines and best practices for signing applications to maintain security and trustworthiness for your custom Mattermost build.

Windows

Prerequisites:

1. Code Signing Certificate: Either purchase one from a Certificate Authority (CA) or use a self-signed certificate if appropriate.
2. SignTool: This is part of the Windows SDK.

Steps:

1. Install SignTool: Install the Windows SDK to get the SignTool utility.
2. Obtain a Code Signing Certificate:
   • Purchase or create a certificate (.pfx file) via a CA.
3. Import the Certificate:
   • Open the .pfx file and follow the steps to import it into the Windows Certificate Store.
4. Sign the Executable:
   • Open the command prompt as Administrator.
   • Use the SignTool to sign your executable:

     signtool sign /v /s "My" /sha1 <cert hash> /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 <path-to-your-executable>

Mac

Prerequisites:

1. Developer ID Application Certificate: Purchase one from Apple (requires an Apple Developer account).
2. Xcode: Make sure you have Xcode installed.

Steps:

1. Obtain a Code Signing Certificate:

   • Go to Apple Developer account, create a Developer ID Application certificate, and download it.

2. Import the Certificate:

   • Double-click the certificate to import it into the Keychain.

3. Sign the Application:

   • Use the codesign tool, which comes with Xcode, to sign your application:

     codesign --deep --force --verify --verbose --sign "Developer ID Application: Your Name (TeamID)" /path/to/your.app

4. [Optional] Verify the Signature:

   • Verify the signature to ensure everything is correctly signed:

     spctl --assess --verbose=4 /path/to/your.app
     codesign -dv --verbose=4 /path/to/your.app

Linux

Prerequisites:

1. GPG Key: Create a GPG key if you don't have one.
2. GnuPG: Install GnuPG if not already installed.

Steps:

1. Create or Import Your GPG Key:

   • If you don't already have a GPG key, create one:

     gpg --full-generate-key

   • Import an existing GPG key, if you have one:

     gpg --import /path/to/your-key.asc

2. Sign the Package:

   • Use dpkg-sig to sign a Debian package:

     dpkg-sig --sign builder your-package.deb

   • Use rpmsign to sign an RPM package:

     rpmsign --addsign your-package.rpm

3. Verify the Signature:

   • Verify the signature of a .deb package:

     dpkg-sig --verify your-package.deb

   • Verify the signature of an .rpm package:

     rpm --checksig your-package.rpm

Summary:

• Windows: Use SignTool from the Windows SDK with your imported code signing certificate.
• Mac: Use codesign and spctl tools from Xcode with your Apple Developer ID certificate.
• Linux: Use GnuPG to create/sign with your GPG key, dpkg-sig for .deb packages, and rpmsign for .rpm packages.

[Lorem703]

I am a beginner in open source and would like to contribute to this issue. Pl assign this issue

[justinegeffen]

Hi @Lorem703! Thank you for your interest in this issue. I have assigned it to you as requested. :) Please let me know if you have any questions.

[yash2189]

Hello is this issue still available to work on ? As I am new to opensource and I would like to contribute to the documentation part of mattermost/docs. Thanks

[justinegeffen]

Hi @yash2189. Thanks for your offer! @Lorem703, are you currently working on this? :)

[yash2189]

@justinegeffen Is this issue resolved or can it be taken?

[justinegeffen]

Hi @yash2189. It has not yet been resolved so I am happy to reassign it to you and take it off @Lorem703's plate. @Lorem703, thank you for your offer to take this on. Looking forward to working with you in the future! :)

[yash2189]

@justinegeffen I wish to contribute to this issue post the Hacktoberfest if that is fine?

[cwarnermm]

@Willyfrog - I'm unable to access the original Mattermost thread and context behind this docs request. Can you summarize the request here, please?

[Willyfrog]

I'm unable to access the original Mattermost thread and context

That's weird as that thread is in a public channel.

What needs to be documented is the process to codesign a build with you own certificates in case someone wants to do a custom build.

[yesbhautik]

@cwarnermm Assign me, let's do it!