servo / taskcluster-config

Taskcluster configuration for Servo

Windows AMI: install the root certificate used for signing UWP builds #21

Closed SimonSapin closed 4 years ago

SimonSapin commented 4 years ago

r? @paulrouget

I’ve tried running windows_uwp_x64 from https://github.com/servo/servo/pull/25745 with this image but it failed with error 0x800B0100: The app bundle must be digitally signed for signature validation. Maybe https://github.com/servo/servo/pull/25661 is also needed?

I’ve deployed the image anyway (since other than signing it seems good), so you should be able to do the usual @bors-servo try=windows in PRs and hopefully have the cert installed globally.

SimonSapin commented 4 years ago

I’ve reverted the deployment to the previous AMI because the public .pfx file also contains a private key, so this particular certificate is compromised. Let’s discuss a way forward in https://github.com/servo/servo/pull/25661.

SimonSapin commented 4 years ago

Alright, this PR now contains a script that generates a new certificate with the openssl command-line and keeps it in Taskcluster’s Secrets service. I’ve deployed a new Windows image with that certificate installed system-wide. We’ll likely need some additional changes in servo/servo to use that cert.
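The thread turns on a published .pfx that carried a private key along with the certificate. The following is an added example, not the script from this PR or any Servo code: it builds a throwaway self-signed certificate with the openssl command line, packages it with and without the key, and gates publication on the difference. File names, the subject and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example; paths, subject and password are constructed placeholders.

# Exit 0: the PKCS#12 file holds a private key.
# Exit 1: it parses and holds certificates only.
# Exit 2: it could not be read (wrong password or not PKCS#12).
pfx_has_private_key() {   # $1 = .pfx path, $2 = password
    # Validate first so an unreadable file is never mistaken for "no key".
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null || return 2
    # -nocerts prints key bags only; -nodes leaves them unencrypted so the
    # PEM header is visible to grep. Nothing is written to disk.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Create a throwaway self-signed certificate in directory $1 and package it
# two ways: with the key (secret) and without it (publishable).
make_demo_certs() {       # $1 = output dir, $2 = password
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed signing test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    # Signing bundle: certificate plus private key. Belongs in a secrets store.
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout "pass:$2" -out "$1/signing.pfx" || return 1
    # Trust-store bundle: certificate only. This is the one to install
    # system-wide or commit to a public repository.
    openssl pkcs12 -export -nokeys -in "$1/cert.pem" \
        -passout "pass:$2" -out "$1/public.pfx" || return 1
}

# Gate to run before a certificate file is published. Fails closed: a file
# that cannot be inspected is refused just like one that contains a key.
check_publishable() {     # $1 = .pfx path, $2 = password
    rc=0
    pfx_has_private_key "$1" "$2" || rc=$?
    case "$rc" in
        1) echo "OK: $1 holds certificates only" ;;
        0) echo "REFUSE: $1 contains a private key" >&2; return 1 ;;
        *) echo "REFUSE: $1 could not be inspected" >&2; return 1 ;;
    esac
}
```

Run `make_demo_certs` against a scratch directory, then `check_publishable` on each resulting .pfx; only `public.pfx` passes.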