Migrate Code Signing from DigiCert to Azure Trusted Signer#5809
Merged
username-is-already-taken2 merged 20 commits intomainfrom Aug 6, 2025
Merged
Migrate Code Signing from DigiCert to Azure Trusted Signer#5809username-is-already-taken2 merged 20 commits intomainfrom
username-is-already-taken2 merged 20 commits intomainfrom
Conversation
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
…alled Signed-off-by: Gary Bright <gary@mondoo.com>
…en done using ansible Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
…shing them Signed-off-by: Gary Bright <gary@mondoo.com>
username-is-already-taken2
force-pushed
the
gary/change-windows-signing
branch
from
b9128e7 to
fa397fc
Compare
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
Signed-off-by: Gary Bright <gary@mondoo.com>
username-is-already-taken2
changed the title
Signed-off-by: Gary Bright <gary@mondoo.com>
username-is-already-taken2
force-pushed
the
gary/change-windows-signing
branch
from
2d03d35 to
907948d
Compare
username-is-already-taken2
temporarily deployed
to
prod
GitHub Actions
Inactive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR updates the Windows file signing process from DigiCert to Azure Trusted Signer.
Key Changes
Removed redundant tasks: Some tasks became unnecessary after switching to Azure and were removed to simplify the workflow.
Azure-specific tasks: Added new tasks to handle authentication required for jsign to work with Azure.
Task conditionals update: During development, some task inputs changed to booleans, breaking existing conditionals. These have been updated accordingly.
Goreleaser upgrade attempt:
Attempted to upgrade goreleaser, which worked for most targets.
However, the resulting RPM signatures were invalid, so we’ve remained pinned to version 2.5.1.
Comments were added in the code to clarify this limitation.
Workflow Improvements
New inputs were added to the workflow_dispatch to aid with troubleshooting:
use-test-cert: Signs the binary using our test certificate (not publicly trusted).
goreleaser-snapshot: Enables snapshot mode in goreleaser, bypassing tag checks so you can build from any commit.
upload-artifacts: Uploads binaries to the workflow run—useful for inspecting outputs when not publishing.