Skip to content

Commit

Permalink
Add signing instructions and icon
Browse files Browse the repository at this point in the history
  • Loading branch information
@vsalvino
vsalvino committed Oct 13, 2022
1 parent 8fd68a2 commit c9fcef6
Show file tree
Hide file tree
Showing 4 changed files with 30 additions and 1 deletion.
30 changes: 29 additions & 1 deletion CONTRIBUTING.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ Publishing

The Azure Pipeline will generate python packages (source dist, wheel) and binaries for Windows, macOS, and Linux.

Download the dist artifact from the tagged release run of [the pipeline](https://dev.azure.com/coderedcorp/cr-github/_build?definitionId=17), and upload the files to GitHub when publishing a release.
Download the dist artifact from the tagged release run of [the pipeline](https://dev.azure.com/coderedcorp/cr-github/_build?definitionId=17), sign them with our certificate (if applicable), and upload the files to GitHub when publishing a release.

### On PyPI

Expand All @@ -91,3 +91,31 @@ $ pyinstaller --clean --dist ./dist/bin/ ./cr.spec
```

NOTE: macOS binaries will require special security permissions to run since we currently do not have code signing in place.


Code Signing Certificate
------------------------

Certificate was purchased from: https://SignMyCode.com. Go here to renew, reissue, or revoke it.

### Windows

To sign the PyInstaller binaries on Windows, make sure the Windows SDK is installed (i.e. install [Visual Studio Build Tools](https://visualstudio.microsoft.com/downloads/#build-tools-for-visual-studio-2022) then select "Desktop Development with C++"). This is required to get [signtool](https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe)

First, convert the certificate + private key into a PFX file:

```
openssl pkcs12 -export -in .\CERTIFICATE.crt -inkey .\PRIVATE_KEY.pem -out codered.pfx
```

Next, open the "Developer PowerShell" or "Developer Command Prompt" and sign the binary using the PFX file and its password. When signing, also timestamp it using Sectigo's server.

```
signtool sign /f .\codered.pfx /p "password" /fd certHash /td certHash /tr "http://timestamp.sectigo.com" .\cr.exe
```

The `cr.exe` binary is now signed.

### macOS

Currently in the process of being verified by Apple.
1 change: 1 addition & 0 deletions cr.spec
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ exe = EXE(
a.datas,
[],
name="cr",
icon="icon/cr.ico",
debug=False,
bootloader_ignore_signals=False,
strip=False,
Expand Down
Binary file added icon/cr.ico
View file
Binary file not shown.
Binary file added icon/cr.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit c9fcef6

Please sign in to comment.