Draft
Conversation
Add signing workflow for Windows, macOS, and Linux binaries to address antivirus false positives (Norton quarantining Publisher). Signing approach: - Windows: Authenticode via osslsigncode with timestamping - macOS: codesign with Developer ID and hardened runtime - Linux: GPG detached signatures (.sig files) Updated workflows to include signing step: - main.yaml - nightly.yaml - publish.yaml - pull-request.yaml - release.yaml Required secrets: - WINDOWS_SIGNING_CERT / WINDOWS_SIGNING_CERT_PASSWORD - MACOS_SIGNING_CERT / MACOS_SIGNING_CERT_PASSWORD - LINUX_SIGNING_KEY / LINUX_SIGNING_KEY_PASSPHRASE Fixes #3484 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds a verify-org-membership job that checks the triggering user is a member of the posit-dev organization before allowing code signing to proceed. All signing jobs now depend on this verification. Requires a new ORG_READ_TOKEN secret with read:org scope. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add `set +x` to all steps handling secrets to prevent debug output - Use `::add-mask::` for dynamically generated keychain password - Use file-based password passing instead of command-line args: - osslsigncode: -readpass instead of -pass - gpg: --passphrase-file instead of --passphrase-fd 0 - Redirect stderr to /dev/null for commands that might leak sensitive info - Filter osslsigncode output to exclude password-related strings - Clean up sensitive temp files after use Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signing should only occur on main branch builds (tagged releases and nightly prereleases), not on pull requests. This prevents secrets from being exposed to fork PRs and ensures signing is reserved for trusted builds. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add signing workflow for Windows, macOS, and Linux binaries to address antivirus false positives (Norton quarantining Publisher).
Signing approach:
Updated workflows to include signing step:
Required secrets:
Fixes #3484
Intent
Type of Change
Approach
User Impact
Automated Tests
Directions for Reviewers
Checklist