Release OpenScreen 1.4.1
This commit is contained in:
huanld
@@ -0,0 +1,84 @@
|
||||
# Windows Private Trust Signing
|
||||
|
||||
OpenScreen supports Microsoft Trusted Signing private trust profiles for Windows
|
||||
builds. Secrets and signing resource names are read from environment variables;
|
||||
no certificate, client secret, or API key should be committed.
|
||||
|
||||
For a local signing machine, copy `.env.signing.example` to
|
||||
`.env.signing.local` and fill in values there. `.env.signing.local` is ignored
|
||||
by Git. Explicit shell environment variables override values in that local file.
|
||||
|
||||
## Required Azure Resource Variables
|
||||
|
||||
Set these values for the Trusted Signing account and certificate profile:
|
||||
|
||||
```powershell
|
||||
$env:AZURE_TRUSTED_SIGNING_ENDPOINT = "https://<region>.codesigning.azure.net/"
|
||||
$env:AZURE_TRUSTED_SIGNING_ACCOUNT_NAME = "<trusted-signing-account-name>"
|
||||
$env:AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME = "<private-trust-profile-name>"
|
||||
$env:AZURE_TRUSTED_SIGNING_PUBLISHER_NAME = "<certificate-common-name>"
|
||||
```
|
||||
|
||||
`AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME` must point to a certificate
|
||||
profile created with the `PrivateTrust` profile type.
|
||||
|
||||
## Required Azure Auth Variables
|
||||
|
||||
Electron Builder uses Azure environment credentials. Set the tenant and client:
|
||||
|
||||
```powershell
|
||||
$env:AZURE_TENANT_ID = "<tenant-id>"
|
||||
$env:AZURE_CLIENT_ID = "<app-registration-client-id>"
|
||||
```
|
||||
|
||||
Then set one authentication mode. Service principal secret is the simplest for
|
||||
local signing:
|
||||
|
||||
```powershell
|
||||
$env:AZURE_CLIENT_SECRET = "<client-secret>"
|
||||
```
|
||||
|
||||
Certificate auth is also supported:
|
||||
|
||||
```powershell
|
||||
$env:AZURE_CLIENT_CERTIFICATE_PATH = "C:\secure\signing-auth.pfx"
|
||||
$env:AZURE_CLIENT_CERTIFICATE_PASSWORD = "<pfx-password>"
|
||||
```
|
||||
|
||||
## Sign Existing Installer
|
||||
|
||||
This signs the installer already built at
|
||||
`release/<version>/Openscreen Setup <version>.exe`:
|
||||
|
||||
```powershell
|
||||
npm run sign:win:private-trust
|
||||
```
|
||||
|
||||
To sign a specific file:
|
||||
|
||||
```powershell
|
||||
npm run sign:win:private-trust -- --file "D:\Code\OpenScreen\release\1.4.0\Openscreen Setup 1.4.0.exe"
|
||||
```
|
||||
|
||||
## Build And Sign
|
||||
|
||||
This signs the packaged app executable, bundled OCR service executable, and NSIS
|
||||
installer during the Windows build:
|
||||
|
||||
```powershell
|
||||
npm run build:win:private-trust
|
||||
```
|
||||
|
||||
The regular `npm run build:win` remains unsigned for local development builds.
|
||||
|
||||
## Verification
|
||||
|
||||
After signing:
|
||||
|
||||
```powershell
|
||||
Get-AuthenticodeSignature "release\1.4.0\Openscreen Setup 1.4.0.exe" | Format-List
|
||||
```
|
||||
|
||||
Private trust signatures are valid only on machines that trust the private trust
|
||||
certificate chain/publisher. For public downloads that must be trusted on any
|
||||
Windows machine, use a public trust certificate profile instead.
|
||||
Reference in New Issue
Block a user