Pivot Release for Core Signing Cert change (macOS) #2453

Merged
merged 33 commits into from
Jul 28, 2020

Contributor

@gschier gschier commented Jul 27, 2020

Related #2451

This PR whitelists Kong's Apple Signing certificate so we can release an update with the new cert later. Electron's built-in updater (Squirrel) will reject the update if the next release is signed with a different certificate.

Migration Stages

  1. Release next update with configuration to whitelist new certificate
  2. Wait long enough until everyone has upgraded to the newest version (probably a couple months).
  3. Sign a new release with new certificate and delete whitelist logic

  1. Create a "pivot" release that whitelists both certs (this PR does that)
  2. Make auto-updater force all updates to go through pivot release (can't skip straight to newest)
  3. Sign a new release with new certificate and delete whitelist logic (signing-requirements.txt)

Exploration

  • Figure out macOS "requirements" definition to whitelist new cert
  • Release pivot and final version to beta channel
    • Test that update fails from current release to final
      • [updater] Error: Code signature at URL file:///Users/$USER/Library/Caches/com.insomnia.app.ShipIt/update.fhG0QgI/Insomnia.app/ did not pass validation: code failed to satisfy specified code requirement(s)
    • Test that update succeeds from pivot release to final
    • Test that update succeeds from current to pivot

Resources



Calculating H"..." value for signing-requirements.txt

The instructions provided in the StackOverflow Answer didn't specify how to calculate the SHA1 to whitelist the new certificate, so here are the commands used, for reference.

# Extract certificates from final build installation (i.e. contains the certs we want to migrate to)
codesign -d --verbose=8 -r - --extract-certificates /Applications/Insomnia.app

# Compute SHA1 of certificate for use in signing-requirements.txt
shasum codesign0


netlify bot commented Jul 27, 2020

Deploy preview for insomnia-storybook ready!

Built with commit 905f5bc

https://deploy-preview-2453--insomnia-storybook.netlify.app

@gschier gschier changed the title from "Core Mac Signing Migration" to "Pivot Release for Core Signing Cert change (macOS)" Jul 28, 2020
@gschier gschier marked this pull request as ready for review July 28, 2020 21:01
Contributor

@DMarby DMarby left a comment

Awesome 🎉

@gschier gschier merged commit c5283ab into develop Jul 28, 2020
@gschier gschier deleted the dist/mac-signing branch July 28, 2020 21:11