update release instructions

OWASP · Dec 5, 2024 · d66207d · d66207d
1 parent f737731
commit d66207d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -157,11 +157,10 @@ jobs:
         run: npm clean-install
 
       - name: Build Windows executable
+        # code signing using Extended Verification (EV) open source certificate
+        # must be done using a hardware key
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # code signing using Extended Verification (EV) open source certificate
-          CSC_KEY_PASSWORD: ${{ secrets.WINDOWS_OSS_CERT_PASSWORD}}
-          CSC_LINK:  ${{ secrets.WINDOWS_OSS_CERT }}
         run: npm run build:desktop -- --windows --publish always
 
       - name: Save SBOM artifact

diff --git a/release-process.md b/release-process.md
@@ -182,7 +182,20 @@ Use commands to refresh creds:
 * `snapcraft login`
 * `snapcraft export-login --snaps threat-dragon --channels stable`
 
-The snapcraft username is 'threat-dragon' and it has an Ubuntu One password.
+The snapcraft username is 'threat-dragon' and uses an Ubuntu One password.
+
+### Code signing Windows installer
+
+If the certificate needs to be provided in Base64 :
+
+```text
+openssl pkcs12 -export -in WINDOWS_OSS_CERT.pem -nokeys -out WINDOWS_OSS_CERT.p12 -passout pass:<password>
+openssl pkcs12 -info -in  WINDOWS_OSS_CERT.p12 -passin pass:<password>
+base64 -i WINDOWS_OSS_CERT.p12 -o WINDOWS_OSS_CERT.p12.b64
+```
+
+The use of the pipeline for code signing is not practical for this open source project
+because of the need for a private key in the keychain, so use the certificate issuer's utilities.
 
 ### Update release notes