Code Signing InVEST Installation Media
- InVEST Windows Installers version 3.8.0 and later
- InVEST DMGs version 3.9.0 and later
Assuming everything is working, installers and disk images on the main natcap/invest repository are all automatically signed as part of the regular GitHub Actions binary build workflows.
When a certificate is revoked (as it was in January, 2021), the revocation will also prevent Gatekeeper (Mac OS) and SmartScreen (Windows) from opening the installers. The only known way around this is to re-sign the installation media.
- Download the current certificate (.pfx or .p12) and retrieve the password.
- Download the InVEST installer to sign.
- Execute the following signtool.exe calls to re-sign and re-timestamp the binary:

      signtool.exe sign /f "<path to certificate>" /p "<certificate password>" <path to InVEST installer>
      signtool.exe timestamp -t http://timestamp.sectigo.com <path to InVEST installer>

  For me, signtool.exe is located at C:\Program Files (x86)\Windows Kits\10\App Certification\signtool.exe. If that doesn't work for you, try running a find "C:\Program Files (x86)" -name "signtool.exe", as the binary might have moved.

  See this help page about why timestamping matters.
- Upload the re-signed installer file to the target distribution locations:
  - Google Cloud
  - The GitHub Release for this version
- Repeat for each affected version of InVEST.
The codesign binary may require Xcode developer tools.
- Download the .pfx or .p12 certificate file and retrieve the certificate password.
- Double-click the certificate to install it to your local key store. You'll need to enter the certificate password to do so. The key will be identified in your key store as "Stanford University".
- Download the InVEST DMG to sign.
- Execute the following command to re-sign the binary:

      codesign --force --verbose --sign "Stanford University" <path to InVEST DMG>

  The --force is needed to overwrite the existing signature.
- Upload the re-signed DMG to the target distribution locations:
  - Google Cloud
  - The GitHub Release for this version
- Repeat for each affected version of InVEST.
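
The re-sign and repeat steps above can be wrapped in a loop that also verifies each new signature before anything is uploaded. This is an added example, not part of the original page or the natcap/invest tooling; it goes one step beyond the page by running codesign --verify after signing. The function names and the one-directory-of-DMGs layout are assumptions.

```shell
#!/bin/sh
# Added example: re-sign every DMG in a directory, verify each result,
# and print only the paths that passed (the ones safe to upload).

# Key store name given in the steps above.
IDENTITY="Stanford University"

# Re-sign one DMG, then confirm the new signature is intact.
# Returns 0 on success, 1 if signing or verification fails,
# 2 if the file does not exist.
resign_dmg() {
    dmg=$1
    [ -f "$dmg" ] || { echo "missing: $dmg" >&2; return 2; }
    # --force overwrites the existing (revoked) signature.
    codesign --force --verbose --sign "$IDENTITY" "$dmg" || return 1
    # Check the signature that was just written before trusting it.
    codesign --verify --verbose "$dmg" || return 1
}

# Re-sign every *.dmg under a directory (assumed layout: one DMG per
# affected InVEST version). Verified paths go to stdout, diagnostics to
# stderr. The return status is the number of DMGs that failed.
resign_all() {
    dir=$1
    failed=0
    for dmg in "$dir"/*.dmg; do
        [ -e "$dmg" ] || continue   # glob matched nothing
        if resign_dmg "$dmg" >&2; then
            echo "$dmg"
        else
            echo "FAILED, do not upload: $dmg" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run as: sh resign.sh <directory of DMGs>
[ "$#" -eq 0 ] || resign_all "$1"
```

A non-zero exit status means at least one DMG should not be uploaded; the paths printed on stdout are the ones whose new signature verified.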