amoeba commented on issue #49404: URL: https://github.com/apache/arrow/issues/49404#issuecomment-4064456758
I did a test signing today with jsign to confirm everything from ASF infra is set up. It was just a single `jsign` command as indicated in https://github.com/apache/arrow/pull/48934#discussion_r2776106274 and it works with SmartScreen as expected. I think we need a few more things here: 1. Since both the .DLL and the final .MSI need to get signed (two steps), the `odbc-msvc` job needs to be modified to upload the raw materials for the installer (as many files as needed so `cpack` will run) and the later steps in that workflow may need to be tweaked. 2. We should investigate static linkage on Windows. The driver uses shared linkage on Win32 and, from my understanding of SmartScreen, we may have to sign all the DLL dependencies (which we don't want to do since each signing costs money). Right now, `arrow_flight_sql_odbc.dll` is dynamically linked to `{arrow,arrow_compute,arrow_flight,arrow_flight_sql}.dll`. Can we investigate static linkage (i.e., make `arrow_flight_sql_odbc.dll` only depend on system deps) @alinaliBQ? 3. Modify `04-binary-download.sh` to download the raw WiX installer artifacts instead of the MSI 4. Modify `05-binary-upload.sh` to jsign the `arrow_flight_sql_odbc.dll` inside the WiX installer artifacts dir, build the installer, and jsign the installer. Both the jsign command and WiX are hard for existing release managers to run (jsign requires credentials and WiX is Windows only). We should talk about the best way to integrate this into the release process and whether a separate step should be added. I did a quick research into reproducible builds for Windows .DLL and .MSI and my initial findings weren't that promising but I think more research could be done here. @raulcd @kou what do you think about having a manual step that requires setup and Windows in the release process? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
