Hi All, I wanted to ask how the NetBeans project might be able to access Windows and macOS code signing via GitHub Actions, if reproducible builds are not an option?
For context, I asked Mark about this yesterday and he suggested I follow up here. We've previously corresponded about certificates as I've had use of the foundation's Windows and macOS certificates for release managing NetBeans in the past. Since 2021 I have also released NetBeans packages externally that bundle a JDK.

As of Spring 2025 the NetBeans project discontinued release of installers without a JDK at ASF, partly for technical reasons, partly for capacity reasons. Currently the only installers we link to are the ones I provide personally. We've been asked a number of times within and outside the foundation whether we might bring the ASF installers back. Realistically, to even consider that we would need to change how they're delivered and automate it.

The NetBeans project releases its own packaging tool (NBPackage) that builds installers from an IDE or platform zip using native tools and an optional Java runtime. This has to run on the target OS, and have access to code signing where needed (on macOS it has to deep sign native binaries even inside JAR files).

The workflow I use for my installer builds [1] downloads the NetBeans and NBPackage binary releases from ASF, builds the installers, and uploads to the workflow or a draft release. It logs and verifies hashes through stages from inputs to outputs. While the process is not, and is unlikely to ever be, reproducible, it does at least provide a single log that offers a receipt and "proof" of how any particular package was built.

So, my question is whether we could potentially bring a similar process into a separate workflow repository here? Unlike using manual, local builds, we would have a process that is both automated and can be properly code reviewed from beginning to end. The release manager(s) would still have to download, verify and gpg sign each artefact before distribution, alongside potentially verifying, signing and distributing the log itself.

Thanks for your thoughts.
Best wishes, Neil

[1] https://github.com/codelerity/netbeans-packages
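The message above describes a workflow that "logs and verifies hashes through stages from inputs to outputs" so that one log serves as a receipt for how a package was built. The following POSIX sh script is an added example of that pattern; it is not code from the NetBeans project, from NBPackage, or from the codelerity/netbeans-packages workflow, and it assumes nothing about them. Each stage pins its input to an expected hash (standing in for the checksum published with a release), refuses to build on a mismatch while still leaving a trace in the receipt, records input and output digests, and the finished receipt can be re-audited against the files before a release manager signs anything. The file names, file contents, the "build" step and the pinned hash are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not project code: a minimal append-only "build receipt" with
# per-stage hash pinning and a final audit. Everything on disk here is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
RECEIPT="$WORK/receipt.log"

# SHA-256 of a file, using whichever tool the host (Linux or macOS) provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# Append one line "stage<TAB>role<TAB>sha256<TAB>path" to the receipt.
record() {  # record STAGE ROLE FILE
  printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$(sha256_of "$3")" "$3" >> "$RECEIPT"
}

# One build stage: verify INPUT against PINNED (the hash copied from the published
# checksum file; SHA-256 here for brevity), record the input, build, record the
# output. Returns 1 without building if the input does not match, and writes a
# REJECTED line so the failure itself is part of the receipt.
build_stage() {  # build_stage STAGE INPUT PINNED OUTPUT
  stage=$1; input=$2; pinned=$3; output=$4
  actual=$(sha256_of "$input")
  if [ "$actual" != "$pinned" ]; then
    printf '%s\tREJECTED\t%s\t%s\n' "$stage" "$actual" "$input" >> "$RECEIPT"
    return 1
  fi
  record "$stage" input "$input"
  # Stand-in for the real packaging/signing tool invocation: the output is derived
  # deterministically from the input so the demo stays self-contained.
  { printf 'installer built by stage %s from:\n' "$stage"; cat "$input"; } > "$output"
  record "$stage" output "$output"
}

# Re-check every recorded file against the digest in the receipt. Returns 0 only if
# all input/output entries still match (REJECTED lines record a failure on purpose).
audit_receipt() {  # audit_receipt RECEIPT
  status=0
  while IFS="$(printf '\t')" read -r stage role digest file; do
    [ "$role" = "REJECTED" ] && continue
    if [ ! -f "$file" ] || [ "$(sha256_of "$file")" != "$digest" ]; then
      printf 'MISMATCH %s %s %s\n' "$stage" "$role" "$file" >&2
      status=1
    fi
  done < "$1"
  return $status
}

# Demo: one good build, one rejected (tampered) input, then an audit of the receipt.
demo() {
  : > "$RECEIPT"
  printf 'constructed NetBeans zip payload\n' > "$WORK/netbeans.zip"
  pin=$(sha256_of "$WORK/netbeans.zip")   # stands in for the published checksum
  build_stage installer "$WORK/netbeans.zip" "$pin" "$WORK/netbeans.pkg"
  cp "$WORK/netbeans.zip" "$WORK/tampered.zip"
  printf 'tampered\n' >> "$WORK/tampered.zip"
  if build_stage installer "$WORK/tampered.zip" "$pin" "$WORK/tampered.pkg"; then
    echo "tampered input was accepted" >&2
    return 1
  fi
  audit_receipt "$RECEIPT"
}

demo && printf 'receipt OK: %s\n' "$RECEIPT"
```

The receipt is plain tab-separated text, so it can be attached to a workflow run, downloaded with the artefacts, and re-audited on the release manager's machine with the same `audit_receipt` function before the artefacts and the log are gpg signed; any file that changed between the build and the signing step shows up as a MISMATCH line.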
