Hi Mark, Thanks for your reply.
On Wed, 25 Mar 2026 at 09:47, Mark Thomas <[email protected]> wrote:

> Is it realistic for the RM (and other PMC members) to build the releases
> locally without code signing? If not, this gets a lot harder - maybe
> even impossible.

Yes, with the right tools installed on the machine. Swift compiler, Xcode, InnoSetup, etc.

*If* using a workflow similar to the external one I shared in my first message, then this would involve checking out that repo, and running the Java source file with the right arguments - e.g.

    java Exec.java build windows x64 innosetup

The work here would likely have to spread around, as only a few of us have access to all 3 OS required to test all.

> Is that process reproducible (given no code signing, the same OS, same
> JDK and same .zip distribution)? If not, how much work is it to make it
> reproducible?

Not right now, and a little unknown. Some tweaks might be required in our packaging tool, although without code signing the most likely problem area wouldn't be hit. The biggest issue would be changes in configuration for execution of the third-party tools, and the extent to which they can be made reproducible. It's not been a priority because running without code signing is only generally of use for testing purposes.

> Which tool are you using for Windows code signing? JSign?

Historically we used a few things, including JSign, for ASF installers. The linked workflow used for the external installers currently uses Azure Artifact Signing. That would be an option I think would be great to see at ASF too. It's using their GH Action at the moment, but I'm looking at using it with Signtool, and it might be possible to use with JSign - not checked.

> I know JSign can remove Windows signatures and it looks like Apple
> signing tools can remove signatures too so I am thinking of a process
> something along the lines of ...

OK, this is where I think we might run into issues.
Firstly, on Windows it should be feasible to remove the outer signature on the installer. This will still not match if inner files are signed. I'm not sure if there's a way to extract the package without installing anymore, but any installed files that do not match the zip can be unsigned and checked. However, the wrapping .exe may remain something of an unknown.

On macOS, extraction of the installer archive for verification is easier. However, I am not sure that removing the signature is a viable process. The information I've read seems currently a bit hazy on what changes applying the hardened runtime does, and whether that is fully reversible. I'll do some checking next time I fire up the Mac to see if I can reliably remove a signature and end up with the input file.

We can currently binary diff the installed payload against the released ASF zip with 98-99% accuracy. Certificate removal on a few constituent parts gets us a little more accuracy. But unless you can reproduce each part layer by layer from bottom to top, with the signed parts inside, and assuming all stages are actually reproducible anyway, I'm not sure this proves the payload installer is reproducible?

Thanks and best wishes,
Neil
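The "binary diff the installed payload against the released ASF zip" step Neil describes, as an added, stand-alone example that is not the project's packaging tool nor anything from the thread: it hashes every file entry in a release zip and every file under an "installed" directory tree, then reports which files match byte-for-byte, which differ (the typical case for in-place signed binaries), which are missing from the install, and which are installer-only extras. The zip contents and the installed tree are constructed inline in a temporary directory so the script runs offline; the file names and the "signature blob" suffix are invented for illustration.

```python
"""Per-file SHA-256 comparison of an installed payload tree against a release zip.
Added example (not the project's own tool); sample inputs are constructed inline."""
import hashlib
import os
import tempfile
import zipfile
from dataclasses import dataclass, field


@dataclass
class DiffReport:
    matched: list = field(default_factory=list)     # identical bytes in zip and install
    mismatched: list = field(default_factory=list)  # present in both, contents differ
    missing: list = field(default_factory=list)     # in the zip, not in the install
    extra: list = field(default_factory=list)       # in the install, not in the zip

    def match_ratio(self) -> float:
        """Share of zip entries reproduced exactly; extras are not counted against it."""
        total = len(self.matched) + len(self.mismatched) + len(self.missing)
        return len(self.matched) / total if total else 1.0


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def zip_digests(zip_path: str) -> dict:
    """Relative entry path -> SHA-256 for every file entry in the zip."""
    digests = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                digests[info.filename] = sha256_bytes(fh.read())
    return digests


def tree_digests(root: str) -> dict:
    """Relative forward-slash path -> SHA-256 for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = sha256_bytes(fh.read())
    return digests


def compare_payload(zip_path: str, installed_root: str) -> DiffReport:
    """Classify every zip entry against the installed tree, then list extras."""
    expected = zip_digests(zip_path)
    actual = tree_digests(installed_root)
    report = DiffReport()
    for rel, digest in sorted(expected.items()):
        if rel not in actual:
            report.missing.append(rel)
        elif actual[rel] == digest:
            report.matched.append(rel)
        else:
            report.mismatched.append(rel)
    report.extra = sorted(set(actual) - set(expected))
    return report


def build_sample(tmp: str) -> tuple:
    """Constructed sample (hypothetical names): a release zip with three files and
    an installed tree where one binary carries an appended 'signature' and an
    installer-only launcher exists; README.txt is deliberately not installed."""
    zip_path = os.path.join(tmp, "release.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("bin/app.jar", b"jar bytes")
        zf.writestr("bin/native.dll", b"native bytes")
        zf.writestr("README.txt", b"readme")
    installed = os.path.join(tmp, "installed")
    sample_tree = {
        "bin/app.jar": b"jar bytes",
        "bin/native.dll": b"native bytes" + b"<signature blob>",  # signed in place
        "bin/launcher.exe": b"wrapper",                            # installer-only
    }
    for rel, data in sample_tree.items():
        full = os.path.join(installed, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return zip_path, installed


def demo() -> DiffReport:
    """Build the constructed sample and compare it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        zip_path, installed = build_sample(tmp)
        return compare_payload(zip_path, installed)


if __name__ == "__main__":
    r = demo()
    print(f"matched={r.matched} mismatched={r.mismatched}")
    print(f"missing={r.missing} extra={r.extra} ratio={r.match_ratio():.0%}")
```

The mismatched list is the set of files to look at next: these are the candidates for stripping an in-place signature and re-hashing, while extras such as the wrapping installer executable stay outside what the zip can vouch for.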
