You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We currently currently sign files in https://www.influxdata.com/downloads/ with a detached signature (.asc file) for pgp/gpg to verify. This is all fine.
Only the telegraf Windows binary (PE executable) is signed using Microsoft code-signing (eg, authenticode). See:
We aren't currently doing this for InfluxDB (1.x, 2.x or 3.x). Eg, if I unzip the influxdb2-2.7.11-windows.zip I see:
$ osslsigncode extract-signature ./influxd.exe ./out
PE file does not have any signature: ./influxd.exe
Failed
[255]
Adding PE signing to all downloadable executables for Windows would reduce barriers to entry for people using them in certain environments (eg, some site-specific security policies require binaries signed in the manner). The proper way to do this is to update https://github.com/influxdata/code-sign (private repo) to support PE signing (eg, in addition to detached signature, apt InRelease files and rpm signing) and then adjust the InfluxDB CircleCI jobs for 1.x, 2.x and 3.x to send the windows binary to be signed (similar to how we do rpm). Once that is done, it should be trivial to adjust all the different projects to start using this and migrate telegraf to it.
We currently currently sign files in https://www.influxdata.com/downloads/ with a detached signature (.asc file) for pgp/gpg to verify. This is all fine.
Only the
telegrafWindows binary (PE executable) is signed using Microsoft code-signing (eg, authenticode). See:We aren't currently doing this for InfluxDB (1.x, 2.x or 3.x). Eg, if I unzip the influxdb2-2.7.11-windows.zip I see:
Adding PE signing to all downloadable executables for Windows would reduce barriers to entry for people using them in certain environments (eg, some site-specific security policies require binaries signed in the manner). The proper way to do this is to update https://github.com/influxdata/code-sign (private repo) to support PE signing (eg, in addition to detached signature, apt InRelease files and rpm signing) and then adjust the InfluxDB CircleCI jobs for 1.x, 2.x and 3.x to send the windows binary to be signed (similar to how we do rpm). Once that is done, it should be trivial to adjust all the different projects to start using this and migrate telegraf to it.
cc @gunnaraasen, @davidby-influx, @srebhan
References:
The text was updated successfully, but these errors were encountered: