Windows build fails to sign the application

[marstamm]

What should we do?

Update our Certificates we use to sign the application during the build process. The windows certs expired on Apr 11.

cf. https://github.com/camunda/camunda-modeler/actions/runs/8681071392

• Migrate https://github.com/camunda/camunda-modeler/blob/develop/.github/workflows/BUILD_ON_DEMAND.yml
• Migrate https://github.com/camunda/camunda-modeler/blob/develop/.github/workflows/RELEASE.yml
• Migrate https://github.com/camunda/camunda-modeler/blob/develop/.github/workflows/NIGHTLY.yml

Why should we do it?

To ensure we can release the camunda modeler on windows

[nikku]

As part of this change we want to migrate the certificate handling over to vault (cf. https://github.com/bpmn-io/internal-docs/issues/802).

[nikku]

Reached out to internally (IT) for further investigation.

[nikku]

Shared updated certificate with @marstamm; you should now be unblocked to work on this issue.

[nikku]

Cross-posting my assessment (yesterday) here:

Status update (quick check with Tim):

There is new restrictions to work with code signing certificates, effectively enabled with June 1, 2023
Code signing can only happen via dedicated signing APIs (similar to MacOS notarization) > and/or via hardware tokens

• We ordered a hardware token which is not usable for our cases (CI/CD-based code signing)
• We need to investigate (ref) how to do signing on our CI using the newly enforced restrictions

Let's look into the linked material as well as the electron builder docs to figure out what we need to change.
At the moment I see the next release slightly at risk, but then again it is just a minor we can skip or postpone (for Windows).

[marstamm]

Summary update from internal Slack:

• The main problem we are facing is the increased security standards for storing the private keys. We will move to a cloud based certificate provider (DigiCert) and kicked of the purchasing process
• Until then and as fallback, signing is a manual step using the hardware token on a local machine

[marstamm]

[Update] We disabled Code signing on Windows for now. @philippfromme has the physical token for backup signing. DigiCert purchase is still in progress

[barmac]

I just asked @KerstinHebel for update on https://helpdesk.camunda.com/support/tickets/14320. What is the status of "DigiCert purchase"? I know that we are forced right now to use a hardware key, but I believe it's unhealthy to require from @philippfromme signing the executable.