Use a non rate limited timestamp server to accelerate Windows builds #1229
Comments
Link to discussion on Mattermost:
The code certificates we use have been bought at GoDaddy. Their TSA server ( In the code, we are using GoDaddy is not providing instructions about how to use and get rid of their TSA rate limit. I phoned GoDaddy and they are refusing to give additional instructions if we cannot show we have 1) a code signing certificate bought at GoDaddy and 2) proof of ownership of the account (PIN code in the web UI). :/ I even tried presenting myself as a new client, just to see, and the answer has been the same :(
We can potentially move to CloudHSM with AWS:
Hi @jaydeland
Except that with the instructions, I don't see any call to a Time Stamping Authority (TSA). We can see that the I don't see any mention of Amazon being a TSA authority. :/
Sorry - forgot to link this doc: https://aws.amazon.com/blogs/security/signing-executables-with-microsoft-signtool-exe-using-aws-cloudhsm-backed-certificates/
So to summarize, it seems there are only two TSA authorities in the world:
Since everyone seems to be using Digicert, that's maybe for a reason ;)
Maybe this will help, maybe it won't:
Just got confirmation from @cloph via @ArnaudVERSINI, the LibreOffice project seems to use this provider for code signing certificates (noticeably cheaper). And as for the timestamping server being used, it is not Digicert but Certum's own TSA server (http://time.certum.pl/):
Created a JIRA ticket to look at this: https://mattermost.atlassian.net/browse/MM-40570
You can give my load balancer a go. This should be slightly faster in theory as there are more CAs used:
Or, if you want to limit yourself to only Digicert, Sectigo, GlobalSign, and Entrust (almost everyone accepts these CAs), use this URL:
Summary
Creating Windows builds is taking way too much time because there is a 15-second sleep delay each time a file needs to be signed.
This is due to the fact that the public timestamp server we use is rate limited.
https://github.com/mattermost/desktop/blob/master/scripts/Makefile.ps1#L316
Hopefully, it appears there are servers which are not rate limited. @metanerd has created an infra team ticket in order to get access to a non-rate-limited server (needs authentication, which may need to be paid authentication), which will decrease the build process time.
Environment
Steps to reproduce
Try to build a signed version of Mattermost
Expected behavior
A faster build
Observed behavior
A slow build
Possible fixes
Switch to a non rate limited timestamp server
https://github.com/mattermost/desktop/blob/master/scripts/Makefile.ps1#L316
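
An added example, not taken from the project's `Makefile.ps1`: one way to replace a fixed per-file sleep with a delay that only happens after a timestamp request actually fails, trying several RFC 3161 servers in order. The function name, its parameters, the placeholder thumbprint and the `tsa.example.invalid` URL are hypothetical; it assumes `signtool.exe` is on `PATH` and the signing certificate is in the Windows certificate store.

```powershell
# Added example (not the project's build script). Names are hypothetical.
function Invoke-TimestampedSign {
    param(
        [Parameter(Mandatory)] [string]   $FilePath,
        [Parameter(Mandatory)] [string]   $CertThumbprint,  # certificate selected from the store
        [Parameter(Mandatory)] [string[]] $TimestampUrls,   # RFC 3161 servers, tried in order
        [int]    $MaxRounds           = 3,
        [int]    $InitialDelaySeconds = 2,
        [string] $SignTool            = 'signtool.exe'
    )

    $delay = $InitialDelaySeconds
    for ($round = 1; $round -le $MaxRounds; $round++) {
        foreach ($url in $TimestampUrls) {
            # /tr + /td request an RFC 3161 timestamp with a SHA-256 digest.
            # Out-Host keeps signtool's output out of the function's return value.
            & $SignTool sign /sha1 $CertThumbprint /fd sha256 /tr $url /td sha256 $FilePath | Out-Host
            if ($LASTEXITCODE -eq 0) {
                # /tw turns a missing timestamp into a warning (non-zero exit code),
                # so an untimestamped signature is never accepted as a success.
                & $SignTool verify /pa /tw $FilePath | Out-Host
                if ($LASTEXITCODE -eq 0) { return $url }
            }
            Write-Warning "Signing '$FilePath' with timestamp server $url failed (round $round)."
        }
        if ($round -lt $MaxRounds) {
            # Back off only after every server failed, then double the wait.
            Start-Sleep -Seconds $delay
            $delay *= 2
        }
    }
    throw "Could not sign and timestamp '$FilePath' after $MaxRounds rounds."
}

# Constructed usage: the first URL is the Certum server mentioned in this thread,
# the second is a placeholder for whatever other server the build is allowed to use.
$servers = @('http://time.certum.pl/', 'http://tsa.example.invalid/')
Get-ChildItem -Path .\release -Recurse -Include *.exe, *.dll | ForEach-Object {
    $used = Invoke-TimestampedSign -FilePath $_.FullName `
        -CertThumbprint '<THUMBPRINT-PLACEHOLDER>' -TimestampUrls $servers
    Write-Host "Signed $($_.Name) using $used"
}
```

The build should still fail when no server answers: shipping a signed but untimestamped binary means the signature stops validating once the certificate expires.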