Skip to content

Commit 883f800

Browse files
authored
Merge pull request #352 from switchifyapp/docs/release-preflight-351
Clarify release signing preflight
2 parents 70a5db1 + 58d14f5 commit 883f800

1 file changed

Lines changed: 3 additions & 17 deletions

File tree

AGENTS.md

Lines changed: 3 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -118,8 +118,7 @@ Before creating or pushing a release tag, the maintainer or agent must verify al
118118
- The release issue and release PR are assigned to milestone `Release X.Y.Z`.
119119
- The milestone `Release X.Y.Z` exists and has no unrelated open issues.
120120
- The self-hosted runner with label `switchify-signing` is online and not busy.
121-
- The Certum signing certificate thumbprint is available out-of-band or through the configured repository variable.
122-
- The matching certificate exists in `Cert:\CurrentUser\My`, has a private key, and SimplySign is logged in.
121+
- The production signing configuration is available to the release workflow.
123122

124123
Use commands like these for preflight checks. Do not print, document, or commit the real certificate thumbprint.
125124

@@ -145,19 +144,6 @@ $runner = (gh api repos/switchifyapp/switchify-pc/actions/runners | ConvertFrom-
145144
if (-not $runner -or $runner.status -ne 'online' -or $runner.busy) {
146145
throw 'The switchify-signing runner is not ready.'
147146
}
148-
149-
$thumbprint = $env:SWITCHIFY_CERTUM_CERT_THUMBPRINT -replace '[^a-fA-F0-9]', ''
150-
if (-not $thumbprint) {
151-
throw 'SWITCHIFY_CERTUM_CERT_THUMBPRINT is not set in this shell. Do not hard-code it.'
152-
}
153-
154-
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
155-
Where-Object { $_.Thumbprint -eq $thumbprint } |
156-
Select-Object -First 1
157-
158-
if (-not $cert -or -not $cert.HasPrivateKey) {
159-
throw 'The Certum signing certificate is missing or has no private key.'
160-
}
161147
```
162148

163149
When preparing the next milestone, verify first and create only if missing:
@@ -172,7 +158,7 @@ if (-not $existing) {
172158
}
173159
```
174160

175-
If the thumbprint is available only as a GitHub repository variable, the maintainer may verify that the variable exists without printing its value, then verify the local certificate with the thumbprint supplied privately.
161+
The release workflow verifies the configured Certum signing certificate on the signing runner before packaging production installers.
176162

177163
The release workflow:
178164

@@ -217,7 +203,7 @@ Do not tag if:
217203
- The C# app project `<Version>` does not match the intended tag.
218204
- The release issue or PR milestone does not match `Release X.Y.Z`.
219205
- The signing runner is offline or busy.
220-
- The Certum certificate cannot be verified locally.
206+
- The production signing configuration is not available to the release workflow.
221207

222208
After the release workflow succeeds:
223209

0 commit comments

Comments
 (0)