Code signing custom builds

plans-img-yellow Available on Entry, Professional, Enterprise, and Enterprise Advanced plans

Code signing is an essential process for ensuring the authenticity and integrity of your custom Mattermost builds. This guide provides steps on how to code sign a build using your own certificates for Windows, Mac, and Linux.

Important

Make sure to follow each operating system’s guidelines and best practices for signing applications.

Prerequisites

  1. Code Signing Certificate: Obtain a certificate from a Certificate Authority (CA) or use a self-signed certificate if suitable.

  2. SignTool: Available as part of the Windows SDK.

  1. GPG Key: Create a GPG key if you don’t have one.

  2. GnuPG: Install GnuPG if not already installed.

  1. Developer ID Application Certificate: Obtain from Apple. It requires an Apple Developer account.

  2. Xcode: Ensure Xcode is installed.

Process

  1. Install SignTool: Install the Windows SDK to access the SignTool utility.

  2. Obtain a Code Signing Certificate: Purchase or create a certificate (.pfx file) via a CA.

  3. Import the Certificate: Open the .pfx file and import it into the Windows Certificate Store.

  4. Sign the Executable

    • Open the command prompt as Administrator.

    • Use SignTool to sign your executable:

    signtool sign /v /s "My" /sha1 <cert hash> /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 <path-to-your-executable>

  1. Create or Import Your GPG Key: If you don’t have a GPG key, create one:

    gpg --full-generate-key

    Alternatively, import an existing GPG key, if you have one:

    gpg --import /path/to/your-key.asc

  2. Sign the Package: Use dpkg-sig to sign a Debian package:

    dpkg-sig --sign builder your-package.deb

    Use rpmsign to sign an RPM package:

    rpmsign --addsign your-package.rpm

  3. Verify the Signature: Verify the signature of a .deb package:

    dpkg-sig --verify your-package.deb

    Verify the signature of an .rpm package:

    rpm --checksig your-package.rpm

  1. Obtain a Code Signing Certificate: Create a Developer ID Application certificate in your Apple Developer account and download it.

  2. Import the Certificate: Double-click the certificate to import it into the Keychain.

  3. Sign the Application: Use the codesign tool from Xcode to sign your application:

    codesign --deep --force --verify --verbose --sign "Developer ID Application: Your Name (TeamID)" /path/to/your.app

  4. [Optional] Verify the Signature: Verify the signature to ensure everything is correctly signed:

    spctl --assess --verbose=4 /path/to/your.app
codesign -dv --verbose=4 /path/to/your.app

Summary

  • Windows: Use SignTool from the Windows SDK with your imported code signing certificate.

  • Mac: Use codesign and spctl tools from Xcode with your Apple Developer ID certificate.

  • Linux: Use GnuPG to create/sign with your GPG key, dpkg-sig for .deb packages, and rpmsign for .rpm packages.