2 Update windows certificate for AppVeyor

Matthieu Gautier edited this page 2022-08-31 11:06:51 +02:00

Table of Contents

• About this page
• How to
• Encode the certificate
• Update secret
• Upload the new certificate

About this page

Kiwix-build is responsible to build kiwix-desktop for Windows using the Appveyor CI.

kiwix-desktop is signed and the certificate used is limited in time, it have to be renewed every year. This wiki page explains how to encrypt and upload the certificate for the CI. How the certificate is renewed is not explained here.

How to

What do you need :

• The pfx certificate (called kiwix.pfx) and the password to use it (come from how you have renewed the certificate). The password will be called <certificate_pwd>
• openssl (from your distribution package manager)
• The password use to encode/decode the pfx certificate (ask the team). It will called <secret_pwd>.

Encode the certificate

Run openssl enc -pbkdf2 -aes-256-cbc -md sha256 -pass pass:<secret_pwd> -in kiwix.pfx -out kiwix.pfx.enc

Move kiwix.pfx.enc in the appveyor directory of this repository (in place of existing one)

Update secret

Go on appveyor project settings, environment section.

Update win_certificate_password with <certificate_pwd>.
Update win_certificate_secret with <secret_pwd>.

Be sure to keep the environment variables secret !

Upload the new certificate

Create a commit for this certificate change (kiwix.pfx.enc) and create a PR for this.

Attention ! Be carefull to NOT (and never) add kiwix.pfx to git !!
If you do so, the best thing to do is to revoke the certificate and regenerate a new one.

Wait for the (AppVeyor) CI to pass and your good to merge.

Done !