docs: add note on how to rotate client secret for windows code signing (#6900)

Moved the code signing to our US-based Azure account (firezoneprod.onmicrosoft.com) --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com> Co-authored-by: Brian Manifold <bmanifold@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
2026-01-27 10:18:54 +00:00 · 2024-10-02 10:35:40 -07:00
parent 9bee6860d0
commit 8e326d24bb
2 changed files with 32 additions and 0 deletions
--- a/.github/README_CI.md
+++ b/.github/README_CI.md
@@ -1,5 +1,11 @@
 # CI Tips and Tricks

+## Rotating signing secrets
+
+- Apple: see [../swift/apple/README.md](../swift/apple/README.md)
+- Android: see [../kotlin/android/README.md](../kotlin/android/README.md)
+- Windows: see [../rust/gui-client/README.md](../rust/gui-client/README.md)
+
 ## Batch-deleting workflow runs

 Manually disable the workflows to be cleaned up, then run this:
--- a/rust/gui-client/README.md
+++ b/rust/gui-client/README.md
@@ -49,6 +49,32 @@ stat ../target/release/Firezone.exe
 stat ../target/release/bundle/msi/Firezone_0.0.0_x64_en-US.msi
 ```

+## Signing the Windows MSI in GitHub CI
+
+The MSI is signed in GitHub CI using the `firezone/firezone` repository's
+secrets. This was originally set up using these guides for inspiration:
+
+- https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/
+- https://support.globalsign.com/code-signing/code-signing-using-azure-key-vault
+
+Renewing / issuing a new code signing certificate and associated Azure entities is outside the scope of this section. Use the guides above if this needs to be done.
+
+Instead, you'll most likely simply need to rotate the Azure `CodeSigning` Application's client secret.
+
+To do so, login to [the Azure portal](https://portal.azure.com) using your `@firezoneprod.onmicrosoft.com` account.
+Try to access it via the following [deep-link](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Credentials/appId/51da0daa-39dd-4890-9018-e02609efc9c8).
+If that doesn't work:
+
+
+
+- Go to the `Microsoft Entra ID` service
+- Click on `App Registrations`
+- Make sure the tab `All applications` is selected
+- Find and navigate to the `CodeSigning` app registration
+- Client on `client credentials`
+- Click `New client secret`
+- Note down the secret value. This should be entered into the GitHub repository's secrets as `AZURE_CLIENT_SECRET`.
+
 ## Running

 From this dir: