* TUN-9863: Introduce Code Signing for Windows Builds
This commit adds a signing step to the build script for Windows binaries.
Since we package the MSI on Linux, this commit adds another CI step that depends on package-windows and signs all of the Windows packages.
To do so, we use azuresigntool which relies on a certificate stored in Azure Vault.
Closes TUN-9863
* chore: Update cloudflared signing key name in index.html
We want to preserve the old key name so that we don't have to update the dev docs.
We will have the same key under this name and the v2 name to account for everyone who has already updated.
* Fix systemd service installation hanging
---
This kills the hanging when there is a network issue (port blocking or no Internet) and the installation cannot be completed with no error sent to the output.
Before (killed manually since it hangs forever): [screenshot]
After: [screenshot]
---
* TUN-9919: Make RPM postinstall scriptlet idempotent
Before this commit the postinstall scriptlet wasn't idempotent, meaning users saw this error in their upgrade logs:
```text
ln: failed to create symbolic link '/usr/local/bin/cloudflared': File exists
warning: %post(cloudflared-2025.10.0-1.x86_64) scriptlet failed, exit status 1
```
This doesn't break the upgrade (which is why we haven't touched this in 5 years), but adding the `-f` (force) flag to the symlink command prevents this issue from happening.
Closes TUN-9919
* chore: Fix upload of RPM repo file during double signing
This commit fixes a variable that was supposed to hold the path of the repo file, but instead was being overwritten with the repo file handle.
* chore: Fix import of GPG keys when two keys are provided
We were only retrieving the first output of `gpg.list_keys` because previously we were only running `import_gpg_keys` once. Now that we run it twice we need to ensure that the key we select from the list matches the one we've imported.
Adds new metrics for:
- Dropped UDP datagrams for reads and write paths
- Dropped ICMP packets for write paths
- Failures that preemptively close UDP flows
Closes TUN-9882
Add a deadline for origin writes as a preventative measure in the case that the kernel blocks any writes for too long.
In the case that the socket exceeds the write deadline, the datagram will be dropped.
Closes TUN-9882
Instead of creating a goroutine to process each incoming datagram from the tunnel, a single consumer (the demuxer) will process each of the datagrams in serial.
Registration datagrams will still be spun out into separate goroutines since they are responsible for managing the lifetime of the session once started via the `Serve` method.
UDP payload datagrams will be handled in separate channels to allow for parallel writing inside of the scope of a session via a new write loop. This channel will have a small buffer to help unblock the demuxer from dequeueing other datagrams.
ICMP datagrams will be funneled into a single channel across all possible origins with a single consumer to write to their respective destinations.
Each of these changes is to prevent datagram reordering from occurring when dequeuing from the tunnel connection. By establishing a single demuxer that serializes the writes per session, each session will be able to write sequentially, but in parallel to their respective origins.
Closes TUN-9882
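The demuxer and the origin write deadline described in the two entries above, as an added Go illustration that is not cloudflared's code: one consumer dequeues datagrams in arrival order into small per-session buffered channels, one write loop per session drains its channel, and a write that exceeds the deadline drops that datagram instead of stalling the loop. Session IDs as `uint32`, `net.Conn` origins, a queue depth of 4 and a 200 ms deadline are assumptions of the example.

```go
package main

import (
	"errors"
	"net"
	"os"
	"sync"
	"sync/atomic"
	"time"
)

// datagram is a constructed stand-in for a UDP payload datagram dequeued from the tunnel.
type datagram struct {
	sessionID uint32
	payload   []byte
}

// demux is the single consumer: it routes datagrams to per-session buffered queues in arrival
// order, so each session writes sequentially while different sessions progress in parallel.
// Each session's write loop drains its queue; a write past the deadline drops that datagram
// instead of blocking the loop (and, through a full queue, the demuxer). Returns total drops.
func demux(in []datagram, origins map[uint32]net.Conn) int {
	queues := make(map[uint32]chan []byte, len(origins))
	var dropped int64
	var wg sync.WaitGroup
	for id, conn := range origins {
		q := make(chan []byte, 4) // small buffer so one slow origin rarely stalls the demuxer
		queues[id] = q
		wg.Add(1)
		go func(conn net.Conn) { // this session's single writer
			defer wg.Done()
			for p := range q {
				_ = conn.SetWriteDeadline(time.Now().Add(200 * time.Millisecond)) // assumed deadline
				if _, err := conn.Write(p); errors.Is(err, os.ErrDeadlineExceeded) {
					atomic.AddInt64(&dropped, 1)
				}
			}
		}(conn)
	}
	for _, d := range in { // serial dequeue: arrival order is preserved within every session
		if q, ok := queues[d.sessionID]; ok {
			q <- d.payload
		}
	}
	for _, q := range queues {
		close(q)
	}
	wg.Wait()
	return int(atomic.LoadInt64(&dropped))
}
```

Driving it with two `net.Pipe` origins, one read by a goroutine and one never read, delivers the read session's payloads in order while only the unread session's datagrams are counted as dropped.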
* TUN-9776: Support signing Debian packages with two keys for rollover
Debian Trixie doesn't support the SHA-1 algo for GPG keys.
This commit leverages the ability to provide two keys in the reprepro configuration in order to have two signatures in the InRelease and Release.gpg files.
This allows users that have the old key to continue fetching the binaries with the old key while allowing us to provide a new key that can be used in Trixie.
Unfortunately, current versions of RPM (since 2002) don't support double signing, so we can't apply the same logic for RPM.
Closes TUN-9776