mirror of git://git.gnupg.org/gnupg.git
Werner Koch
parent
fc1a185755
commit
4699911f04
37
Makefile.am
37
Makefile.am
|
|
@ -18,14 +18,13 @@
|
|||
|
||||
## Process this file with automake to produce Makefile.in
|
||||
|
||||
# Location of the released tarball archives. Note that this is an
|
||||
# internal archive and before uploading this to the public server,
|
||||
# manual tests should be run and the git release tag set and pushed.
|
||||
# Adjust as needed.
|
||||
RELEASE_ARCHIVE_DIR = wk@vigenere:tarballs/gnupg/v2.2
|
||||
|
||||
# The key used to sign the released sources. Adjust as needed.
|
||||
RELEASE_SIGNING_KEY = D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
|
||||
# Location of the released tarball archives. This is prefixed by
|
||||
# the variable RELEASE_ARCHIVE in ~/.gnupg-autogen.rc. For example:
|
||||
# RELEASE_ARCHIVE=user@host:archive/tarballs
|
||||
RELEASE_ARCHIVE_SUFFIX = gnupg/v2.3
|
||||
# The variable RELEASE_SIGNKEY in ~/.gnupg-autogen.rc is used
|
||||
# to specify the key for signing. For example:
|
||||
# RELEASE_SIGNKEY=D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
|
||||
|
||||
|
||||
# Autoconf flags.
|
||||
|
|
@ -203,6 +202,18 @@ release:
|
|||
sign-release:
|
||||
+(set -e; \
|
||||
cd dist; \
|
||||
x=$$(grep '^RELEASE_ARCHIVE=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
|
||||
if [ -z "$$x" ]; then \
|
||||
echo "error: RELEASE_ARCHIVE missing in ~/.gnupg-autogen.rc">&2; \
|
||||
exit 2;\
|
||||
fi;\
|
||||
myarchive="$$x/$(RELEASE_ARCHIVE_SUFFIX)";\
|
||||
x=$$(grep '^RELEASE_SIGNKEY=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
|
||||
if [ -z "$$x" ]; then \
|
||||
echo "error: RELEASE_SIGNKEY missing in ~/.gnupg-autogen.rc">&2; \
|
||||
exit 2;\
|
||||
fi;\
|
||||
mysignkey="$$x";\
|
||||
release_w32_name="$(RELEASE_W32_STEM_NAME)_$$(date -u +%Y%m%d)" ;\
|
||||
files1="$(RELEASE_NAME).tar.bz2 \
|
||||
$${release_w32_name}.tar.xz \
|
||||
|
|
@ -215,11 +226,11 @@ sign-release:
|
|||
$${release_w32_name}.exe.swdb" ;\
|
||||
$(MAKE) -f $(RELEASE_NAME)/build-aux/speedo.mk w32-sign-installer ;\
|
||||
echo "/* Signing the source tarball ..." ;\
|
||||
gpg -sbu $(RELEASE_SIGNING_KEY) $(RELEASE_NAME).tar.bz2 ;\
|
||||
gpg -sbu $$mysignkey $(RELEASE_NAME).tar.bz2 ;\
|
||||
echo "/* Signing the W32 source tarball ..." ;\
|
||||
gpg -sbu $(RELEASE_SIGNING_KEY) $${release_w32_name}.tar.xz ;\
|
||||
gpg -sbu $$mysignkey $${release_w32_name}.tar.xz ;\
|
||||
echo "/* Signing the W32 installer ..." ;\
|
||||
gpg -sbu $(RELEASE_SIGNING_KEY) $${release_w32_name}.exe ;\
|
||||
gpg -sbu $$mysignkey $${release_w32_name}.exe ;\
|
||||
cat $(RELEASE_NAME).swdb >swdb.snippet;\
|
||||
echo '#+macro: gnupg22_branch STABLE-BRANCH-2-2' >>swdb.snippet;\
|
||||
cat $${release_w32_name}.exe.swdb >>swdb.snippet;\
|
||||
|
|
@ -227,8 +238,8 @@ sign-release:
|
|||
sha1sum $${files1} >>swdb.snippet ;\
|
||||
cat "../$(RELEASE_NAME).buildlog" swdb.snippet \
|
||||
| gzip >$(RELEASE_NAME).buildlog ;\
|
||||
echo "Release created - copying it to the local archive ..." ;\
|
||||
scp -p $${files1} $${files2} $(RELEASE_ARCHIVE_DIR)/ || true;\
|
||||
echo "Release created - copying it to the archive ..." ;\
|
||||
scp -p $${files1} $${files2} $$myarchive/ || true;\
|
||||
echo '/*' ;\
|
||||
echo ' * All done; for checksums see dist/swdb.snippet' ;\
|
||||
echo ' */' ;\
|
||||
|
|
|
|||
|
|
@ -41,6 +41,47 @@
|
|||
#
|
||||
# Lists packages and versions.
|
||||
#
|
||||
# The information reyured to sign the tarballs and binaries
|
||||
# are expected in the developer specific file ~/.gnupg-autogen.rc".
|
||||
# Here is an example:
|
||||
#--8<---------------cut here---------------start------------->8---
|
||||
# # Location of the released tarball archives. Note that this is an
|
||||
# # internal archive and before uploading this to the public server,
|
||||
# # manual tests should be run and the git release tagged and pushed.
|
||||
# # This is greped by the Makefile.
|
||||
# RELEASE_ARCHIVE=foo@somehost:tarball-archive
|
||||
#
|
||||
# # The key used to sign the released sources.
|
||||
# # This is greped by the Makefile.
|
||||
# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
|
||||
#
|
||||
# # For signing Windows binaries we need to employ a Windows machine.
|
||||
# # We connect to this machine via ssh and take the connection
|
||||
# # parameters via .ssh/config. For example a VM could be specified
|
||||
# # like this:
|
||||
# #
|
||||
# # Host authenticode-signhost
|
||||
# # HostName localhost
|
||||
# # Port 27042
|
||||
# # User gpgsign
|
||||
# #
|
||||
# # Depending on the used token it might be necessary to allow single
|
||||
# # signon and unlock the token before running the make. The following
|
||||
# # variable references this entry. This is greped by the Makefile.
|
||||
# AUTHENTICODE_SIGNHOST=authenticode-signhost
|
||||
#
|
||||
# # The name of the signtool as used on Windows.
|
||||
# # This is greped by the Makefile.
|
||||
# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
|
||||
#
|
||||
# # To use osslsigncode the follwing entries are required and
|
||||
# # an empty string must be given for AUTHENTICODE_SIGNHOST.
|
||||
# # They are greped by the Makefile.
|
||||
# AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12
|
||||
# AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem
|
||||
#
|
||||
#--8<---------------cut here---------------end--------------->8---
|
||||
|
||||
|
||||
# We need to know our own name.
|
||||
SPEEDO_MK := $(realpath $(lastword $(MAKEFILE_LIST)))
|
||||
|
|
@ -172,17 +213,17 @@ INSTALL_PREFIX=none
|
|||
# Set this to the location of wixtools
|
||||
WIXPREFIX=
|
||||
|
||||
# The Authenticode key and cert chain used to sign the Windows
|
||||
# installer If AUTHENTICODE_SIGNHOST is specified, signing is done on
|
||||
# that host using the Windows signtool. The signhost is usually an
|
||||
# entry in .ssh/config. Depending on the used token it might be
|
||||
# necessary to allow single signon and unlock the token before running
|
||||
# this makefile. All files given in AUTHENTICODE_FILES are signed
|
||||
# before they are put into the installer.
|
||||
AUTHENTICODE_SIGNHOST=authenticode-signhost
|
||||
AUTHENTICODE_TOOL='"C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"'
|
||||
AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
|
||||
AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem
|
||||
# Read signing information from ~/.gnupg-autogen.rc
|
||||
define READ_AUTOGEN_template
|
||||
$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2)
|
||||
endef
|
||||
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
|
||||
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
|
||||
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
|
||||
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
|
||||
|
||||
# All files given in AUTHENTICODE_FILES are signed before
|
||||
# they are put into the installer.
|
||||
AUTHENTICODE_FILES= \
|
||||
dirmngr.exe \
|
||||
dirmngr_ldap.exe \
|
||||
|
|
@ -1362,7 +1403,7 @@ define AUTHENTICODE_sign
|
|||
if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
|
||||
echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
|
||||
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
|
||||
ssh "$(AUTHENTICODE_SIGNHOST)" $(AUTHENTICODE_TOOL) sign \
|
||||
ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \
|
||||
/n '"g10 Code GmbH"' \
|
||||
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
|
||||
/fd sha256 /du https://gnupg.org a.exe ;\
|
||||
|
|
|
|||
Loading…
Reference in New Issue