1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

build: Sign all Windows binaries.

* build-aux/speedo.mk (AUTHENTICODE_SIGNHOST): New.
(AUTHENTICODE_TOOL): New.
(AUTHENTICODE_FILES): New.
(installer): Sign listed files.
(AUTHENTICODE_SIGNHOST): New macro.
(sign-installer): Use that macro instead of direct use of osslsigncode.
--

This also adds code to support signing via a Token.  Because there is
no specification of that token, I was not able to write a free driver
for it.  Thus we resort to use a running Windows-10 instance with an
enabled ssh server to do the code signing.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e6901c2bc802996c24335bcb35012ccb74b4ced0)
This commit is contained in:
Werner Koch 2019-05-09 13:39:34 +02:00 committed by Andre Heinecke
parent 100642e776
commit 4964691861

View File

@ -157,9 +157,41 @@ INST_NAME=gnupg-w32
# Use this to override the installaion directory for native builds. # Use this to override the installaion directory for native builds.
INSTALL_PREFIX=none INSTALL_PREFIX=none
# The Authenticode key and cert chain used to sign the Windows installer # The Authenticode key and cert chain used to sign the Windows
# installer If AUTHENTICODE_SIGNHOST is specified, signing is done on
# that host using the Windows signtool. The signhost is usually an
# entry in .ssh/config. Depending on the used token it might be
# necessary to allow single signon and unlock the token before running
# this makefile. All files given in AUTHENTICODE_FILES are signed
# before they are put into the installer.
AUTHENTICODE_SIGNHOST=authenticode-signhost
AUTHENTICODE_TOOL='"C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"'
AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12 AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem
AUTHENTICODE_FILES= \
dirmngr.exe \
dirmngr_ldap.exe \
gpg-agent.exe \
gpg-connect-agent.exe \
gpg-preset-passphrase.exe \
gpg-wks-client.exe \
gpg.exe \
gpgconf.exe \
gpgme-w32spawn.exe \
gpgsm.exe \
gpgtar.exe \
gpgv.exe \
libassuan-0.dll \
libgcrypt-20.dll \
libgpg-error-0.dll \
libgpgme-11.dll \
libksba-8.dll \
libnpth-0.dll \
libsqlite3-0.dll \
pinentry-w32.exe \
scdaemon.exe \
zlib1.dll
# Directory names. # Directory names.
@ -1211,7 +1243,22 @@ ifeq ($(WITH_GUI),1)
extra_installer_options += -DWITH_GUI=1 extra_installer_options += -DWITH_GUI=1
endif endif
# Note that we sign only when doing the final installer.
installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt
(set -e;\
cd "$(idir)"; \
if echo "$(idir)" | grep -q '/PLAY-release/' ; then \
for f in $(AUTHENTICODE_FILES); do \
if [ -f "bin/$$f" ]; then \
$(call AUTHENTICODE_sign,"bin/$$f","bin/$$f");\
elif [ -f "libexec/$$f" ]; then \
$(call AUTHENTICODE_sign,"libexec/$$f","libexec/$$f");\
else \
echo "speedo: WARNING: file '$$f' not available for signing";\
fi;\
done; \
fi \
)
(nsis3_args=$$(makensis -version | grep -q "^v3" && \ (nsis3_args=$$(makensis -version | grep -q "^v3" && \
echo "-INPUTCHARSET CP1252"); \ echo "-INPUTCHARSET CP1252"); \
$(MAKENSIS) -V2 $$nsis3_args \ $(MAKENSIS) -V2 $$nsis3_args \
@ -1239,6 +1286,28 @@ define MKSWDB_commands
) | tee $(1).swdb ) | tee $(1).swdb
endef endef
# Sign the file $1 and save the result as $2
define AUTHENTICODE_sign
set -e;\
if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
ssh "$(AUTHENTICODE_SIGNHOST)" $(AUTHENTICODE_TOOL) sign \
/n '"g10 Code GmbH"' \
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
/fd sha256 /du https://gnupg.org a.exe ;\
scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
echo "speedo: signed file is '$(2)'" ;\
else \
echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
-ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
-h sha256 -n GnuPG -i https://gnupg.org \
-in $(1) -out $(2) ;\
fi
endef
# Build the installer from the source tarball. # Build the installer from the source tarball.
installer-from-source: dist-source installer-from-source: dist-source
@ -1267,13 +1336,8 @@ sign-installer:
exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\ exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
echo "speedo: /*" ;\ echo "speedo: /*" ;\
echo "speedo: * Signing installer" ;\ echo "speedo: * Signing installer" ;\
echo "speedo: * Key: $(AUTHENTICODE_KEY)";\
echo "speedo: */" ;\ echo "speedo: */" ;\
osslsigncode sign -certs $(AUTHENTICODE_CERTS)\ $(call AUTHENTICODE_sign,"PLAY/inst/$$exefile","../../$$exefile");\
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
-ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
-h sha256 -n GnuPG -i https://gnupg.org \
-in "PLAY/inst/$$exefile" -out "../../$$exefile" ;\
exefile="../../$$exefile" ;\ exefile="../../$$exefile" ;\
$(call MKSWDB_commands,$${exefile},$${reldate}); \ $(call MKSWDB_commands,$${exefile},$${reldate}); \
echo "speedo: /*" ;\ echo "speedo: /*" ;\