From 83e2dede0a49b048c4aab9e5a2016144a8031763 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 25 Apr 2024 11:19:25 +0200 Subject: [PATCH] speedo: Use gpg-authcode-sign.sh and change archive label to v2.5. -- --- Makefile.am | 2 +- build-aux/speedo.mk | 95 ++++----------------------------------------- tools/Makefile.am | 2 +- 3 files changed, 9 insertions(+), 90 deletions(-) diff --git a/Makefile.am b/Makefile.am index 1b6933484..b6b8a8e9e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -24,7 +24,7 @@ WITH_MSI=1 # Location of the released tarball archives. This is prefixed by # the variable RELEASE_ARCHIVE in ~/.gnupg-autogen.rc. For example: # RELEASE_ARCHIVE=user@host:archive/tarballs -RELEASE_ARCHIVE_SUFFIX = gnupg/v2.4 +RELEASE_ARCHIVE_SUFFIX = gnupg/v2.5 # The variable RELEASE_SIGNKEY in ~/.gnupg-autogen.rc is used # to specify the key for signing. For example: # RELEASE_SIGNKEY=D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk index 8946c764c..3f515306b 100644 --- a/build-aux/speedo.mk +++ b/build-aux/speedo.mk @@ -43,58 +43,7 @@ # # The information required to sign the tarballs and binaries # are expected in the developer specific file ~/.gnupg-autogen.rc". -# Here is an example: -#--8<---------------cut here---------------start------------->8--- -# # Location of the released tarball archives. Note that this is an -# # internal archive and before uploading this to the public server, -# # manual tests should be run and the git release tagged and pushed. -# # This is greped by the Makefile. -# RELEASE_ARCHIVE=foo@somehost:tarball-archive -# -# # The key used to sign the GnuPG sources. -# # This is greped by the Makefile. -# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA -# -# # The key used to sign the VERSION files of some MSI installers. -# VERSION_SIGNKEY=02F38DFF731FF97CB039A1DA549E695E905BA208 -# -# # For signing Windows binaries we need to employ a Windows machine. -# # We connect to this machine via ssh and take the connection -# # parameters via .ssh/config. For example a VM could be specified -# # like this: -# # -# # Host authenticode-signhost -# # HostName localhost -# # Port 27042 -# # User gpgsign -# # -# # Depending on the used token it might be necessary to allow single -# # signon and unlock the token before running the make. The following -# # variable references this entry. This is greped by the Makefile. -# AUTHENTICODE_SIGNHOST=authenticode-signhost -# -# # The name of the signtool as used on Windows. -# # This is greped by the Makefile. -# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" -# -# # The URL for the timestamping service -# AUTHENTICODE_TSURL=http://rfc3161timestamp.globalsign.com/advanced -# -# # To use osslsigncode the follwing entries are required and -# # an empty string must be given for AUTHENTICODE_SIGNHOST. -# # They are greped by the Makefile. -# AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12 -# AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem -# -# # If a smartcard is used for the Authenticode signature these -# # entries are required instead: -# AUTHENTICODE_KEY=card -# AUTHENTICODE_CERTS=/home/foo/.gnupg/my_authenticode_cert.pem -# OSSLSIGNCODE=/usr/bin/osslsigncode -# OSSLPKCS11ENGINE=/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -# SCUTEMODULE=/usr/local/lib/scute.so -# -#--8<---------------cut here---------------end--------------->8--- +# Use "gpg-authcode-sign.sh --template" to create a template. # We need to know our own name. @@ -246,14 +195,6 @@ PATCHELF := $(shell patchelf --version 2>/dev/null >/dev/null || echo "echo plea define READ_AUTOGEN_template $(1) = $$(shell grep '^[[:blank:]]*$(1)[[:blank:]]*=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs) endef -$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST)) -$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL)) -$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TSURL)) -$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY)) -$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS)) -$(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE)) -$(eval $(call READ_AUTOGEN_template,OSSLPKCS11ENGINE)) -$(eval $(call READ_AUTOGEN_template,SCUTEMODULE)) $(eval $(call READ_AUTOGEN_template,OVERRIDE_TARBALLS)) @@ -1351,35 +1292,13 @@ endef # Sign the file $1 and save the result as $2 define AUTHENTICODE_sign - set -e;\ - if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \ - echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\ - scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\ - ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \ - /a /n '"g10 Code GmbH"' \ - /tr '$(AUTHENTICODE_TSURL)' /td sha256 \ - /fd sha256 /du https://gnupg.org a.exe ;\ - scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\ - echo "speedo: signed file is '$(2)'" ;\ - elif [ "$(AUTHENTICODE_KEY)" = card ]; then \ - echo "speedo: Signing using a card: '$(1)'";\ - $(OSSLSIGNCODE) sign \ - -pkcs11engine $(OSSLPKCS11ENGINE) \ - -pkcs11module $(SCUTEMODULE) \ - -certs $(AUTHENTICODE_CERTS) \ - -h sha256 -n GnuPG -i https://gnupg.org \ - -ts $(AUTHENTICODE_TSURL) \ - -in $(1) -out $(2).tmp ; mv $(2).tmp $(2) ; \ - elif [ -e "$(AUTHENTICODE_KEY)" ]; then \ - echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\ - osslsigncode sign -certs $(AUTHENTICODE_CERTS) \ - -pkcs12 $(AUTHENTICODE_KEY) -askpass \ - -ts "$(AUTHENTICODE_TSURL)" \ - -h sha256 -n GnuPG -i https://gnupg.org \ - -in $(1) -out $(2) ;\ + (set -e; + if gpg-authcode-sign.sh --version >/dev/null; then \ + gpg-authcode-sign.sh "$(1)" "$(2)"; \ else \ - echo "speedo: WARNING: Binaries are not signed"; \ - fi + echo 2>&1 "warning: Please install gpg-authcode-sign.sh to sign files." ;\ + [ "$(1)" != "$(2)" ] && cp "$(1)" "$(2)" ;\ + fi) endef # Help target for testing to sign a file. diff --git a/tools/Makefile.am b/tools/Makefile.am index 822c42a4f..9321da9e3 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am @@ -18,7 +18,7 @@ EXTRA_DIST = \ Manifest watchgnupg.c no-libgcrypt.c \ - addgnupghome applygnupgdefaults \ + addgnupghome applygnupgdefaults gpg-authcode-sign.sh \ lspgpot mail-signed-keys convert-from-106 sockprox.c \ ccidmon.c ChangeLog-2011 \ gpg-connect-agent-w32info.rc gpg-connect-agent.w32-manifest.in \