security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-05-14 08:13:25 +02:00
Code Activity

speedo: Require the use of an installed gpg-authcode-sign.sh

Browse Source 
* build-aux/speedo.mk: Change to use the external sign script.
This commit is contained in:
Werner Koch 2025-04-02 12:10:08 +02:00
parent 4491058772
commit 9e9b762108
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 7 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
build-aux/speedo.mk
View File

@ -43,47 +43,7 @@
# #
# The information reyured to sign the tarballs and binaries # The information reyured to sign the tarballs and binaries
# are expected in the developer specific file ~/.gnupg-autogen.rc". # are expected in the developer specific file ~/.gnupg-autogen.rc".
# Here is an example: # Use "gpg-authcode-sign.sh --template" to create a template.
#--8<---------------cut here---------------start------------->8---
# # Location of the released tarball archives. Note that this is an
# # internal archive and before uploading this to the public server,
# # manual tests should be run and the git release tagged and pushed.
# # This is greped by the Makefile.
# RELEASE_ARCHIVE=foo@somehost:tarball-archive
#
# # The key used to sign the released sources.
# # This is greped by the Makefile.
# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
#
# # For signing Windows binaries we need to employ a Windows machine.
# # We connect to this machine via ssh and take the connection
# # parameters via .ssh/config. For example a VM could be specified
# # like this:
# #
# # Host authenticode-signhost
# # HostName localhost
# # Port 27042
# # User gpgsign
# #
# # Depending on the used token it might be necessary to allow single
# # signon and unlock the token before running the make. The following
# # variable references this entry. This is greped by the Makefile.
# AUTHENTICODE_SIGNHOST=authenticode-signhost
#
# # The name of the signtool as used on Windows.
# # This is greped by the Makefile.
# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
#
# # To use osslsigncode the follwing entries are required and
# # an empty string must be given for AUTHENTICODE_SIGNHOST.
# # They are greped by the Makefile.
# AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12
# AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem
#
# If a tarball has not been published while building a release it
# may be stored in a directory specified by:
# OVERRIDE_TARBALLS=/home/foo/override-tarballs
#--8<---------------cut here---------------end--------------->8---
# We need to know our own name. # We need to know our own name.
@ -245,13 +205,6 @@ WIXPREFIX=$(shell readlink -f ~/w32root/wixtools)
define READ_AUTOGEN_template define READ_AUTOGEN_template
$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2) $(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2)
endef endef
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
$(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE))
$(eval $(call READ_AUTOGEN_template,OSSLPKCS11ENGINE))
$(eval $(call READ_AUTOGEN_template,SCUTEMODULE))
$(eval $(call READ_AUTOGEN_template,OVERRIDE_TARBALLS)) $(eval $(call READ_AUTOGEN_template,OVERRIDE_TARBALLS))
# All files given in AUTHENTICODE_FILES are signed before # All files given in AUTHENTICODE_FILES are signed before
@ -1450,35 +1403,13 @@ endef
# Sign the file $1 and save the result as $2 # Sign the file $1 and save the result as $2
define AUTHENTICODE_sign define AUTHENTICODE_sign
set -e;\ (set -e; \
if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \ if (gpg-authcode-sign.sh --version >/dev/null); then \
echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\ gpg-authcode-sign.sh "$(1)" "$(2)"; \
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \
/a /n '"g10 Code GmbH"' \
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
/fd sha256 /du https://gnupg.org a.exe ;\
scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
echo "speedo: signed file is '$(2)'" ;\
elif [ "$(AUTHENTICODE_KEY)" = card ]; then \
echo "speedo: Signing using a card";\
$(OSSLSIGNCODE) sign \
-pkcs11engine $(OSSLPKCS11ENGINE) \
-pkcs11module $(SCUTEMODULE) \
-certs $(AUTHENTICODE_CERTS) \
-h sha256 -n GnuPG -i https://gnupg.org \
-ts http://rfc3161timestamp.globalsign.com/advanced \
-in $(1) -out $(2).tmp ; mv $(2).tmp $(2) ; \
elif [ -e "$(AUTHENTICODE_KEY)" ]; then \
echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
-ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
-h sha256 -n GnuPG -i https://gnupg.org \
-in $(1) -out $(2) ;\
else \ else \
echo "speedo: WARNING: Binaries are not signed"; \ echo 2>&1 "warning: Please install gpg-authcode-sign.sh to sign files." ;\
fi [ "$(1)" != "$(2)" ] && cp "$(1)" "$(2)" ;\
fi)
endef endef
# Help target for testing to sign a file. # Help target for testing to sign a file.