mirror of
git://git.gnupg.org/gnupg.git
synced 2025-05-14 08:13:25 +02:00
speedo: Require the use of an installed gpg-authcode-sign.sh
* build-aux/speedo.mk: Change to use the external sign script.
This commit is contained in:
Werner Koch
parent
4491058772
commit
9e9b762108
@ -43,47 +43,7 @@
|
||||
#
|
||||
# The information reyured to sign the tarballs and binaries
|
||||
# are expected in the developer specific file ~/.gnupg-autogen.rc".
|
||||
# Here is an example:
|
||||
#--8<---------------cut here---------------start------------->8---
|
||||
# # Location of the released tarball archives. Note that this is an
|
||||
# # internal archive and before uploading this to the public server,
|
||||
# # manual tests should be run and the git release tagged and pushed.
|
||||
# # This is greped by the Makefile.
|
||||
# RELEASE_ARCHIVE=foo@somehost:tarball-archive
|
||||
#
|
||||
# # The key used to sign the released sources.
|
||||
# # This is greped by the Makefile.
|
||||
# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
|
||||
#
|
||||
# # For signing Windows binaries we need to employ a Windows machine.
|
||||
# # We connect to this machine via ssh and take the connection
|
||||
# # parameters via .ssh/config. For example a VM could be specified
|
||||
# # like this:
|
||||
# #
|
||||
# # Host authenticode-signhost
|
||||
# # HostName localhost
|
||||
# # Port 27042
|
||||
# # User gpgsign
|
||||
# #
|
||||
# # Depending on the used token it might be necessary to allow single
|
||||
# # signon and unlock the token before running the make. The following
|
||||
# # variable references this entry. This is greped by the Makefile.
|
||||
# AUTHENTICODE_SIGNHOST=authenticode-signhost
|
||||
#
|
||||
# # The name of the signtool as used on Windows.
|
||||
# # This is greped by the Makefile.
|
||||
# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
|
||||
#
|
||||
# # To use osslsigncode the follwing entries are required and
|
||||
# # an empty string must be given for AUTHENTICODE_SIGNHOST.
|
||||
# # They are greped by the Makefile.
|
||||
# AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12
|
||||
# AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem
|
||||
#
|
||||
# If a tarball has not been published while building a release it
|
||||
# may be stored in a directory specified by:
|
||||
# OVERRIDE_TARBALLS=/home/foo/override-tarballs
|
||||
#--8<---------------cut here---------------end--------------->8---
|
||||
# Use "gpg-authcode-sign.sh --template" to create a template.
|
||||
|
||||
|
||||
# We need to know our own name.
|
||||
@ -245,13 +205,6 @@ WIXPREFIX=$(shell readlink -f ~/w32root/wixtools)
|
||||
define READ_AUTOGEN_template
|
||||
$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2)
|
||||
endef
|
||||
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
|
||||
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
|
||||
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
|
||||
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
|
||||
$(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE))
|
||||
$(eval $(call READ_AUTOGEN_template,OSSLPKCS11ENGINE))
|
||||
$(eval $(call READ_AUTOGEN_template,SCUTEMODULE))
|
||||
$(eval $(call READ_AUTOGEN_template,OVERRIDE_TARBALLS))
|
||||
|
||||
# All files given in AUTHENTICODE_FILES are signed before
|
||||
@ -1450,35 +1403,13 @@ endef
|
||||
|
||||
# Sign the file $1 and save the result as $2
|
||||
define AUTHENTICODE_sign
|
||||
set -e;\
|
||||
if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
|
||||
echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
|
||||
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
|
||||
ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \
|
||||
/a /n '"g10 Code GmbH"' \
|
||||
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
|
||||
/fd sha256 /du https://gnupg.org a.exe ;\
|
||||
scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
|
||||
echo "speedo: signed file is '$(2)'" ;\
|
||||
elif [ "$(AUTHENTICODE_KEY)" = card ]; then \
|
||||
echo "speedo: Signing using a card";\
|
||||
$(OSSLSIGNCODE) sign \
|
||||
-pkcs11engine $(OSSLPKCS11ENGINE) \
|
||||
-pkcs11module $(SCUTEMODULE) \
|
||||
-certs $(AUTHENTICODE_CERTS) \
|
||||
-h sha256 -n GnuPG -i https://gnupg.org \
|
||||
-ts http://rfc3161timestamp.globalsign.com/advanced \
|
||||
-in $(1) -out $(2).tmp ; mv $(2).tmp $(2) ; \
|
||||
elif [ -e "$(AUTHENTICODE_KEY)" ]; then \
|
||||
echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
|
||||
osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
|
||||
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
|
||||
-ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
|
||||
-h sha256 -n GnuPG -i https://gnupg.org \
|
||||
-in $(1) -out $(2) ;\
|
||||
(set -e; \
|
||||
if (gpg-authcode-sign.sh --version >/dev/null); then \
|
||||
gpg-authcode-sign.sh "$(1)" "$(2)"; \
|
||||
else \
|
||||
echo "speedo: WARNING: Binaries are not signed"; \
|
||||
fi
|
||||
echo 2>&1 "warning: Please install gpg-authcode-sign.sh to sign files." ;\
|
||||
[ "$(1)" != "$(2)" ] && cp "$(1)" "$(2)" ;\
|
||||
fi)
|
||||
endef
|
||||
|
||||
# Help target for testing to sign a file.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user