mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
build: Sign all Windows binaries.
* build-aux/speedo.mk (AUTHENTICODE_SIGNHOST): New. (AUTHENTICODE_TOOL): New. (AUTHENTICODE_FILES): New. (installer): Sign listed files. (AUTHENTICODE_SIGNHOST): New macro. (sign-installer): Use that macro instead of direct use of osslsigncode. -- This also adds code to support signing via a Token. Because there is no specification of that token, I was not able to write a free driver for it. Thus we resort to use a running Windows-10 instance with an enabled ssh server to do the code signing. Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
781d2c5c89
commit
e6901c2bc8
@ -157,9 +157,41 @@ INST_NAME=gnupg-w32
|
||||
# Use this to override the installaion directory for native builds.
|
||||
INSTALL_PREFIX=none
|
||||
|
||||
# The Authenticode key and cert chain used to sign the Windows installer
|
||||
# The Authenticode key and cert chain used to sign the Windows
|
||||
# installer If AUTHENTICODE_SIGNHOST is specified, signing is done on
|
||||
# that host using the Windows signtool. The signhost is usually an
|
||||
# entry in .ssh/config. Depending on the used token it might be
|
||||
# necessary to allow single signon and unlock the token before running
|
||||
# this makefile. All files given in AUTHENTICODE_FILES are signed
|
||||
# before they are put into the installer.
|
||||
AUTHENTICODE_SIGNHOST=authenticode-signhost
|
||||
AUTHENTICODE_TOOL='"C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"'
|
||||
AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
|
||||
AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem
|
||||
AUTHENTICODE_FILES= \
|
||||
dirmngr.exe \
|
||||
dirmngr_ldap.exe \
|
||||
gpg-agent.exe \
|
||||
gpg-connect-agent.exe \
|
||||
gpg-preset-passphrase.exe \
|
||||
gpg-wks-client.exe \
|
||||
gpg.exe \
|
||||
gpgconf.exe \
|
||||
gpgme-w32spawn.exe \
|
||||
gpgsm.exe \
|
||||
gpgtar.exe \
|
||||
gpgv.exe \
|
||||
libassuan-0.dll \
|
||||
libgcrypt-20.dll \
|
||||
libgpg-error-0.dll \
|
||||
libgpgme-11.dll \
|
||||
libksba-8.dll \
|
||||
libnpth-0.dll \
|
||||
libsqlite3-0.dll \
|
||||
pinentry-w32.exe \
|
||||
scdaemon.exe \
|
||||
zlib1.dll
|
||||
|
||||
|
||||
|
||||
# Directory names.
|
||||
@ -1211,7 +1243,22 @@ ifeq ($(WITH_GUI),1)
|
||||
extra_installer_options += -DWITH_GUI=1
|
||||
endif
|
||||
|
||||
# Note that we sign only when doing the final installer.
|
||||
installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt
|
||||
(set -e;\
|
||||
cd "$(idir)"; \
|
||||
if echo "$(idir)" | grep -q '/PLAY-release/' ; then \
|
||||
for f in $(AUTHENTICODE_FILES); do \
|
||||
if [ -f "bin/$$f" ]; then \
|
||||
$(call AUTHENTICODE_sign,"bin/$$f","bin/$$f");\
|
||||
elif [ -f "libexec/$$f" ]; then \
|
||||
$(call AUTHENTICODE_sign,"libexec/$$f","libexec/$$f");\
|
||||
else \
|
||||
echo "speedo: WARNING: file '$$f' not available for signing";\
|
||||
fi;\
|
||||
done; \
|
||||
fi \
|
||||
)
|
||||
$(MAKENSIS) -V2 \
|
||||
-DINST_DIR=$(idir) \
|
||||
-DINST6_DIR=$(idir6) \
|
||||
@ -1237,6 +1284,28 @@ define MKSWDB_commands
|
||||
) | tee $(1).swdb
|
||||
endef
|
||||
|
||||
# Sign the file $1 and save the result as $2
|
||||
define AUTHENTICODE_sign
|
||||
set -e;\
|
||||
if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
|
||||
echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
|
||||
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
|
||||
ssh "$(AUTHENTICODE_SIGNHOST)" $(AUTHENTICODE_TOOL) sign \
|
||||
/n '"g10 Code GmbH"' \
|
||||
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
|
||||
/fd sha256 /du https://gnupg.org a.exe ;\
|
||||
scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
|
||||
echo "speedo: signed file is '$(2)'" ;\
|
||||
else \
|
||||
echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
|
||||
osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
|
||||
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
|
||||
-ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
|
||||
-h sha256 -n GnuPG -i https://gnupg.org \
|
||||
-in $(1) -out $(2) ;\
|
||||
fi
|
||||
endef
|
||||
|
||||
|
||||
# Build the installer from the source tarball.
|
||||
installer-from-source: dist-source
|
||||
@ -1265,13 +1334,8 @@ sign-installer:
|
||||
exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
|
||||
echo "speedo: /*" ;\
|
||||
echo "speedo: * Signing installer" ;\
|
||||
echo "speedo: * Key: $(AUTHENTICODE_KEY)";\
|
||||
echo "speedo: */" ;\
|
||||
osslsigncode sign -certs $(AUTHENTICODE_CERTS)\
|
||||
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
|
||||
-ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
|
||||
-h sha256 -n GnuPG -i https://gnupg.org \
|
||||
-in "PLAY/inst/$$exefile" -out "../../$$exefile" ;\
|
||||
$(call AUTHENTICODE_sign,"PLAY/inst/$$exefile","../../$$exefile");\
|
||||
exefile="../../$$exefile" ;\
|
||||
$(call MKSWDB_commands,$${exefile},$${reldate}); \
|
||||
echo "speedo: /*" ;\
|
||||
|
Loading…
x
Reference in New Issue
Block a user