mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-03 12:11:33 +01:00
build: Sign all Windows binaries.
* build-aux/speedo.mk (AUTHENTICODE_SIGNHOST): New. (AUTHENTICODE_TOOL): New. (AUTHENTICODE_FILES): New. (installer): Sign listed files. (AUTHENTICODE_SIGNHOST): New macro. (sign-installer): Use that macro instead of direct use of osslsigncode. -- This also adds code to support signing via a Token. Because there is no specification of that token, I was not able to write a free driver for it. Thus we resort to use a running Windows-10 instance with an enabled ssh server to do the code signing. Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
781d2c5c89
commit
e6901c2bc8
@ -157,9 +157,41 @@ INST_NAME=gnupg-w32
|
|||||||
# Use this to override the installaion directory for native builds.
|
# Use this to override the installaion directory for native builds.
|
||||||
INSTALL_PREFIX=none
|
INSTALL_PREFIX=none
|
||||||
|
|
||||||
# The Authenticode key and cert chain used to sign the Windows installer
|
# The Authenticode key and cert chain used to sign the Windows
|
||||||
|
# installer If AUTHENTICODE_SIGNHOST is specified, signing is done on
|
||||||
|
# that host using the Windows signtool. The signhost is usually an
|
||||||
|
# entry in .ssh/config. Depending on the used token it might be
|
||||||
|
# necessary to allow single signon and unlock the token before running
|
||||||
|
# this makefile. All files given in AUTHENTICODE_FILES are signed
|
||||||
|
# before they are put into the installer.
|
||||||
|
AUTHENTICODE_SIGNHOST=authenticode-signhost
|
||||||
|
AUTHENTICODE_TOOL='"C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"'
|
||||||
AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
|
AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
|
||||||
AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem
|
AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem
|
||||||
|
AUTHENTICODE_FILES= \
|
||||||
|
dirmngr.exe \
|
||||||
|
dirmngr_ldap.exe \
|
||||||
|
gpg-agent.exe \
|
||||||
|
gpg-connect-agent.exe \
|
||||||
|
gpg-preset-passphrase.exe \
|
||||||
|
gpg-wks-client.exe \
|
||||||
|
gpg.exe \
|
||||||
|
gpgconf.exe \
|
||||||
|
gpgme-w32spawn.exe \
|
||||||
|
gpgsm.exe \
|
||||||
|
gpgtar.exe \
|
||||||
|
gpgv.exe \
|
||||||
|
libassuan-0.dll \
|
||||||
|
libgcrypt-20.dll \
|
||||||
|
libgpg-error-0.dll \
|
||||||
|
libgpgme-11.dll \
|
||||||
|
libksba-8.dll \
|
||||||
|
libnpth-0.dll \
|
||||||
|
libsqlite3-0.dll \
|
||||||
|
pinentry-w32.exe \
|
||||||
|
scdaemon.exe \
|
||||||
|
zlib1.dll
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Directory names.
|
# Directory names.
|
||||||
@ -1211,7 +1243,22 @@ ifeq ($(WITH_GUI),1)
|
|||||||
extra_installer_options += -DWITH_GUI=1
|
extra_installer_options += -DWITH_GUI=1
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
# Note that we sign only when doing the final installer.
|
||||||
installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt
|
installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt
|
||||||
|
(set -e;\
|
||||||
|
cd "$(idir)"; \
|
||||||
|
if echo "$(idir)" | grep -q '/PLAY-release/' ; then \
|
||||||
|
for f in $(AUTHENTICODE_FILES); do \
|
||||||
|
if [ -f "bin/$$f" ]; then \
|
||||||
|
$(call AUTHENTICODE_sign,"bin/$$f","bin/$$f");\
|
||||||
|
elif [ -f "libexec/$$f" ]; then \
|
||||||
|
$(call AUTHENTICODE_sign,"libexec/$$f","libexec/$$f");\
|
||||||
|
else \
|
||||||
|
echo "speedo: WARNING: file '$$f' not available for signing";\
|
||||||
|
fi;\
|
||||||
|
done; \
|
||||||
|
fi \
|
||||||
|
)
|
||||||
$(MAKENSIS) -V2 \
|
$(MAKENSIS) -V2 \
|
||||||
-DINST_DIR=$(idir) \
|
-DINST_DIR=$(idir) \
|
||||||
-DINST6_DIR=$(idir6) \
|
-DINST6_DIR=$(idir6) \
|
||||||
@ -1237,6 +1284,28 @@ define MKSWDB_commands
|
|||||||
) | tee $(1).swdb
|
) | tee $(1).swdb
|
||||||
endef
|
endef
|
||||||
|
|
||||||
|
# Sign the file $1 and save the result as $2
|
||||||
|
define AUTHENTICODE_sign
|
||||||
|
set -e;\
|
||||||
|
if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
|
||||||
|
echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
|
||||||
|
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
|
||||||
|
ssh "$(AUTHENTICODE_SIGNHOST)" $(AUTHENTICODE_TOOL) sign \
|
||||||
|
/n '"g10 Code GmbH"' \
|
||||||
|
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
|
||||||
|
/fd sha256 /du https://gnupg.org a.exe ;\
|
||||||
|
scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
|
||||||
|
echo "speedo: signed file is '$(2)'" ;\
|
||||||
|
else \
|
||||||
|
echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
|
||||||
|
osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
|
||||||
|
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
|
||||||
|
-ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
|
||||||
|
-h sha256 -n GnuPG -i https://gnupg.org \
|
||||||
|
-in $(1) -out $(2) ;\
|
||||||
|
fi
|
||||||
|
endef
|
||||||
|
|
||||||
|
|
||||||
# Build the installer from the source tarball.
|
# Build the installer from the source tarball.
|
||||||
installer-from-source: dist-source
|
installer-from-source: dist-source
|
||||||
@ -1265,13 +1334,8 @@ sign-installer:
|
|||||||
exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
|
exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
|
||||||
echo "speedo: /*" ;\
|
echo "speedo: /*" ;\
|
||||||
echo "speedo: * Signing installer" ;\
|
echo "speedo: * Signing installer" ;\
|
||||||
echo "speedo: * Key: $(AUTHENTICODE_KEY)";\
|
|
||||||
echo "speedo: */" ;\
|
echo "speedo: */" ;\
|
||||||
osslsigncode sign -certs $(AUTHENTICODE_CERTS)\
|
$(call AUTHENTICODE_sign,"PLAY/inst/$$exefile","../../$$exefile");\
|
||||||
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
|
|
||||||
-ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
|
|
||||||
-h sha256 -n GnuPG -i https://gnupg.org \
|
|
||||||
-in "PLAY/inst/$$exefile" -out "../../$$exefile" ;\
|
|
||||||
exefile="../../$$exefile" ;\
|
exefile="../../$$exefile" ;\
|
||||||
$(call MKSWDB_commands,$${exefile},$${reldate}); \
|
$(call MKSWDB_commands,$${exefile},$${reldate}); \
|
||||||
echo "speedo: /*" ;\
|
echo "speedo: /*" ;\
|
||||||
|
Loading…
x
Reference in New Issue
Block a user