Windows installer is code-signed

We now use osslsigncode to sign the windows binaries. The Windows Installer as well as the dlls and exes are being signed. For now only with a dummy certificate. Also refactored the specfile a bit
bareos · Apr 28, 2015 · 974fdaa · 974fdaa
1 parent 4b2b7d7
commit 974fdaa
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 52 deletions.
diff --git a/platforms/win32/winbareos-nsi.spec b/platforms/win32/winbareos-nsi.spec
@@ -75,6 +75,8 @@ BuildRequires:  mingw64-lzo
 BuildRequires:  mingw32-libfastlz
 BuildRequires:  mingw64-libfastlz
 
+BuildRequires:  osslsigncode
+
 Source1:         winbareos.nsi
 Source2:         clientdialog.ini
 Source3:         directordialog.ini
@@ -84,6 +86,10 @@ Source6:         bareos.ico
 Source7:         AccessControl.dll
 Source8:         LogEx.dll
 Source9:         databasedialog.ini
+
+# code signing cert
+Source10:        ia.p12
+Source11:        signpassword
 %description
 bareos
 
@@ -109,20 +115,18 @@ do
    cp %SOURCE7 $RPM_BUILD_ROOT/$flavor/nsisplugins  #  AccessControl
    cp %SOURCE8 $RPM_BUILD_ROOT/$flavor/nsisplugins  #  LogEx
 
-   mkdir -p $RPM_BUILD_ROOT/$flavor/release32
-   mkdir -p $RPM_BUILD_ROOT/$flavor/release64
+   for BITS in 32 64; do
+      mkdir -p $RPM_BUILD_ROOT/$flavor/release${BITS}
 
-# copy the sql ddls over
-   cp -av /etc/$flavor/mingw32-winbareos/ddl $RPM_BUILD_ROOT/$flavor/release32
-   cp -av /etc/$flavor/mingw64-winbareos/ddl $RPM_BUILD_ROOT/$flavor/release64
-
-# copy the sources over if we create debug package
-   %if %{WIN_DEBUG} == "yes"
-   cp -av /bareos-*debug*  $RPM_BUILD_ROOT/$flavor/release32
-   cp -av /bareos-*debug*  $RPM_BUILD_ROOT/$flavor/release64
-   %endif
+      # copy the sql ddls over
+      cp -av /etc/$flavor/mingw${BITS}-winbareos/ddl $RPM_BUILD_ROOT/$flavor/release${BITS}
 
+      # copy the sources over if we create debug package
+      %if %{WIN_DEBUG} == "yes"
+      cp -av /bareos-*debug*  $RPM_BUILD_ROOT/$flavor/release${BITS}
+      %endif
 
+   done
 
    for file in \
       bareos-fd.exe \
@@ -142,11 +146,14 @@ do
       libbareos.dll \
       libbareosfind.dll \
       libbareoslmdb.dll \
-      libbareoscats*.dll \
-      libbareossd*.dll ;
+      libbareoscats-postgresql.dll libbareoscats-sqlite3.dll libbareoscats.dll\
+      libbareossd.dll ;
    do
       cp %{_mingw32_bindir}/$flavor/$file $RPM_BUILD_ROOT/$flavor/release32
       cp %{_mingw64_bindir}/$flavor/$file $RPM_BUILD_ROOT/$flavor/release64
+
+      osslsigncode verify -in $RPM_BUILD_ROOT/$flavor/release32/$file
+      osslsigncode verify -in $RPM_BUILD_ROOT/$flavor/release64/$file
    done
 
 
@@ -172,20 +179,18 @@ do
       cp %{_mingw64_bindir}/$file $RPM_BUILD_ROOT/$flavor/release64
    done
 
-   for cfg in /etc/$flavor/mingw32-winbareos/*.conf; do
-      cp $cfg $RPM_BUILD_ROOT/$flavor/release32
-   done
-
-   for cfg in /etc/$flavor/mingw64-winbareos/*.conf; do
-      cp $cfg $RPM_BUILD_ROOT/$flavor/release64
-   done
+   for BITS in 32 64; do
 
-   cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE6 %SOURCE9 %_sourcedir/LICENSE $RPM_BUILD_ROOT/$flavor/release32
-   cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE6 %SOURCE9 %_sourcedir/LICENSE $RPM_BUILD_ROOT/$flavor/release64
+      for cfg in /etc/$flavor/mingw${BITS}-winbareos/*.conf; do
+         cp $cfg $RPM_BUILD_ROOT/$flavor/release${BITS}
+      done
 
-   makensis -DVERSION=%version -DPRODUCT_VERSION=%version-%release -DBIT_WIDTH=32 -DWIN_DEBUG=%{WIN_DEBUG} $RPM_BUILD_ROOT/$flavor/release32/winbareos.nsi
-   makensis -DVERSION=%version -DPRODUCT_VERSION=%version-%release -DBIT_WIDTH=64 -DWIN_DEBUG=%{WIN_DEBUG} $RPM_BUILD_ROOT/$flavor/release64/winbareos.nsi
+      cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE6 %SOURCE9 \
+               %_sourcedir/LICENSE $RPM_BUILD_ROOT/$flavor/release${BITS}
 
+      makensis -DVERSION=%version -DPRODUCT_VERSION=%version-%release -DBIT_WIDTH=${BITS} \
+               -DWIN_DEBUG=%{WIN_DEBUG} $RPM_BUILD_ROOT/$flavor/release${BITS}/winbareos.nsi
+   done
 done
 
 %install
@@ -196,14 +201,26 @@ do
    mkdir -p $RPM_BUILD_ROOT%{_mingw64_bindir}
 
    FLAVOR=`echo "%name" | sed 's/winbareos-nsi-//g'`
+   DESCRIPTION="Bareos installer version %version"
+   URL="http://www.bareos.com"
 
-   cp $RPM_BUILD_ROOT/$flavor/release32/Bareos*.exe $RPM_BUILD_ROOT/winbareos-%version-$flavor-32-bit-r%release.exe
-   cp $RPM_BUILD_ROOT/$flavor/release64/Bareos*.exe $RPM_BUILD_ROOT/winbareos-%version-$flavor-64-bit-r%release.exe
+   for BITS in 32 64; do
+      cp $RPM_BUILD_ROOT/$flavor/release${BITS}/Bareos*.exe \
+           $RPM_BUILD_ROOT/winbareos-%version-$flavor-${BITS}-bit-r%release-unsigned.exe
 
-   rm -R $RPM_BUILD_ROOT/$flavor/release32
-   rm -R $RPM_BUILD_ROOT/$flavor/release64
-   rm -R $RPM_BUILD_ROOT/$flavor/nsisplugins
+      osslsigncode  -pkcs12 %SOURCE10 -pass `cat %SOURCE11` -n "${DESCRIPTION}" -i http://www.bareos.com/ \
+                    -in  $RPM_BUILD_ROOT/winbareos-%version-$flavor-${BITS}-bit-r%release-unsigned.exe \
+                    -out $RPM_BUILD_ROOT/winbareos-%version-$flavor-${BITS}-bit-r%release.exe
+
+      osslsigncode verify -in $RPM_BUILD_ROOT/winbareos-%version-$flavor-${BITS}-bit-r%release.exe
+
+      rm $RPM_BUILD_ROOT/winbareos-%version-$flavor-${BITS}-bit-r%release-unsigned.exe
 
+      rm -R $RPM_BUILD_ROOT/$flavor/release${BITS}
+
+   done
+
+   rm -R $RPM_BUILD_ROOT/$flavor/nsisplugins
 done
 
 %clean

diff --git a/platforms/win32/winbareos32.spec b/platforms/win32/winbareos32.spec
@@ -34,13 +34,17 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 #!BuildIgnore: post-build-checks
 
-Source1:       fillup.sed
-Source2:       vss_headers.tar
-Source3:       vdi_headers.tar
-Source4:       pgsql-libpq.tar
+Source1:        fillup.sed
+Source2:        vss_headers.tar
+Source3:        vdi_headers.tar
+Source4:        pgsql-libpq.tar
 
-Patch1:        tray-monitor-conf.patch
-Patch2:        tray-monitor-conf-fd-sd.patch
+# code signing cert
+Source10:       ia.p12
+Source11:       signpassword
+
+Patch1:         tray-monitor-conf.patch
+Patch2:         tray-monitor-conf-fd-sd.patch
 
 BuildRequires:  mingw32-filesystem
 BuildRequires:  mingw32-cross-gcc
@@ -80,6 +84,8 @@ BuildRequires:  mingw32-libsqlite-devel
 BuildRequires:  sed
 BuildRequires:  vim, procps, bc
 
+BuildRequires:  osslsigncode
+
 %description
 bareos
 
@@ -170,12 +176,9 @@ make WIN_DEBUG=yes BUILD_QTGUI=%{BUILD_QTGUI} WIN_VERSION=%{WIN_VERSION} WIN_VIS
 cd -
 
 %install
-
-
 for flavor in `echo "%flavors"`; do
 
    mkdir -p $RPM_BUILD_ROOT%{_mingw32_bindir}/$flavor
-
    mkdir -p $RPM_BUILD_ROOT/etc/$flavor/%name
 
    pushd $flavor/src/win32
@@ -229,9 +232,21 @@ for flavor in `echo "%flavors"`; do
    do
       sed -f %SOURCE1 $sql -i ;
    done
-done
-
 
+   # sign binary files
+   pushd $RPM_BUILD_ROOT%{_mingw32_bindir}/$flavor
+   for BINFILE in *; do
+      mv $BINFILE $BINFILE.unsigned
+      osslsigncode -pkcs12 %SOURCE10 \
+                   -pass `cat %SOURCE11` \
+                   -n "${DESCRIPTION}" \
+                   -i http://www.bareos.com/ \
+                   -in  $BINFILE.unsigned \
+                   -out $BINFILE
+      rm *.unsigned
+   done
+   popd
+done
 
 %clean
 rm -rf $RPM_BUILD_ROOT

diff --git a/platforms/win32/winbareos64.spec b/platforms/win32/winbareos64.spec
@@ -34,13 +34,17 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 #!BuildIgnore: post-build-checks
 
-Source1:       fillup.sed
-Source2:       vss_headers.tar
-Source3:       vdi_headers.tar
-Source4:       pgsql-libpq.tar
+Source1:        fillup.sed
+Source2:        vss_headers.tar
+Source3:        vdi_headers.tar
+Source4:        pgsql-libpq.tar
 
-Patch1:        tray-monitor-conf.patch
-Patch2:        tray-monitor-conf-fd-sd.patch
+# code signing cert
+Source10:       ia.p12
+Source11:       signpassword
+
+Patch1:         tray-monitor-conf.patch
+Patch2:         tray-monitor-conf-fd-sd.patch
 
 BuildRequires:  mingw64-filesystem
 BuildRequires:  mingw64-cross-gcc
@@ -80,6 +84,8 @@ BuildRequires:  mingw64-libsqlite-devel
 BuildRequires:  sed
 BuildRequires:  vim, procps, bc
 
+BuildRequires:  osslsigncode
+
 %description
 bareos
 
@@ -170,12 +176,9 @@ make WIN_DEBUG=yes BUILD_QTGUI=%{BUILD_QTGUI} WIN_VERSION=%{WIN_VERSION} WIN_VIS
 cd -
 
 %install
-
-
 for flavor in `echo "%flavors"`; do
 
    mkdir -p $RPM_BUILD_ROOT%{_mingw64_bindir}/$flavor
-
    mkdir -p $RPM_BUILD_ROOT/etc/$flavor/%name
 
    pushd $flavor/src/win32
@@ -219,7 +222,7 @@ for flavor in `echo "%flavors"`; do
 
    popd
 
-   mkdir -p  $RPM_BUILD_ROOT/etc/$flavor/%name/ddl
+   mkdir -p $RPM_BUILD_ROOT/etc/$flavor/%name/ddl
    for i in creates drops grants updates; do
       mkdir $RPM_BUILD_ROOT/etc/$flavor/%name/ddl/$i/
       cp -av src/cats/ddl/$i/postgres* $RPM_BUILD_ROOT/etc/$flavor/%name/ddl/$i/
@@ -229,9 +232,21 @@ for flavor in `echo "%flavors"`; do
    do
       sed -f %SOURCE1 $sql -i ;
    done
-done
-
 
+   # sign binary files
+   pushd $RPM_BUILD_ROOT%{_mingw64_bindir}/$flavor
+   for BINFILE in *; do
+      mv $BINFILE $BINFILE.unsigned
+      osslsigncode -pkcs12 %SOURCE10 \
+                   -pass `cat %SOURCE11` \
+                   -n "${DESCRIPTION}" \
+                   -i http://www.bareos.com/ \
+                   -in  $BINFILE.unsigned \
+                   -out $BINFILE
+      rm *.unsigned
+   done
+   popd
+done
 
 %clean
 rm -rf $RPM_BUILD_ROOT