Gitian windows signing normalization #6354
ed4989d
to
50221f3
Compare
Minor nit: NSIS shouldn't output installers with
Thanks! @Michagogo That comment sounds sensible to me.
Ok, I'll revert that and change the name in the win descriptor instead.
There's still the difference in where the tools for the signature application are built... It seems weird to have to manually download those files when we already have a process for fetching and building things that we need for the build process, which is used for OS X. And there's also the fact that the OS X tarball is a full package of everything you need to apply the signature, while Windows is just the installer binaries.
Oh, and are the process and tools for creating the detached signature (the commands/script to perform the signing and detach the signature) in the repo somewhere? They are in OS X (
This is an ideal version of what the release process should look like, making it more consistent with the OS X process. Some of the changes described here would need to be made in the descriptors, which is somewhat beyond what I would feel comfortable doing, not really understanding the signature process in depth. [skip ci]
50221f3
to
6e849b8
Compare
@Michagogo Manually download which files? The idea is to distribute the Windows and OSX signatures in the same way, through the If you mean the
Updated as suggested. @Michagogo All of those differences come from the fact that building the osx attacher is a nasty, complicated process, while the Linux attacher is a simple tool. Since signing is only used during the gitian/release process, I don't see any point in adding osslsigntool to depends.
utACK
@Michagogo as for instructions for signing and maybe a wrapper around osslsigntool to make it foolproof, that's a reasonable suggestion. I'll add that soonish. Not a blocker here, though.
I assume you mean the Windows attacher. Okay, I guess that makes sense. As mentioned in IRC recently, it's considered a good practice to also sign the binaries inside the installer, but that's also not worth delaying this (and rc3) for, since on Windows the place where it's actually user-facing is the UAC prompt on installation, as opposed to on Macs where the actual binary that runs needs to be signed. BTW, do we also timestamp?
Yes
This is an ideal version of what the release process should look like, making it more consistent with the OS X process. Some of the changes described here would need to be made in the descriptors, which is somewhat beyond what I would feel comfortable doing, not really understanding the signature process in depth. [skip ci] Github-Pull: #6354 Rebased-From: 6e849b8
@Michagogo here's a quick go at a signing script that matches the current process. Note that the modified osslsigncode is needed for the "-pem" option.

```sh
#!/bin/sh
set -e
TIMESTAMP_URL=http://timestamp.comodoca.com/authenticode
if [ ! -n "$1" ]; then
  echo "usage: $0 <extra osslsigncode args>"
  echo "example: $0 -pkcs12 /path/to/keys.p12 -pass mypass"
  exit 1
fi
if [ -z ${OSSLSIGNCODE} ]; then
  OSSLSIGNCODE=osslsigncode
fi
find . -name "*-unsigned.exe" | while read i; do
  echo "Signing: ${i}"
  INFILE="`basename "${i}"`"
  OUTFILE="`echo "${INFILE}".temp`"
  SIG="`echo "${INFILE}".pem`"
  ${OSSLSIGNCODE} sign "$@" -t ${TIMESTAMP_URL} -in "${INFILE}" -out "${OUTFILE}"
  ${OSSLSIGNCODE} extract-signature -pem -in "${OUTFILE}" -out "${SIG}"
  rm "${OUTFILE}"
done
```
You probably want to quote the
I noticed while signing 0.11.0rc3: Let's do the same for the latter e.g. remove the -signed, add the version, so The new process works great apart from that.
Sorry for yet another PR here. This one includes @Michagogo's suggestions and doc changes. It replaces #6343 and #6342.
Teach gitian to output a -win-unsigned.tar.gz similar to OSX. The signer will attempt to combine any "-unsigned.exe" with a matching "*-unsigned.exe.pem" from the detached signature repo.
Also note that the new target signature dir for windows has changed from "${VERSION}-win" to "${VERSION}-win-unsigned".
Tested with a phony tag and signature.
Safe for backport, should be good to go for rc3.
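
The pairing described above (each "-unsigned.exe" combined with a matching "-unsigned.exe.pem") can be checked before any signature is attached, so that no installer ships unsigned and no stale signature sits in the signature directory. This is an added example, not code from this PR or from the project; the function name `check_sig_pairs`, the two-directory layout and the report labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not project code): pre-flight check of installer/signature pairs.
# Assumed layout: $1 holds the *-unsigned.exe files, $2 holds the detached
# signatures named <installer name>.pem.

# Prints one line per problem and returns 1 if any pair is incomplete.
check_sig_pairs() {
    unsigned_dir=$1
    sig_dir=$2
    status=0

    # Every unsigned installer needs a non-empty, PEM-looking signature.
    for exe in "$unsigned_dir"/*-unsigned.exe; do
        [ -e "$exe" ] || continue            # glob matched nothing
        name=$(basename "$exe")
        pem="$sig_dir/$name.pem"
        if [ ! -s "$pem" ]; then
            echo "MISSING-SIG $name"
            status=1
        elif ! head -n 1 "$pem" | grep -q '^-----BEGIN '; then
            echo "NOT-PEM $name.pem"
            status=1
        fi
    done

    # Every signature must belong to an installer from this build.
    for pem in "$sig_dir"/*-unsigned.exe.pem; do
        [ -e "$pem" ] || continue
        name=$(basename "$pem" .pem)
        if [ ! -e "$unsigned_dir/$name" ]; then
            echo "ORPHAN-SIG $name.pem"
            status=1
        fi
    done

    return $status
}

# Run the check when called as: script <unsigned_dir> <sig_dir>
if [ "$#" -eq 2 ]; then
    check_sig_pairs "$1" "$2"
fi
```

The check only confirms that files pair up and that each signature file starts like a PEM block; it does not validate the signature itself.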