Gitian windows signing normalization #6354
Conversation
theuni
force-pushed
the
gitian-winsign-normalize
branch
from
ed4989d
to
50221f3
Compare
|
Minor nit: NSIS shouldn't output installers with |
|
Thanks! @Michagogo That comment sounds sensible to me. |
|
Ok, I'll revert that and change the name in the win descriptor instead. |
|
There's still the difference in where the tools for the signature application are built... It seems weird to have to manually download those files when we already have a process for fetching and building things that we need for the build process, which is used for OS X. And there's also the fact that the OS X tarball is a full package of everything you need to apply the signature, while Windows is just the installer binaries. |
|
Oh, and are the process and tools for creating the detached signature (the commands/script to perform the signing and detach the signature) in the repo somewhere? They are in OS X ( |
This is an ideal version of what the release process should look like, making it more consistent with the OS X process. Some of the changes described here would need to be made in the descriptors, which is somewhat beyond what I would feel comfortable doing, not really understanding the signature process in depth. [skip ci]
theuni
force-pushed
the
gitian-winsign-normalize
branch
from
50221f3
to
6e849b8
Compare
|
@Michagogo Manually download which files? The idea is to distribute the Windows and OSX signatures in the same way, through the If you mean the |
|
Updated as suggested. @Michagogo All of those differences come from the fact that building the osx attacher is a nasty, complicated process, while the Linux attacher is a simple tool. Since signing is only used during the gitian/release process, I don't see any point in adding osslsigntool to depends. |
|
utACK |
|
@Michagogo as for instructions for signing and maybe a wrapper around osslsigntool to make it foolproof, that's a reasonable suggestion. I'll add that soonish. Not a blocker here, though. |
|
I assume you mean the Windows attacher. Okay, I guess that makes sense. As mentioned in IRC recently, it's considered a good practice to also sign the binaries inside the installer, but that's also not worth delaying this (and rc3) for, since on Windows the place where it's actually user-facing is the UAC prompt on installation, as opposed to on Macs where the actual binary that runs needs to be signed. BTW, do we also timestamp? |
|
Yes |
This is an ideal version of what the release process should look like, making it more consistent with the OS X process. Some of the changes described here would need to be made in the descriptors, which is somewhat beyond what I would feel comfortable doing, not really understanding the signature process in depth. [skip ci] Github-Pull: #6354 Rebased-From: 6e849b8
|
@Michagogo here's a quick go at a signing script that matches the current process. Note that the modified osslsigncode is needed for the "-pem" option. #!/bin/sh
set -e
TIMESTAMP_URL=http://timestamp.comodoca.com/authenticode
if [ ! -n "$1" ]; then
echo "usage: $0 <extra osslsigncode args>"
echo "example: $0 -pkcs12 /path/to/keys.p12 -pass mypass"
exit 1
fi
if [ -z ${OSSLSIGNCODE} ]; then
OSSLSIGNCODE=osslsigncode
fi
find . -name "*-unsigned.exe" | while read i; do
echo "Signing: ${i}"
INFILE="`basename "${i}"`"
OUTFILE="`echo "${INFILE}".temp`"
SIG="`echo "${INFILE}".pem`"
${OSSLSIGNCODE} sign "$@" -t ${TIMESTAMP_URL} -in "${INFILE}" -out "${OUTFILE}"
${OSSLSIGNCODE} extract-signature -pem -in "${OUTFILE}" -out "${SIG}"
rm "${OUTFILE}"
done |
|
You probably want to quote the |
|
I noticed while signing 0.11.0rc3: Let's do the same for the latter e.g. remove the -signed, add the version, so The new process works great apart from that. |
Sorry for yet another PR here. This one includes @Michagogo's suggestions and doc changes. It replaces #6343 and #6342.
Teach gitian to output a -win-unsigned.tar.gz similar to OSX. The signer will attempt to combine any "-unsigned.exe" with a matching "*-unsigned.exe.pem" from the detatched signature repo.
Also note that the new target signature dir for windows has changed from "${VERSION}-win" to "${VERSION}-win-unsigned".
Tested with a phony tag and signature.
Safe for backport, should be good to go for rc3.