Windows: Update code signing to support SHA256

Change-Id: I324e7c56fd73a744127c50e8fc136e8b23d860b0
heimdal · Apr 19, 2016 · a234ee5 · a234ee5
1 parent bc20b5f
commit a234ee5
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 11 deletions.
diff --git a/packages/windows/assembly/NTMakefile b/packages/windows/assembly/NTMakefile
@@ -96,6 +96,7 @@ $(ASMKRBDIR)\$(ASMKRBNAME).cat: $(ASMKRBDIR)\$(ASMKRBMAN).cdf
 	cd $(ASMKRBDIR)
 	$(MAKECAT) $**
 	$(_CODESIGN)
+	$(_CODESIGN_SHA256)
 	cd $(SRCDIR)
 
 asm-krb: \
@@ -170,6 +171,7 @@ $(POLKRBCAT): $(POLKRBFILE).cdf
 	cd $(POLKRBDIR)
 	$(MAKECAT) $**
 	$(_CODESIGN)
+	$(_CODESIGN_SHA256)
 	cd $(SRCDIR)
 
 all:: $(POLKRBFILE) $(POLKRBCAT)

diff --git a/windows/NTMakefile.w32 b/windows/NTMakefile.w32
@@ -500,6 +500,7 @@ _VC_MANIFEST_CLEAN= \
 
 !ifdef CODESIGN
 _CODESIGN=( $(CODESIGN) $@ )
+_CODESIGN_SHA256=( $(CODESIGN_SHA256) $@ )
 !else
 
 !ifndef SIGNTOOL
@@ -509,10 +510,14 @@ SIGNTOOL=signtool.exe
 !ifdef SIGNTOOL_C
 
 !ifndef SIGNTOOL_T
-SIGNTOOL_T=/t http://timestamp.verisign.com/scripts/timstamp.dll
+SIGNTOOL_T=http://timestamp.verisign.com/scripts/timstamp.dll
+!endif
+!ifndef SIGNTOOL_T_SHA256
+SIGNTOOL_T_SHA256=http://timestamp.geotrust.com/tsa
 !endif
 
-_CODESIGN=( $(SIGNTOOL) sign $(SIGNTOOL_O) $(SIGNTOOL_T) $(SIGNTOOL_C) /v $@ )
+_CODESIGN=( $(SIGNTOOL) sign /fd sha1 $(SIGNTOOL_O) /t $(SIGNTOOL_T) $(SIGNTOOL_C) /v $@ )
+_CODESIGN_SHA256=( $(SIGNTOOL) sign /as /fd sha256 $(SIGNTOOL_O) /tr $(SIGNTOOL_T_SHA256) $(SIGNTOOL_C) /v $@ )
 !else
 _CODESIGN=( echo Skipping code sign )
 !endif
@@ -546,22 +551,22 @@ SYMSTORE_IMPORT=@echo No symbol store
 # prepare binaries.
 
 EXEPREP=\
-( $(_VC_MANIFEST_EMBED_EXE) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 )
+( $(_VC_MANIFEST_EMBED_EXE) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 )
 
 EXEPREP_NOHEIM=\
-( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 )
+( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 )
 
 EXEPREP_NODIST=\
 ( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 )
 
 DLLPREP=\
-( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 )
+( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 )
 
 DLLPREP_NODIST=\
 ( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 )
 
 DLLPREP_MERGE=\
-( ( $(_MERGE_MANIFEST_DLL) || $(_INSERT_APPMANIFEST_DLL) && $(SYMSTORE_IMPORT) ) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 )
+( ( $(_MERGE_MANIFEST_DLL) || $(_INSERT_APPMANIFEST_DLL) && $(SYMSTORE_IMPORT) ) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 )
 
 #----------------------------------------------------------------------
 # Convenience macros for import libraries and assemblies

diff --git a/windows/README.md b/windows/README.md
@@ -35,13 +35,16 @@ work, but have not been tested.
   (Required for running tests).  These can be found in the Cygwin
   distribution.  MinGW or GnuWin32 may also be used instead of Cygwin.
   However, a recent build of `makeinfo` is required for building the
-  documentation.
+  documentation. Cygwin makeinfo 4.7 is known to work.
 
 * __Certificate for code-signing__: The Heimdal build produces a
   number of Assemblies that should be signed if they are to be
   installed via Windows Installer.  In addition, all executable
   binaries produced by the build including installers can be signed
   and timestamped if a code-signing certificate is available.
+  As of 1 January 2016 Windows 7 and above require the use of sha256
+  signatures.  The signtool.exe provided with Windows SDK 8.1 or
+  later must be used.
 
 [1]: http://wix.sourceforge.net/
 
@@ -82,23 +85,34 @@ work, but have not been tested.
 
         set SIGNTOOL_C=/f c:\mycerts\codesign.pfx
 
+	set SIGNTOOL_C=/n "Certificate Subject Name" /a
+
   - `SIGNTOOL_O`: Signing parameter options for `signtool`. Optional.
 
     E.g.:
 
         set SIGNTOOL_O=/du http://example.com/myheimdal
 
-  - `SIGNTOOL_T`: Timestamp options for `signtool`.  If not specified,
-    defaults to `/t http://timestamp.verisign.com/scripts/timstamp.dll`.
+  - `SIGNTOOL_T`: SHA1 Timestamp URL for `signtool`.  If not specified,
+    defaults to `http://timestamp.verisign.com/scripts/timstamp.dll`.
+
+  - `SIGNTOOL_T_SHA256`: SHA256 Timestamp URL for `signtool`.  If not
+    specified, defaults to `http://timestamp.geotrust.com/tsa`.
 
-  - `CODESIGN`: Code signer command.  This environment variable, if
+  - `CODESIGN`: SHA1 Code signer command.  This environment variable, if
     defined, overrides the `SIGNTOOL_*` variables.  It should be
     defined to be a command that takes one parameter: the binary to be
     signed.
 
+  - `CODESIGN_SHA256`: SHA256 Code signer command.  This environment variable, if
+    defined, applies a second SHA256 signature to the parameter.  It should be
+    defined to be a command that takes one parameter: the binary to be
+    signed.
+
     E.g.:
 
         set CODESIGN=c:\scripts\mycodesigner.cmd
+	set CODESIGN_SHA256=c:\scripts\mycodesigner256.cmd
 
 * Define the code sign public key token.  This is contained in the
   environment variable `CODESIGN_PKT` and is needed to build the
@@ -134,7 +148,7 @@ The build can also be invoked from any subdirectory that contains an
 inter-dependencies between directories and therefore it is recommended
 that a full build be invoked from the root of the source tree.
 
-Tests can be invoked as:
+Tests can be invoked, after a full build, by executing:
 
     nmake /f NTMakefile test