[Pkg-gnupg-commit] [gnupg2] 161/180: build: Add target to sign the windows installer.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Dec 24 22:29:23 UTC 2016 

This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg2.

commit 284ec54495dddc9eb0232e959cf994234097578a
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Dec 19 18:34:24 2016 +0100

    build: Add target to sign the windows installer.
    
    * build-aux/speedo.mk (w32-sign-installer): New.
    (AUTHENTICODE_KEY): New.
    (installer-from-source): Use cp instead of mv.  Factor code out to ...
    (MKSWDB_commands): new macro.
    (sign-installer): New.
    --
    
    Obviously this is more convenient then doing this all by hand.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>
---
 build-aux/speedo.mk | 67 ++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 53 insertions(+), 14 deletions(-)

diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk
index fbe258c..8a366e6 100644
--- a/build-aux/speedo.mk
+++ b/build-aux/speedo.mk
@@ -52,12 +52,13 @@ SPEEDO_MK := $(realpath $(lastword $(MAKEFILE_LIST)))
 help:
 	@echo 'usage: make -f speedo.mk TARGET'
 	@echo '       with TARGET being one of:'
-	@echo '  help           This help'
-	@echo '  native         Native build of the GnuPG core'
-	@echo '  native-gui     Ditto but with pinentry and GPA'
-	@echo '  w32-installer  Build a Windows installer'
-	@echo '  w32-source     Pack a source archive'
-	@echo '  w32-release    Build a Windows release'
+	@echo '  help               This help'
+	@echo '  native             Native build of the GnuPG core'
+	@echo '  native-gui         Ditto but with pinentry and GPA'
+	@echo '  w32-installer      Build a Windows installer'
+	@echo '  w32-source         Pack a source archive'
+	@echo '  w32-release        Build a Windows release'
+	@echo '  w32-sign-installer Sign the installer'
 	@echo
 	@echo 'You may append INSTALL_PREFIX=<dir> for native builds.'
 	@echo 'Prepend TARGET with "git-" to build from GIT repos.'
@@ -109,6 +110,10 @@ w32-release: check-tools
 	$(SPEEDOMAKE) TARGETOS=w32 WHAT=release    WITH_GUI=0 SELFCHECK=0 \
                                                    installer-from-source
 
+w32-sign-installer: check-tools
+	$(SPEEDOMAKE) TARGETOS=w32 WHAT=release    WITH_GUI=0 SELFCHECK=0 \
+                                                   sign-installer
+
 w32-release-offline: check-tools
 	$(SPEEDOMAKE) TARGETOS=w32 WHAT=release    WITH_GUI=0 SELFCHECK=0 \
 	  CUSTOM_SWDB=1 pkgrep=${HOME}/b pkg10rep=${HOME}/b  \
@@ -148,6 +153,9 @@ INST_NAME=gnupg-w32
 # Use this to override the installaion directory for native builds.
 INSTALL_PREFIX=none
 
+# The Authenticode key used to sign the Windows installer
+AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
+
 
 # Directory names.
 # They must be absolute, as we switch directories pretty often.
@@ -1162,6 +1170,18 @@ installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt
 		    $(extra_installer_options) $(w32src)/inst.nsi
 	@echo "Ready: $(idir)/$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe"
 
+
+define MKSWDB_commands
+ ( pref="#+macro: gnupg21_w32_" ;\
+   echo "$${pref}ver  $(INST_VERSION)_$(BUILD_DATESTR)"  ;\
+   echo "$${pref}date $(2)" ;\
+   echo "$${pref}size $$(wc -c <$(1)|awk '{print int($$1/1024)}')k";\
+   echo "$${pref}sha1 $$(sha1sum <$(1)|cut -d' ' -f1)" ;\
+   echo "$${pref}sha2 $$(sha256sum <$(1)|cut -d' ' -f1)" ;\
+ ) | tee $(1).swdb
+endef
+
+
 # Build the installer from the source tarball.
 installer-from-source: dist-source
 	(set -e;\
@@ -1173,17 +1193,36 @@ installer-from-source: dist-source
          $(MAKE) -f build-aux/speedo.mk this-w32-installer SELFCHECK=0;\
 	 reldate="$$(date -u +%Y-%m-%d)" ;\
 	 exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
-	 mv "PLAY/inst/$$exefile" ../.. ;\
+	 cp "PLAY/inst/$$exefile" ../.. ;\
+	 exefile="../../$$exefile" ;\
+	 $(call MKSWDB_commands,$${exefile},$${reldate}); \
+	)
+
+# This target repeats some of the installer-from-source steps but it
+# is intended to be called interactively, so that the passphrase can be
+# entered.
+sign-installer:
+	@(set -e; \
+	 cd PLAY-release; \
+	 cd $(INST_NAME)-$(INST_VERSION); \
+	 reldate="$$(date -u +%Y-%m-%d)" ;\
+	 exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
+	 echo "speedo: /*" ;\
+	 echo "speedo:  * Signing installer" ;\
+	 echo "speedo:  * Key: $(AUTHENTICODE_KEY)";\
+	 echo "speedo:  */" ;\
+	 osslsigncode sign -pkcs12 $(AUTHENTICODE_KEY) -askpass \
+            -h sha256 -in "PLAY/inst/$$exefile" -out "../../$$exefile" ;\
 	 exefile="../../$$exefile" ;\
-	 ( pref="#+macro: gnupg21_w32_" ;\
-         echo "$${pref}ver  $(INST_VERSION)_$(BUILD_DATESTR)"  ;\
-         echo "$${pref}date $${reldate}" ;\
-         echo "$${pref}size $$(wc -c <$$exefile|awk '{print int($$1/1024)}')k";\
-	 echo "$${pref}sha1 $$(sha1sum <$$exefile|cut -d' ' -f1)" ;\
-	 echo "$${pref}sha2 $$(sha256sum <$$exefile|cut -d' ' -f1)" ;\
-	 ) | tee $$exefile.swdb ;\
+	 $(call MKSWDB_commands,$${exefile},$${reldate}); \
+	 echo "speedo: /*" ;\
+	 echo "speedo:  * Verification result" ;\
+	 echo "speedo:  */" ;\
+         osslsigncode verify $${exefile} \
 	)
 
+
+
 endif
 # }}} W32
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git

More information about the Pkg-gnupg-commit mailing list