Windows: Change code signing process to match new key #118
6 changes: 3 additions & 3 deletions build-release.sh
Expand Up @@ -12,17 +12,17 @@ exec > >(tee -a "out/logs/build-release") 2>&1
source ./config.sh

can_sign_windows=0
if [ ! -z "${SIGN_KEYSTORE}" ] && [ ! -z "${SIGN_PASSWORD}" ] && [[ $(type -P "osslsigncode") ]]; then
if [ ! -z "${WINDOWS_SIGN_NAME}" ] && [ ! -z "${WINDOWS_SIGN_URL}" ] && [[ $(type -P "osslsigncode") ]]; then
can_sign_windows=1
else
echo "Disabling Windows binary signing as config.sh does not define the required data (SIGN_KEYSTORE, SIGN_PASSWORD), or osslsigncode can't be found in PATH."
echo "Disabling Windows binary signing as config.sh does not define the required data (WINDOWS_SIGN_NAME, WINDOWS_SIGN_URL), or osslsigncode can't be found in PATH."
fi

sign_windows() {
if [ $can_sign_windows == 0 ]; then
return
fi
osslsigncode sign -pkcs12 ${SIGN_KEYSTORE} -pass "${SIGN_PASSWORD}" -n "${SIGN_NAME}" -i "${SIGN_URL}" -t http://timestamp.comodoca.com -in $1 -out $1-signed
P11_KIT_SERVER_ADDRESS=unix:path=/run/p11-kit/p11kit.sock osslsigncode sign -pkcs11module /usr/lib64/pkcs11/p11-kit-client.so -pkcs11cert 'pkcs11:model=SimplySign%20C' -key 'pkcs11:model=SimplySign%20C' -t http://time.certum.pl/ -n "${WINDOWS_SIGN_NAME}" -i "${WINDOWS_SIGN_URL}" -in $1 -out $1-signed
Member Author

@hpvb Is there some of it that should be moved to config.sh so third-parties using our scripts can also do their own signing with the same system?

I don't see any "secret" so I guess the actual key registration happens server side and it's accessed through p11-kit? Should we document how this works?

Member

Yeah, there's nothing secret about that. Now that the container is ready (https://github.com/hpvb/certum-container) we could probably just document it. But that would work only for Certum, not necessarily other CAs.

DigiCert, GlobalSign, and Sectigo all have different systems, although the container could probably be adapted for other CAs. There's no way for me to do that though without buying a bunch more certs.

mv $1-signed $1
}
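Review bot: the new guard `if [ ! -z "${WINDOWS_SIGN_NAME}" ] && [ ! -z "${WINDOWS_SIGN_URL}" ] && [[ $(type -P "osslsigncode") ]]` only checks the name, the URL and the osslsigncode binary, but the replaced `osslsigncode sign` line also depends on the p11-kit client module at `/usr/lib64/pkcs11/p11-kit-client.so` and the server socket at `/run/p11-kit/p11kit.sock`; when either is missing the build no longer skips signing with the explanatory message but fails inside `sign_windows`, and because the exit status of `osslsigncode` is not checked, `mv $1-signed $1` then runs against an output file that was never produced. Consider extending the guard, for example with `[ -S /run/p11-kit/p11kit.sock ] && [ -f /usr/lib64/pkcs11/p11-kit-client.so ]`, and returning before the `mv` when `osslsigncode` fails. The module path, socket address and the two `pkcs11:model=SimplySign%20C` URIs are also hardcoded to the Certum setup in build-release.sh; as the discussion above already raises, moving them into config.sh would let third-party builders point at their own PKCS#11 token. The `$1` arguments in `-in $1 -out $1-signed` remain unquoted.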

12 changes: 3 additions & 9 deletions config.sh.in
Expand Up @@ -52,19 +52,13 @@ export BUILD_NAME='custom_build'
# Default number of parallel cores for each build.
export NUM_CORES=16

# Set up your own signing keystore and relevant details below.
# Set up your own Windows signing details below.
# If you do not fill all SIGN_* fields, signing will be skipped.

# Path to pkcs12 archive.
export SIGN_KEYSTORE=''

# Password for the private key.
export SIGN_PASSWORD=''

# Name and URL of the signed application.
# Use your own when making a thirdparty build.
export SIGN_NAME=''
export SIGN_URL=''
export WINDOWS_SIGN_NAME=''
export WINDOWS_SIGN_URL=''

# Hostname or IP address of an OSX host (Needed for signing)
# eg 'user@10.1.0.10'
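Review bot: the unchanged comment `# If you do not fill all SIGN_* fields, signing will be skipped.` is now stale, since the only remaining fields are `WINDOWS_SIGN_NAME` and `WINDOWS_SIGN_URL` and the guard in build-release.sh tests exactly those; rename it to `WINDOWS_SIGN_*` in this hunk. With `SIGN_KEYSTORE` and `SIGN_PASSWORD` gone, config.sh.in no longer says anything about how the private key is reached, so a short note that the p11-kit socket and PKCS#11 module referenced in build-release.sh must be available (and that third-party builders need their own token setup in place of the removed keystore) would keep the template self-explanatory.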