diff options
| author | kali <kali@win> | 2020-10-27 23:38:13 +0100 |
|---|---|---|
| committer | kali kaneko (leap communications) <kali@leap.se> | 2020-11-04 12:33:29 +0100 |
| commit | 3dc345bc2b9f600974df6acce84ab671ab8c8e5d (patch) | |
| tree | d7b050c0acb26a8cfb5678dfd7f3131767440963 | |
| parent | bfd3419b4fafaad1f9f87bda0810fe4f7c73578b (diff) | |
[pkg] sign windows binaries
- Resolves: #383
| -rw-r--r-- | Makefile | 39 | ||||
| -rw-r--r-- | branding/templates/windows/sign.py | 21 | ||||
| -rw-r--r-- | docs/build.windows.rst | 33 |
3 files changed, 69 insertions, 24 deletions
@@ -12,6 +12,7 @@ APPNAME ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam appname TARGET ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam binname | tail -n 1) PROVIDER ?= $(shell grep ^'provider =' ${VENDOR_PATH}/vendor.conf | cut -d '=' -f 2 | tr -d "[:space:]") VERSION ?= $(shell git describe) +WINCERTPASS ?= pass # go paths GOPATH = $(shell go env GOPATH) @@ -89,6 +90,9 @@ lib/%.a: $(PKGFILES) @XBUILD=no ./gui/build.sh --just-golib relink_vendor: +ifeq ($(PLATFORM), windows) + rm -rf providers/assets +endif ifeq ($(VENDOR_PATH), providers) @unlink providers/assets || true @ln -s ${PROVIDER}/assets providers/assets @@ -110,7 +114,30 @@ build_helper: build_openvpn: @[ -f $(OPENVPN_BIN) ] && echo "OpenVPN already built at" $(OPENVPN_BIN) || ./branding/thirdparty/openvpn/build_openvpn.sh -installer: check_qtifw build_openvpn build +dosign: +ifeq (${PLATFORM}, windows) + "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-file-version ${VERSION} + "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-product-version ${VERSION} + "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string CompanyName "LEAP Encryption Access Project" + "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string FileDescription "VPN Application provided by ${PROVIDER}" + "c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} ${QTBUILD}/release/${TARGET}.exe + cp build/bin/${PLATFORM}/bitmask-helper build/bin/${PLATFORM}/bitmask-helper.exe + "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-file-version ${VERSION} + "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-product-version ${VERSION} + "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string ProductName "bitmask-helper-v2" + "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string CompanyName "LEAP Encryption Access Project" + "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string FileDescription "Administrative helper for ${TARGET}" + "c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} build/bin/${PLATFORM}/bitmask-helper.exe +endif + +checksign: +ifeq (${PLATFORM}, windows) + @"c:\windows\system32\sigcheck.exe" ${QTBUILD}/release/${TARGET}.exe + @"c:\windows\system32\sigcheck.exe" build/bin/${PLATFORM}/bitmask-helper.exe + @"c:\windows\system32\sigcheck.exe" "/c/Program Files/OpenVPN/bin/openvpn.exe" +endif + +installer: check_qtifw checksign @mkdir -p ${INST_DATA} @cp -r ${TEMPLATES}/qtinstaller/packages ${INSTALLER} @cp -r ${TEMPLATES}/qtinstaller/installer.pro ${INSTALLER} @@ -132,7 +159,7 @@ ifeq (${PLATFORM}, darwin) endif ifeq (${PLATFORM}, windows) @VERSION=${VERSION} VENDOR_PATH=${VENDOR_PATH} ${SCRIPTS}/gen-qtinstaller windows ${INSTALLER} - @cp build/bin/${PLATFORM}/bitmask-helper ${INST_DATA}helper.exe + @cp build/bin/${PLATFORM}/bitmask-helper.exe ${INST_DATA}helper.exe ifeq (${VENDOR_PATH}, providers) @cp ${VENDOR_PATH}/${PROVIDER}/assets/icon.ico ${INST_DATA}/icon.ico else @@ -142,8 +169,8 @@ endif # FIXME get the signed binaries with curl from openvpn downloads page - see if we have to adapt the openvpn-build to install tap drivers etc from our installer. @cp "/c/Program Files/OpenVPN/bin/openvpn.exe" ${INST_DATA} @cp "/c/Program Files/OpenVPN/bin/"*.dll ${INST_DATA} - # FIXME add sign options @windeployqt --qmldir gui/qml ${INST_DATA}${TARGET}.exe + #@windeployqt --release --qmldir gui/qml ${INST_DATA}${TARGET}.exe # TODO stage it to shave some time @wget ${TAP_WINDOWS} -O ${INST_DATA}/tap-windows.exe endif @@ -154,6 +181,12 @@ endif @echo "[+] Now building the installer." @cd build/installer && qmake VENDOR_PATH=${VENDOR_PATH} INSTALLER=${APPNAME}-installer-${VERSION} && make +sign_installer: +ifeq (${PLATFORM}, windows) + # TODO add flag to skip signing for regular builds + "c:\windows\system32\signtool.exe" sign -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} build/installer/${APPNAME}-installer-${VERSION}.exe +endif + check_qtifw: ifdef HAS_QTIFW @echo "[+] Found QTIFW" diff --git a/branding/templates/windows/sign.py b/branding/templates/windows/sign.py deleted file mode 100644 index 53b89a8..0000000 --- a/branding/templates/windows/sign.py +++ /dev/null @@ -1,21 +0,0 @@ -#!/usr/bin/env python3 -""" -This script is expected to be called from the main makefile, that should pass -the content of the WIN_CERT_PASS variable as the second argument. -""" -import subprocess -import os -import sys - -WIN_CERT_PATH = sys.argv[1] -WIN_CERT_PASS = sys.argv[2] -SIGNTOOL = "signtool" - -VERSION = subprocess.run( - 'git describe --tags', - stdout=subprocess.PIPE).stdout.strip() - -installer = "RiseupVPN-" + str(VERSION, 'utf-8') + '.exe' -target = str(os.path.join(os.path.abspath('.'), 'dist', installer)) -cmd = [SIGNTOOL, "sign", "/f", WIN_CERT_PATH, "/p", WIN_CERT_PASS, target] -subprocess.run(cmd) diff --git a/docs/build.windows.rst b/docs/build.windows.rst index 27edcbc..8743126 100644 --- a/docs/build.windows.rst +++ b/docs/build.windows.rst @@ -15,3 +15,36 @@ Assuming you have the vendor path in place and correctly configured, all you nee export PATH="/c/Qt/Qt5/bin/":"/c/Qt/QtIFW-3.2.2/bin":$PATH export VENDOR_PATH=providers make vendor && make installer + + +checking signatures +------------------- +we should be signing all binaries on a release build. + +to check the binaries have proper signatures, you can use the sigcheck +utilities, part of the sysinternals suite: + +https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite + +unzip and place sigcheck.exe somewhere in your path. + +make sure to pass -accepteula parameter on some manual run so that it does not +ask again. + +adding metadata to binaries +--------------------------- +TODO: add metadata properly +https://github.com/electron/rcedit/releases/tag/v1.1.1 +https://stackoverflow.com/questions/284258/how-do-i-set-the-version-information-for-an-existing-exe-dll + +the steps to do release signatures are:: + + make build + make dosign + make installer + make sign_installer + + +unreviewed notes +---------------- +see comment about patching dlls and windeployqt not being needed anymore https://stackoverflow.com/a/61910592 |