authorkali <kali@win>2020-10-27 23:38:13 +0100
committerkali kaneko (leap communications) <kali@leap.se>2020-11-04 12:33:29 +0100
commit3dc345bc2b9f600974df6acce84ab671ab8c8e5d (patch)
treed7b050c0acb26a8cfb5678dfd7f3131767440963
parentbfd3419b4fafaad1f9f87bda0810fe4f7c73578b (diff)
[pkg] sign windows binaries
- Resolves: #383
-rw-r--r--Makefile39
-rw-r--r--branding/templates/windows/sign.py21
-rw-r--r--docs/build.windows.rst33
3 files changed, 69 insertions, 24 deletions
diff --git a/Makefile b/Makefile
index db5e508..90b0b1e 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ APPNAME ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam appname
TARGET ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam binname | tail -n 1)
PROVIDER ?= $(shell grep ^'provider =' ${VENDOR_PATH}/vendor.conf | cut -d '=' -f 2 | tr -d "[:space:]")
VERSION ?= $(shell git describe)
+WINCERTPASS ?= pass
# go paths
GOPATH = $(shell go env GOPATH)
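Review bot: `WINCERTPASS ?= pass` gives the code-signing certificate password a real-looking default, so a release build that forgot to export the variable reaches signtool with a bogus password instead of failing up front, and the line invites someone to replace the placeholder with the real value in a tracked file. Prefer an empty default and a fail-fast check where the value is consumed, e.g. `WINCERTPASS ?=` here and `$(if $(strip $(WINCERTPASS)),,$(error WINCERTPASS is not set))` as the first recipe line of the windows branch in `dosign` and `sign_installer`. `?=` already picks the value up from the environment, which is the intended way to pass the secret in without it ever appearing in the Makefile.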
@@ -89,6 +90,9 @@ lib/%.a: $(PKGFILES)
@XBUILD=no ./gui/build.sh --just-golib
relink_vendor:
+ifeq ($(PLATFORM), windows)
+ rm -rf providers/assets
+endif
ifeq ($(VENDOR_PATH), providers)
@unlink providers/assets || true
@ln -s ${PROVIDER}/assets providers/assets
@@ -110,7 +114,30 @@ build_helper:
build_openvpn:
@[ -f $(OPENVPN_BIN) ] && echo "OpenVPN already built at" $(OPENVPN_BIN) || ./branding/thirdparty/openvpn/build_openvpn.sh
-installer: check_qtifw build_openvpn build
+dosign:
+ifeq (${PLATFORM}, windows)
+ "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-file-version ${VERSION}
+ "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-product-version ${VERSION}
+ "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string CompanyName "LEAP Encryption Access Project"
+ "c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string FileDescription "VPN Application provided by ${PROVIDER}"
+ "c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} ${QTBUILD}/release/${TARGET}.exe
+ cp build/bin/${PLATFORM}/bitmask-helper build/bin/${PLATFORM}/bitmask-helper.exe
+ "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-file-version ${VERSION}
+ "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-product-version ${VERSION}
+ "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string ProductName "bitmask-helper-v2"
+ "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string CompanyName "LEAP Encryption Access Project"
+ "c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string FileDescription "Administrative helper for ${TARGET}"
+ "c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} build/bin/${PLATFORM}/bitmask-helper.exe
+endif
+
+checksign:
+ifeq (${PLATFORM}, windows)
+ @"c:\windows\system32\sigcheck.exe" ${QTBUILD}/release/${TARGET}.exe
+ @"c:\windows\system32\sigcheck.exe" build/bin/${PLATFORM}/bitmask-helper.exe
+ @"c:\windows\system32\sigcheck.exe" "/c/Program Files/OpenVPN/bin/openvpn.exe"
+endif
+
+installer: check_qtifw checksign
@mkdir -p ${INST_DATA}
@cp -r ${TEMPLATES}/qtinstaller/packages ${INSTALLER}
@cp -r ${TEMPLATES}/qtinstaller/installer.pro ${INSTALLER}
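Review bot: The two `signtool.exe sign ... -p ${WINCERTPASS}` lines in `dosign` are not `@`-silenced, so make prints the full command, certificate password included, to the console and into any CI log; the same applies to the signtool line in `sign_installer` in the last Makefile hunk. Prefix those lines with `@` (an `@echo "[+] signing ${TARGET}.exe"` keeps the log readable) and drop `-debug`, which only adds signtool's internal trace to the same log. The signatures are also made without a timestamp, so they stop validating once the certificate expires; adding `-tr <TIMESTAMP_URL> -td sha256` (URL as published by the certificate's CA) to each signtool call avoids that. The PFX path `z:\leap\LEAP.pfx` is repeated three times as a machine-specific literal; a `WINCERT ?=` knob next to `WINCERTPASS` would keep it overridable like the password.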
@@ -132,7 +159,7 @@ ifeq (${PLATFORM}, darwin)
endif
ifeq (${PLATFORM}, windows)
@VERSION=${VERSION} VENDOR_PATH=${VENDOR_PATH} ${SCRIPTS}/gen-qtinstaller windows ${INSTALLER}
- @cp build/bin/${PLATFORM}/bitmask-helper ${INST_DATA}helper.exe
+ @cp build/bin/${PLATFORM}/bitmask-helper.exe ${INST_DATA}helper.exe
ifeq (${VENDOR_PATH}, providers)
@cp ${VENDOR_PATH}/${PROVIDER}/assets/icon.ico ${INST_DATA}/icon.ico
else
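Review bot: This copy now expects `build/bin/${PLATFORM}/bitmask-helper.exe`, which is only produced by the `cp` inside `dosign` (earlier hunk), yet `installer` depends on `check_qtifw checksign` only and `checksign` does not depend on `dosign`; a plain `make installer` on Windows, or the non-signing build the TODO in `sign_installer` anticipates, would fail here with a missing file. Either add `dosign` to the `installer` prerequisites or move the `.exe` rename into the helper build step so the file exists regardless of signing. Whether `sigcheck.exe` exits non-zero for an unsigned binary is worth confirming before `checksign` is relied on as the gate. The `installer` rule starts in the previous hunk and continues past this one.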
@@ -142,8 +169,8 @@ endif
# FIXME get the signed binaries with curl from openvpn downloads page - see if we have to adapt the openvpn-build to install tap drivers etc from our installer.
@cp "/c/Program Files/OpenVPN/bin/openvpn.exe" ${INST_DATA}
@cp "/c/Program Files/OpenVPN/bin/"*.dll ${INST_DATA}
- # FIXME add sign options
@windeployqt --qmldir gui/qml ${INST_DATA}${TARGET}.exe
+ #@windeployqt --release --qmldir gui/qml ${INST_DATA}${TARGET}.exe
# TODO stage it to shave some time
@wget ${TAP_WINDOWS} -O ${INST_DATA}/tap-windows.exe
endif
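Review bot: The added `#@windeployqt --release --qmldir ...` is a commented-out recipe line kept next to the live `windeployqt` call; if it is tab-indented it is handed to the shell as a comment on every run, and either way it leaves the reader guessing whether `--release` is wanted. Either switch the live line to `--release` or drop the dead line, and keep the open question as a Make comment outside the recipe, e.g. `# TODO: confirm whether windeployqt --release is needed (see docs/build.windows.rst)`. The `installer` rule starts in an earlier hunk and continues past this one.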
@@ -154,6 +181,12 @@ endif
@echo "[+] Now building the installer."
@cd build/installer && qmake VENDOR_PATH=${VENDOR_PATH} INSTALLER=${APPNAME}-installer-${VERSION} && make
+sign_installer:
+ifeq (${PLATFORM}, windows)
+ # TODO add flag to skip signing for regular builds
+ "c:\windows\system32\signtool.exe" sign -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} build/installer/${APPNAME}-installer-${VERSION}.exe
+endif
+
check_qtifw:
ifdef HAS_QTIFW
@echo "[+] Found QTIFW"
diff --git a/branding/templates/windows/sign.py b/branding/templates/windows/sign.py
deleted file mode 100644
index 53b89a8..0000000
--- a/branding/templates/windows/sign.py
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env python3
-"""
-This script is expected to be called from the main makefile, that should pass
-the content of the WIN_CERT_PASS variable as the second argument.
-"""
-import subprocess
-import os
-import sys
-
-WIN_CERT_PATH = sys.argv[1]
-WIN_CERT_PASS = sys.argv[2]
-SIGNTOOL = "signtool"
-
-VERSION = subprocess.run(
- 'git describe --tags',
- stdout=subprocess.PIPE).stdout.strip()
-
-installer = "RiseupVPN-" + str(VERSION, 'utf-8') + '.exe'
-target = str(os.path.join(os.path.abspath('.'), 'dist', installer))
-cmd = [SIGNTOOL, "sign", "/f", WIN_CERT_PATH, "/p", WIN_CERT_PASS, target]
-subprocess.run(cmd)
diff --git a/docs/build.windows.rst b/docs/build.windows.rst
index 27edcbc..8743126 100644
--- a/docs/build.windows.rst
+++ b/docs/build.windows.rst
@@ -15,3 +15,36 @@ Assuming you have the vendor path in place and correctly configured, all you nee
export PATH="/c/Qt/Qt5/bin/":"/c/Qt/QtIFW-3.2.2/bin":$PATH
export VENDOR_PATH=providers
make vendor && make installer
+
+
+checking signatures
+-------------------
+we should be signing all binaries on a release build.
+
+to check the binaries have proper signatures, you can use the sigcheck
+utilities, part of the sysinternals suite:
+
+https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
+
+unzip and place sigcheck.exe somewhere in your path.
+
+make sure to pass -accepteula parameter on some manual run so that it does not
+ask again.
+
+adding metadata to binaries
+---------------------------
+TODO: add metadata properly
+https://github.com/electron/rcedit/releases/tag/v1.1.1
+https://stackoverflow.com/questions/284258/how-do-i-set-the-version-information-for-an-existing-exe-dll
+
+the steps to do release signatures are::
+
+ make build
+ make dosign
+ make installer
+ make sign_installer
+
+
+unreviewed notes
+----------------
+see comment about patching dlls and windeployqt not being needed anymore https://stackoverflow.com/a/61910592