[feat] windows templates

author: Kali Kaneko (leap communications) <kali@leap.se> 2019-07-10 17:12:00 +0200
committer: Ruben Pollan <meskio@sindominio.net> 2019-08-05 11:46:12 -0400
commit: e635c5b43df0ed6f28c05429dae126d645ac8717 (patch)
tree: 5879cb4d24a00a357264196bcb5bf48bd3500bc7 /branding
parent: 92ea8778813ddffe6187e0ce300638fdefe1bf5e (diff)
14 files changed, 334 insertions, 35 deletions
diff --git a/branding/config/vendor.conf b/branding/config/vendor.conf
index 12fca4e..f0f42c1 100644
--- a/branding/config/vendor.conf
+++ b/branding/config/vendor.conf
@@ -13,6 +13,7 @@ providerURL         = riseup.net
 apiURL              = https://api.black.riseup.net/
 caURL               = https://black.riseup.net/ca.crt
 
+infoURL             = https://riseup.net/vpn
 tosURL              = https://riseup.net/tos
 helpURL             = https://riseup.net/support
 
@@ -27,11 +28,15 @@ donateURL           = https://riseup.net/donate
 name                = Calyx
 applicationName     = CalyxVPN
 binaryName          = calyx-vpn
+
 providerURL         = https://calyx.net
-tosURL              = https://calyx.net/tos
-helpURL             = https://calyx.net/support
 apiURL              = https://api.calyx.net:4430/
 caURL               = https://calyx.net/ca.crt
+
+infoURL             = https://calyx.net/
+tosURL              = https://calyx.net/tos
+helpURL             = https://calyx.net/support
+
 geolocationAPI      = https://api.black.riseup.net:9001/json
 
 askForDonations     = true
diff --git a/branding/scripts/TODO b/branding/scripts/TODO
new file mode 100644
index 0000000..95ca345
--- /dev/null
+++ b/branding/scripts/TODO
@@ -0,0 +1,2 @@
+-[ ] sanity check scrit
+-[ ] assets convertion script
diff --git a/branding/scripts/__init__.py b/branding/scripts/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/branding/scripts/__init__.py
diff --git a/branding/scripts/generate-win.py b/branding/scripts/generate-win.py
new file mode 100755
index 0000000..fb15f22
--- /dev/null
+++ b/branding/scripts/generate-win.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+
+import json
+import os
+import sys
+
+import configparser
+
+from provider import getDefaultProvider
+from provider import getProviderData
+
+
+VERSION = os.environ.get('VERSION', 'unknown')
+
+
+def writeOutput(data, outfile):
+
+    with open(outfile, 'w') as outf:
+        outf.write(json.dumps(data))
+
+
+if __name__ == "__main__":
+    env_provider_conf = os.environ.get('PROVIDER_CONFIG')
+    if env_provider_conf:
+        if os.path.isfile(env_provider_conf):
+            print("[+] Overriding provider config per "
+                  "PROVIDER_CONFIG variable")
+            configfile = env_provider_conf
+
+    config = configparser.ConfigParser()
+    config.read(configfile)
+    provider = getDefaultProvider(config)
+    data = getProviderData(provider, config)
+
+    if len(sys.argv) != 2:
+        print('Usage: generate-win.py <output_file>')
+        sys.exit(1)
+
+    outputf = sys.argv[1]
+
+    data['applicationNameLower'] = data.get('applicationName').lower()
+    data['URL'] = data.get('infoURL')
+    data['version'] = VERSION
+    writeOutput(data, outputf)
diff --git a/branding/scripts/provider.py b/branding/scripts/provider.py
new file mode 100644
index 0000000..867007e
--- /dev/null
+++ b/branding/scripts/provider.py
@@ -0,0 +1,32 @@
+import datetime
+import os
+
+
+def getDefaultProvider(config):
+    provider = os.environ.get('PROVIDER')
+    if provider:
+        print('[+] Got provider {} from environemnt'.format(provider))
+    else:
+        print('[+] Using default provider from config file')
+        provider = config['default']['provider']
+    return provider
+
+
+def getProviderData(provider, config):
+    print("[+] Configured provider:", provider)
+
+    c = config[provider]
+    d = dict()
+
+    keys = ('name', 'applicationName', 'binaryName',
+            'providerURL', 'tosURL', 'helpURL',
+            'donateURL', 'apiURL', 'geolocationAPI', 'caCertString')
+
+    for value in keys:
+        d[value] = c.get(value)
+
+    d['timeStamp'] = '{:%Y-%m-%d %H:%M:%S}'.format(
+        datetime.datetime.now())
+
+    return d
+
diff --git a/branding/scripts/vendorize.py b/branding/scripts/vendorize.py
index dc19952..59edae0 100755
--- a/branding/scripts/vendorize.py
+++ b/branding/scripts/vendorize.py
@@ -1,47 +1,20 @@
 #!/usr/bin/env python3
 
-import datetime
 import os
 import sys
 
 from string import Template
 import configparser
 
+from provider import getDefaultProvider
+from provider import getProviderData
+
 OUTFILE = 'config.go'
-INFILE = 'config.go.tmpl'
-CONFIGFILE = 'config/vendor.conf'
+INFILE = '../templates/golang/config.go'
+CONFIGFILE = '../config/vendor.conf'
 SCRIPT_NAME = 'vendorize'
 
 
-def getDefaultProvider(config):
-    provider = os.environ.get('PROVIDER')
-    if provider:
-        print('[+] Got provider {} from environemnt'.format(provider))
-    else:
-        print('[+] Using default provider from config file')
-        provider = config['default']['provider']
-    return provider
-
-
-def getProviderData(provider, config):
-    print("[+] Configured provider:", provider)
-
-    c = config[provider]
-    d = dict()
-
-    keys = ('name', 'applicationName', 'binaryName',
-            'providerURL', 'tosURL', 'helpURL',
-            'donateURL', 'apiURL', 'geolocationAPI', 'caCertString')
-
-    for value in keys:
-        d[value] = c.get(value)
-
-    d['timeStamp'] = '{:%Y-%m-%d %H:%M:%S}'.format(
-        datetime.datetime.now())
-
-    return d
-
-
 def addCaData(data, configfile):
     provider = data.get('name').lower()
     folder, f = os.path.split(configfile)
@@ -91,7 +64,8 @@ if __name__ == "__main__":
     env_provider_conf = os.environ.get('PROVIDER_CONFIG')
     if env_provider_conf:
         if os.path.isfile(env_provider_conf):
-            print("[+] Overriding provider config per PROVIDER_CONFIG variable")
+            print("[+] Overriding provider config per "
+                  "PROVIDER_CONFIG variable")
             configfile = env_provider_conf
 
     if not os.path.isfile(infile):
diff --git a/branding/templates/windows/generate.py b/branding/templates/windows/generate.py
new file mode 100755
index 0000000..427b7a8
--- /dev/null
+++ b/branding/templates/windows/generate.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+"""
+generate.py
+
+Generate a NSI installer for a given provider.
+"""
+
+import json
+import os
+from string import Template
+
+
+TEMPLATE = 'template.nsi'
+
+
+def get_files(which):
+    files = "\n"
+    if which == 'install':
+        action = "File "
+    elif which == 'uninstall':
+        action = "Delete $INSTDIR\\"
+    else:
+        action = ""
+
+    # TODO get relative path
+    for item in open('payload/' + which).readlines():
+        files += "  {action}{item}".format(
+            action=action, item=item)
+    return files
+
+
+here = os.path.split(os.path.realpath(__file__))[0]
+data = json.load(open(os.path.join(here, 'data.json')))
+data['extra_install_files'] = get_files('install')
+data['extra_uninstall_files'] = get_files('uninstall')
+
+import pprint
+pprint.pprint(data)
+
+INSTALLER = data['applicationName'] + '-installer.nsi'
+
+
+template = Template(open(TEMPLATE).read())
+with open(INSTALLER, 'w') as output:
+    output.write(template.safe_substitute(data))
+
+print("[+] NSIS installer script written to {path}".format(path=INSTALLER))
diff --git a/branding/templates/windows/payload/install b/branding/templates/windows/payload/install
new file mode 100755
index 0000000..da9a195
--- /dev/null
+++ b/branding/templates/windows/payload/install
@@ -0,0 +1,9 @@
+..\staging\bitmask_helper.exe
+..\staging\bitmask-vpn.exe
+..\staging\libcrypto-1_1-x64.dll
+..\staging\liblzo2-2.dll
+..\staging\libpkcs11-helper-1.dll
+..\staging\libssl-1_1-x64.dll
+..\staging\padlock.dll
+..\staging\openvpn\openvpn.exe
+..\staging\openvpn\tap-windows.exe
diff --git a/branding/templates/windows/payload/uninstall b/branding/templates/windows/payload/uninstall
new file mode 100755
index 0000000..7c7df24
--- /dev/null
+++ b/branding/templates/windows/payload/uninstall
@@ -0,0 +1,13 @@
+icon.ico
+openssl.exe
+openvpn.exe
+ssleay32.dll
+libeay32.dll
+liblzo2-2.dll
+libpkcs11-helper-1.dll
+libcrypto-1_1-x64.dll
+libssl-1_1-x64.dll
+padlock.dll
+bitmask_helper.exe
+bitmask-vpn.exe
+tap-windows.exe
diff --git a/branding/templates/windows/sign.py b/branding/templates/windows/sign.py
new file mode 100644
index 0000000..5b6b2c6
--- /dev/null
+++ b/branding/templates/windows/sign.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+"""
+This script is expected to be called from the main makefile, that should pass
+the content of the WIN_CERT_PASS variable as the second argument.
+
+Just make sure that $GOPATH is properly configured.
+"""
+import subprocess
+import os
+import sys
+
+WIN_CERT_PATH = sys.argv[1]
+WIN_CERT_PASS = sys.argv[2]
+SIGNTOOL = "signtool"
+
+GOPATH = os.environ.get('GOPATH')
+VERSION = subprocess.run(
+    'git -C ' + GOPATH +
+    '\\src\\0xacab.org\\leap\\bitmask-vpn describe --tags',
+    stdout=subprocess.PIPE).stdout.strip()
+
+installer = "RiseupVPN-" + str(VERSION, 'utf-8') + '.exe'
+target = str(os.path.join(os.path.abspath('.'), 'dist', installer))
+cmd = [SIGNTOOL, "sign", "/f", WIN_CERT_PATH, "/p", WIN_CERT_PASS, target]
+subprocess.run(cmd)
diff --git a/branding/templates/windows/template.nsi b/branding/templates/windows/template.nsi
new file mode 100755
index 0000000..f644b89
--- /dev/null
+++ b/branding/templates/windows/template.nsi
@@ -0,0 +1,130 @@
+SetCompressor /SOLID lzma
+
+!define PRODUCT_PUBLISHER "LEAP Encryption Access Project"
+!include "MUI2.nsh"
+
+Name "$applicationName"
+Outfile "..\bin\$applicationName-$version.exe"
+;TODO make the installdir configurable - and set it in the registry.
+InstallDir "C:\Program Files\$applicationName\"
+RequestExecutionLevel admin
+
+!include FileFunc.nsh
+!insertmacro GetParameters
+!insertmacro GetOptions
+
+;Macros
+
+!macro SelectByParameter SECT PARAMETER DEFAULT
+	${GetOptions} $R0 "/${PARAMETER}=" $0
+	${If} ${DEFAULT} == 0
+		${If} $0 == 1
+			!insertmacro SelectSection ${SECT}
+		${EndIf}
+	${Else}
+		${If} $0 != 0
+			!insertmacro SelectSection ${SECT}
+		${EndIf}
+	${EndIf}
+!macroend
+
+
+
+!define BITMAP_FILE riseupvpn.bmp
+
+!define MUI_ICON "..\assets\$applicationNameLower.ico"
+!define MUI_UNICON "..\assets\$applicationNameLower.ico"
+
+!define MUI_WELCOMEPAGE_TITLE "$applicationName"
+!define MUI_WELCOMEPAGE_TEXT "This will install $applicationName in your computer. $applicationName is a simple, fast and secure VPN Client, powered by Bitmask. \n This VPN service is run by donations from people like you."
+#!define MUI_WELCOMEFINISHPAGE_BITMAP "riseup.png"
+
+!insertmacro MUI_PAGE_WELCOME
+!insertmacro MUI_PAGE_INSTFILES
+!insertmacro MUI_PAGE_FINISH
+ 
+ 
+
+Section "InstallFiles"
+  ; first we try to delete the systray, locked by the app.
+  ClearErrors
+  Delete 'C:\Program Files\$applicationName\bitmask-vpn.exe'
+  IfErrors 0 noError
+
+  ; Error handling
+  MessageBox MB_OK|MB_ICONEXCLAMATION "$applicationName is Running. Please close it, and then run this installer again."
+  Abort
+
+  noError:
+  ExecShellWait "runas" "$INSTDIR\nssm.exe" 'stop $applicationNameLower-helper'
+  ExecShellWait "runas" "$INSTDIR\nssm.exe" 'remove $applicationNameLower-helper confirm'
+
+  SetOutPath $INSTDIR 
+  WriteUninstaller $INSTDIR\uninstall.exe
+
+  ; Add ourselves to Add/remove programs
+  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower" "DisplayName" "$applicationName"
+  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower" "UninstallString" '"$INSTDIR\uninstall.exe"'
+  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower" "InstallLocation" "$INSTDIR"
+  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower" "DisplayIcon" "$INSTDIR\icon.ico"
+  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower" "Readme" "$INSTDIR\readme.txt"
+  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower" "DisplayVersion" "$version"
+  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower" "Publisher" "LEAP Encryption Access Project"
+  WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower" "NoModify" 1
+  WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower" "NoRepair" 1
+
+  ;Start Menu
+  createDirectory "$SMPROGRAMS\$applicationName\"
+  createShortCut "$SMPROGRAMS\$applicationName\$applicationName.lnk" "$INSTDIR\bitmask-vpn.exe" "" "$INSTDIR\icon.ico"
+
+  File "readme.txt"
+  File "..\staging\nssm.exe"
+  File "/oname=icon.ico" "..\assets\$applicationNameLower.ico"
+
+  $extra_install_files
+
+SectionEnd
+
+Section "InstallService"
+  ; Easy service management thanks to nssm
+  ExecWait '"$INSTDIR\nssm.exe" install $applicationNameLower-helper "$INSTDIR\bitmask_helper.exe"'
+  ExecWait '"$INSTDIR\nssm.exe" set $applicationNameLower-helper AppDirectory "$INSTDIR"'
+  ExecWait '"$INSTDIR\nssm.exe" start $applicationNameLower-helper'
+SectionEnd
+
+Section /o "TAP Virtual Ethernet Adapter" SecTAP
+	; Adapted from the windows nsis installer from OpenVPN (openvpn-build repo).
+	DetailPrint "Installing TAP (may need confirmation)..."
+	; The /S flag make it "silent", remove it if you want it explicit
+  	ExecWait '"$INSTDIR\tap-windows.exe" /S /SELECT_UTILITIES=1'
+	Pop $R0 # return value/error/timeout
+	WriteRegStr HKLM "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$applicationName" "tap" "installed"
+	DetailPrint "TAP installed!"
+SectionEnd
+
+Section "Uninstall"
+  ExecShellWait "runas" "$INSTDIR\nssm.exe" 'stop $applicationNameLower-helper'
+  ExecShellWait "runas" "$INSTDIR\nssm.exe" 'remove $applicationNameLower-helper confirm'
+
+  Delete $INSTDIR\readme.txt
+  Delete $INSTDIR\nssm.exe
+  Delete $INSTDIR\helper.log
+  Delete "$SMPROGRAMS\$applicationName\$applicationName.lnk"
+  RMDir "$SMPROGRAMS\$applicationName\"
+
+  $extra_uninstall_files
+
+  DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$applicationNameLower"
+  ; uninstaller must be always the last thing to remove
+  Delete $INSTDIR\uninstall.exe
+  RMDir $INSTDIR
+SectionEnd
+
+Function .onInit
+	!insertmacro SelectByParameter ${SecTAP} SELECT_TAP 1
+FunctionEnd
+
+;----------------------------------------
+;Languages
+ 
+!insertmacro MUI_LANGUAGE "English"
diff --git a/branding/templates/windows/tools/README-cert.txt b/branding/templates/windows/tools/README-cert.txt
new file mode 100644
index 0000000..e532997
--- /dev/null
+++ b/branding/templates/windows/tools/README-cert.txt
@@ -0,0 +1 @@
+openssl pkcs12 -inkey privatekey.pem -in signing_cert.pem -export -out LEAP.pfx
diff --git a/branding/templates/windows/tools/README-signtool.txt b/branding/templates/windows/tools/README-signtool.txt
new file mode 100644
index 0000000..51ebbf5
--- /dev/null
+++ b/branding/templates/windows/tools/README-signtool.txt
@@ -0,0 +1,17 @@
+Source: https://stackoverflow.com/questions/31869552/how-to-install-signtool-exe-for-windows-10
+-----------------------------------------------------------------------------------------------
+
+If you only want SignTool and really want to minimize the install, here is a way that I just reverse-engineered my way to:
+
+Download the .iso file from https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk (current download link is http://go.microsoft.com/fwlink/p/?LinkID=2022797) The .exe download will not work, since it's an online installer that pulls down its dependencies at runtime.
+Unpack the .iso with a tool such as 7-zip.
+Install the Installers/Windows SDK Signing Tools-x86_en-us.msi file - it's only 388 KiB large. For reference, it pulls in its files from the following .cab files, so these are also needed for a standalone install:
+4c3ef4b2b1dc72149f979f4243d2accf.cab (339 KiB)
+    685f3d4691f444bc382762d603a99afc.cab (1002 KiB)
+    e5c4b31ff9997ac5603f4f28cd7df602.cab (389 KiB)
+    e98fa5eb5fee6ce17a7a69d585870b7c.cab (1.2 MiB)
+    There we go - you will now have the signtool.exe file and companions in C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64 (replace x64 with x86, arm or arm64 if you need it for another CPU architecture.)
+
+It is also possible to commit  signtool.exe and the other files from this folder into your version control repository if want to use it in e.g. CI scenarios. I have tried and it seems to work fine.
+
+(All files are probably not necessary since there are also some other .exe tools in this folder that might be responsible for these dependencies, but I am not sure which ones could be removed to make the set of files even smaller. Someone else is free to investigate further in this area. :) I tried to just copy signtool.* and that didn't work, so at least some of the other files are needed.)
diff --git a/branding/templates/windows/tools/windows10-signing.zip b/branding/templates/windows/tools/windows10-signing.zip
new file mode 100644
index 0000000..2d1858d
--- /dev/null
+++ b/branding/templates/windows/tools/windows10-signing.zip
author	Kali Kaneko (leap communications) <kali@leap.se>	2019-07-10 17:12:00 +0200
committer	Ruben Pollan <meskio@sindominio.net>	2019-08-05 11:46:12 -0400
commit	e635c5b43df0ed6f28c05429dae126d645ac8717 (patch)
tree	5879cb4d24a00a357264196bcb5bf48bd3500bc7 /branding
parent	92ea8778813ddffe6187e0ce300638fdefe1bf5e (diff)