Unverified Commit 3dc345bc authored by kali's avatar kali Committed by Kali Kaneko

[pkg] sign windows binaries

- Resolves: #383
parent bfd3419b
...@@ -12,6 +12,7 @@ APPNAME ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam appname ...@@ -12,6 +12,7 @@ APPNAME ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam appname
TARGET ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam binname | tail -n 1) TARGET ?= $(shell VENDOR_PATH=${VENDOR_PATH} branding/scripts/getparam binname | tail -n 1)
PROVIDER ?= $(shell grep ^'provider =' ${VENDOR_PATH}/vendor.conf | cut -d '=' -f 2 | tr -d "[:space:]") PROVIDER ?= $(shell grep ^'provider =' ${VENDOR_PATH}/vendor.conf | cut -d '=' -f 2 | tr -d "[:space:]")
VERSION ?= $(shell git describe) VERSION ?= $(shell git describe)
WINCERTPASS ?= pass
# go paths # go paths
GOPATH = $(shell go env GOPATH) GOPATH = $(shell go env GOPATH)
...@@ -89,6 +90,9 @@ lib/%.a: $(PKGFILES) ...@@ -89,6 +90,9 @@ lib/%.a: $(PKGFILES)
@XBUILD=no ./gui/build.sh --just-golib @XBUILD=no ./gui/build.sh --just-golib
relink_vendor: relink_vendor:
ifeq ($(PLATFORM), windows)
rm -rf providers/assets
endif
ifeq ($(VENDOR_PATH), providers) ifeq ($(VENDOR_PATH), providers)
@unlink providers/assets || true @unlink providers/assets || true
@ln -s ${PROVIDER}/assets providers/assets @ln -s ${PROVIDER}/assets providers/assets
...@@ -110,7 +114,30 @@ build_helper: ...@@ -110,7 +114,30 @@ build_helper:
build_openvpn: build_openvpn:
@[ -f $(OPENVPN_BIN) ] && echo "OpenVPN already built at" $(OPENVPN_BIN) || ./branding/thirdparty/openvpn/build_openvpn.sh @[ -f $(OPENVPN_BIN) ] && echo "OpenVPN already built at" $(OPENVPN_BIN) || ./branding/thirdparty/openvpn/build_openvpn.sh
installer: check_qtifw build_openvpn build dosign:
ifeq (${PLATFORM}, windows)
"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-file-version ${VERSION}
"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-product-version ${VERSION}
"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string CompanyName "LEAP Encryption Access Project"
"c:\windows\system32\rcedit.exe" ${QTBUILD}/release/${TARGET}.exe --set-version-string FileDescription "VPN Application provided by ${PROVIDER}"
"c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} ${QTBUILD}/release/${TARGET}.exe
cp build/bin/${PLATFORM}/bitmask-helper build/bin/${PLATFORM}/bitmask-helper.exe
"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-file-version ${VERSION}
"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-product-version ${VERSION}
"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string ProductName "bitmask-helper-v2"
"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string CompanyName "LEAP Encryption Access Project"
"c:\windows\system32\rcedit.exe" build/bin/${PLATFORM}/bitmask-helper.exe --set-version-string FileDescription "Administrative helper for ${TARGET}"
"c:\windows\system32\signtool.exe" sign -debug -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} build/bin/${PLATFORM}/bitmask-helper.exe
endif
checksign:
ifeq (${PLATFORM}, windows)
@"c:\windows\system32\sigcheck.exe" ${QTBUILD}/release/${TARGET}.exe
@"c:\windows\system32\sigcheck.exe" build/bin/${PLATFORM}/bitmask-helper.exe
@"c:\windows\system32\sigcheck.exe" "/c/Program Files/OpenVPN/bin/openvpn.exe"
endif
installer: check_qtifw checksign
@mkdir -p ${INST_DATA} @mkdir -p ${INST_DATA}
@cp -r ${TEMPLATES}/qtinstaller/packages ${INSTALLER} @cp -r ${TEMPLATES}/qtinstaller/packages ${INSTALLER}
@cp -r ${TEMPLATES}/qtinstaller/installer.pro ${INSTALLER} @cp -r ${TEMPLATES}/qtinstaller/installer.pro ${INSTALLER}
...@@ -132,7 +159,7 @@ ifeq (${PLATFORM}, darwin) ...@@ -132,7 +159,7 @@ ifeq (${PLATFORM}, darwin)
endif endif
ifeq (${PLATFORM}, windows) ifeq (${PLATFORM}, windows)
@VERSION=${VERSION} VENDOR_PATH=${VENDOR_PATH} ${SCRIPTS}/gen-qtinstaller windows ${INSTALLER} @VERSION=${VERSION} VENDOR_PATH=${VENDOR_PATH} ${SCRIPTS}/gen-qtinstaller windows ${INSTALLER}
@cp build/bin/${PLATFORM}/bitmask-helper ${INST_DATA}helper.exe @cp build/bin/${PLATFORM}/bitmask-helper.exe ${INST_DATA}helper.exe
ifeq (${VENDOR_PATH}, providers) ifeq (${VENDOR_PATH}, providers)
@cp ${VENDOR_PATH}/${PROVIDER}/assets/icon.ico ${INST_DATA}/icon.ico @cp ${VENDOR_PATH}/${PROVIDER}/assets/icon.ico ${INST_DATA}/icon.ico
else else
...@@ -142,8 +169,8 @@ endif ...@@ -142,8 +169,8 @@ endif
# FIXME get the signed binaries with curl from openvpn downloads page - see if we have to adapt the openvpn-build to install tap drivers etc from our installer. # FIXME get the signed binaries with curl from openvpn downloads page - see if we have to adapt the openvpn-build to install tap drivers etc from our installer.
@cp "/c/Program Files/OpenVPN/bin/openvpn.exe" ${INST_DATA} @cp "/c/Program Files/OpenVPN/bin/openvpn.exe" ${INST_DATA}
@cp "/c/Program Files/OpenVPN/bin/"*.dll ${INST_DATA} @cp "/c/Program Files/OpenVPN/bin/"*.dll ${INST_DATA}
# FIXME add sign options
@windeployqt --qmldir gui/qml ${INST_DATA}${TARGET}.exe @windeployqt --qmldir gui/qml ${INST_DATA}${TARGET}.exe
#@windeployqt --release --qmldir gui/qml ${INST_DATA}${TARGET}.exe
# TODO stage it to shave some time # TODO stage it to shave some time
@wget ${TAP_WINDOWS} -O ${INST_DATA}/tap-windows.exe @wget ${TAP_WINDOWS} -O ${INST_DATA}/tap-windows.exe
endif endif
...@@ -154,6 +181,12 @@ endif ...@@ -154,6 +181,12 @@ endif
@echo "[+] Now building the installer." @echo "[+] Now building the installer."
@cd build/installer && qmake VENDOR_PATH=${VENDOR_PATH} INSTALLER=${APPNAME}-installer-${VERSION} && make @cd build/installer && qmake VENDOR_PATH=${VENDOR_PATH} INSTALLER=${APPNAME}-installer-${VERSION} && make
sign_installer:
ifeq (${PLATFORM}, windows)
# TODO add flag to skip signing for regular builds
"c:\windows\system32\signtool.exe" sign -f "z:\leap\LEAP.pfx" -p ${WINCERTPASS} build/installer/${APPNAME}-installer-${VERSION}.exe
endif
check_qtifw: check_qtifw:
ifdef HAS_QTIFW ifdef HAS_QTIFW
@echo "[+] Found QTIFW" @echo "[+] Found QTIFW"
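Review bot: `WINCERTPASS ?= pass` gives the code-signing key a non-empty placeholder, and the signtool recipe lines in `dosign` and `sign_installer` are not `@`-prefixed, so make echoes the whole command — including `-p ${WINCERTPASS}` — into the build log; silence those lines (`@"c:\windows\system32\signtool.exe" sign -f ... -p ${WINCERTPASS} ...`) and refuse the placeholder with a first recipe line such as `$(if $(filter pass,$(WINCERTPASS)),$(error WINCERTPASS is still the placeholder value))`. The `-debug` switch on the two signtool calls in `dosign` adds further verbosity to the same log and is probably not wanted on release builds. The certificate path `z:\leap\LEAP.pfx` is repeated three times; a `WINCERTFILE ?= z:\leap\LEAP.pfx` next to `WINCERTPASS` keeps the two knobs together and lets CI point at a different store. `installer` now depends on `check_qtifw checksign` and no longer on `build`/`build_openvpn`, and `checksign` only runs sigcheck, so a stale or unsigned helper can be packaged unless sigcheck exits non-zero for unsigned files — I cannot confirm that from the hunk. `dosign`, `checksign` and `sign_installer` should also be added to the file's `.PHONY` list if it has one (not visible here).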
#!/usr/bin/env python3
"""
This script is expected to be called from the main makefile, that should pass
the content of the WIN_CERT_PASS variable as the second argument.
"""
import subprocess
import os
import sys
WIN_CERT_PATH = sys.argv[1]
WIN_CERT_PASS = sys.argv[2]
SIGNTOOL = "signtool"
VERSION = subprocess.run(
'git describe --tags',
stdout=subprocess.PIPE).stdout.strip()
installer = "RiseupVPN-" + str(VERSION, 'utf-8') + '.exe'
target = str(os.path.join(os.path.abspath('.'), 'dist', installer))
cmd = [SIGNTOOL, "sign", "/f", WIN_CERT_PATH, "/p", WIN_CERT_PASS, target]
subprocess.run(cmd)
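Review bot: Both `subprocess.run` calls ignore the exit status, so a failed `git describe` yields an empty VERSION (an installer named `RiseupVPN-.exe`) and a failed signtool run does not fail the build; pass `check=True` to both and give the git command as a list, `subprocess.run(['git', 'describe', '--tags'], stdout=subprocess.PIPE, check=True)`, since a single string is only treated as a full command line on Windows. The installer name `RiseupVPN-` and the `dist` directory are hard-coded here while the Makefile in this commit builds `${APPNAME}-installer-${VERSION}.exe` under `build/installer` and its `sign_installer` target calls signtool directly, so it is unclear from the diff whether this script is invoked at all; if it is kept, the docstring should name the variable the Makefile actually defines (`WINCERTPASS`, not `WIN_CERT_PASS`) and the script should exit with a usage message when `len(sys.argv) < 3`. Taking the password as a positional argument exposes it in the process list for the lifetime of the signing run; reading it from an environment variable (`os.environ['WINCERTPASS']`) avoids that.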
...@@ -15,3 +15,36 @@ Assuming you have the vendor path in place and correctly configured, all you nee ...@@ -15,3 +15,36 @@ Assuming you have the vendor path in place and correctly configured, all you nee
export PATH="/c/Qt/Qt5/bin/":"/c/Qt/QtIFW-3.2.2/bin":$PATH export PATH="/c/Qt/Qt5/bin/":"/c/Qt/QtIFW-3.2.2/bin":$PATH
export VENDOR_PATH=providers export VENDOR_PATH=providers
make vendor && make installer make vendor && make installer
checking signatures
-------------------
we should be signing all binaries on a release build.
to check the binaries have proper signatures, you can use the sigcheck
utilities, part of the sysinternals suite:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
unzip and place sigcheck.exe somewhere in your path.
make sure to pass -accepteula parameter on some manual run so that it does not
ask again.
adding metadata to binaries
---------------------------
TODO: add metadata properly
https://github.com/electron/rcedit/releases/tag/v1.1.1
https://stackoverflow.com/questions/284258/how-do-i-set-the-version-information-for-an-existing-exe-dll
the steps to do release signatures are::
make build
make dosign
make installer
make sign_installer
unreviewed notes
----------------
see comment about patching dlls and windeployqt not being needed anymore https://stackoverflow.com/a/61910592