release: Windows signing script #9514
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
To ensure that this is the correct chain, it is pulled from a previous release
binary.
Procedure:
$ osslsigncode extract-signature -pem -in bitcoin-0.13.2-win32-setup.exe \
-out bitcoin-0.13.2-win32-setup.exe.pem
$ openssl pkcs7 -print_certs -in bitcoin-0.13.2-win32-setup.exe.pem \
-out win-codesign.cert
Hand-edit to remove comments, as well as the timestamp cert.
Also change the mac filename to match The procedure remains the same, but now there's a nifty script to automate the signing process. Future steps: - Build osslsigncode in the gitian-win descriptor so that the signer itself is deterministic. - Verify in the gitian-win-signer descriptor that the expected cert chain was used.
|
👍 |
Member
|
Concept ACK 09fe2d9 |
Member
|
Concept ACK. Good to automate this! |
Member
|
Concept ACK. Planning on testing this shortly. |
Member
|
Assigning 0.15.0 milestone. |
Member
Author
|
Ah, thanks for the reminder. I used the script/certs to sign all of the 0.14.0 binaries and never heard any complaints. So I'm assuming this is good to go :) |
Member
|
Awesome! |
laanwj
added a commit
that referenced
this pull request
Mar 13, 2017
09fe2d9 release: update docs to show basic codesigning procedure (Cory Fields) f642753 release: create a bundle for the new signing script (Cory Fields) 0068361 release: add win detached sig creator and our cert chain (Cory Fields) Tree-SHA512: 032ad84697c70faaf857b9187f548282722cffca95d658e36413dc048ff02d9183253373254ffcc1158afb71140753f35abfc9fc8781ea5329c04d13c98759c0
PastaPastaPasta
pushed a commit
to PastaPastaPasta/dash
that referenced
this pull request
Feb 26, 2019
09fe2d9 release: update docs to show basic codesigning procedure (Cory Fields) f642753 release: create a bundle for the new signing script (Cory Fields) 0068361 release: add win detached sig creator and our cert chain (Cory Fields) Tree-SHA512: 032ad84697c70faaf857b9187f548282722cffca95d658e36413dc048ff02d9183253373254ffcc1158afb71140753f35abfc9fc8781ea5329c04d13c98759c0
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A dev came around IRC today asking for help with some of these manual steps, so I figured it would be helpful to go ahead and script it up. This is an ancient todo of mine.
To match the osx signing procedure, pack the needed ingredients into the unsigned tarball. This makes the signing procedure very straightforward.
Additionally, the cert chain has been added so that the signer doesn't provide it, only the private key for the codesigning cert.. Note that the gitian recipe for re-attaching the signature does not actually verify this yet, though.
Also added some quick docs for the procedure.