Tue, 02 Oct 2012 00:15:25 -0400
Sign all the win32 binaries with GPG (in addition to the authenticode signing for the executables)
* This is potentially unnecessary for the installers that are authenticode signed,
but it's at least needed for the other stuff, so I think it's worthwhile to be
consistent.
--- a/.hgignore Tue Oct 02 00:15:25 2012 -0400
+++ b/.hgignore Tue Oct 02 00:15:25 2012 -0400
@@ -9,6 +9,7 @@
 .*/perl/common/pm_to_blib$
 .*~$
 .*\.a$
+.*\.asc$
 .*\.bak$
 .*\.bs$
 .*\.def$
--- a/Makefile.mingw Tue Oct 02 00:15:25 2012 -0400
+++ b/Makefile.mingw Tue Oct 02 00:15:25 2012 -0400
@@ -33,6 +33,15 @@
 GTK_INSTALL_VERSION = 2.16.6.1
+authenticode_sign = $(MONO_SIGNCODE) \
+	-spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
+	-a sha1 -$$ commercial \
+	-n "$(2)" -i "https://pidgin.im" \
+	-t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
+	$(1)
+
+gpg_sign = $(GPG_SIGN) -ab $(1) && $(GPG_SIGN) --verify $(1).asc
+
 STRIPPED_RELEASE_DIR = $(PIDGIN_TREE_TOP)/pidgin-$(PIDGIN_VERSION)-win32bin
 DEBUG_SYMBOLS_DIR = $(PIDGIN_TREE_TOP)/pidgin-$(PIDGIN_VERSION)-dbgsym
@@ -78,7 +87,7 @@
 include $(PIDGIN_COMMON_RULES)
-.PHONY: all docs install installer installer_offline installer_zip debug_symbols_zip installers clean uninstall create_release_install_dir generate_installer_includes $(PIDGIN_REVISION_H) $(PIDGIN_REVISION_RAW_TXT)
+.PHONY: all docs install installer installer_offline installer_zip debug_symbols_zip installers clean uninstall create_release_install_dir generate_installer_includes $(PIDGIN_REVISION_H) $(PIDGIN_REVISION_RAW_TXT) gtk_runtime_zip
 all: $(PIDGIN_CONFIG_H) $(PIDGIN_REVISION_H)
 	$(MAKE) -C $(PURPLE_TOP) -f $(MINGW_MAKEFILE)
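Review bot: The `-n "$(2)"` line of the new `authenticode_sign` macro double-quotes its second argument, but all three call sites (hunks @@ -139 and @@ -153) already pass a quoted string such as `"Pidgin Installer"`, and `$(call)` keeps the space after the comma as part of `$(2)`; after expansion the shell sees `-n " "Pidgin Installer""`, which splits into `" Pidgin"` plus a stray `Installer` word, so the description passed to signcode is not the one intended. Either drop the macro's own quotes, `-n $(strip $(2)) -i "https://pidgin.im" \`, and keep the quoted call-site strings, or keep `-n "$(2)"` and call it as `$(call authenticode_sign,<path>,Pidgin Installer)` with no quotes and no space after the commas. The same leading-space behaviour reaches `gpg_sign` as ` pidgin-….exe.asc`, which is harmless only because that argument is unquoted; worth a comment on the macro so the next caller does not add quotes there too.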
@@ -102,10 +111,10 @@
 	cp $(WIN32_DEV_TOP)/pidgin-inst-deps-20100315/exchndl.dll $(PIDGIN_INSTALL_DIR)
 	cp $(GCC_SSP_TOP)/bin/libssp-0.dll $(PIDGIN_INSTALL_DIR)
-pidgin/win32/nsis/gtk-runtime-$(GTK_INSTALL_VERSION).zip:
-	pidgin/win32/nsis/generate_gtk_zip.sh `pwd`
+gtk_runtime_zip:
+	pidgin/win32/nsis/generate_gtk_zip.sh "`pwd`" "$(GPG_SIGN)"
-generate_installer_includes: create_release_install_dir pidgin/win32/nsis/gtk-runtime-$(GTK_INSTALL_VERSION).zip debug_symbols_zip $(PIDGIN_TREE_TOP)/pidgin/win32/nsis/nsis_translations.desktop
+generate_installer_includes: create_release_install_dir gtk_runtime_zip debug_symbols_zip $(PIDGIN_TREE_TOP)/pidgin/win32/nsis/nsis_translations.desktop
 	rm -f pidgin/win32/nsis/pidgin-translations.nsh pidgin/win32/nsis/pidgin-spellcheck.nsh pidgin/win32/nsis/pidgin-spellcheck-preselect.nsh
 	find $(STRIPPED_RELEASE_DIR)/locale -maxdepth 1 -mindepth 1 \
 		-exec basename {} ';' \
@@ -139,12 +148,7 @@
 	find $(STRIPPED_RELEASE_DIR) \( -name '*.dll' -o -name '*.exe' \) \
 		-not \( -false $(EXTERNAL_DLLS_FIND_EXP) \) \
 		-exec $(STRIP) --strip-unneeded {} ';'
-	$(MONO_SIGNCODE) \
-		-spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
-		-a sha1 -$$ commercial \
-		-n "Pidgin $(PIDGIN_VERSION)" -i "https://pidgin.im" \
-		-t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
-		$(STRIPPED_RELEASE_DIR)/pidgin.exe
+	$(call authenticode_sign, $(STRIPPED_RELEASE_DIR)/pidgin.exe, "Pidgin $(PIDGIN_VERSION)")
 installer: generate_installer_includes
 	$(eval $@_DEBUG_SYMBOLS_SHA1SUM := $(shell sha1sum $(DEBUG_SYMBOLS_DIR).zip | sed -e "s/\ .*$$//"))
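Review bot: Replacing the file target `pidgin/win32/nsis/gtk-runtime-$(GTK_INSTALL_VERSION).zip` with the phony, prerequisite-less `gtk_runtime_zip` (declared phony in the earlier hunk) means generate_gtk_zip.sh now runs, and re-signs the GTK zip, on every `generate_installer_includes` build, where the old rule only ran when the zip was missing. If that is not the intent, keep the file as the real target and make the phony name an alias: `gtk_runtime_zip: pidgin/win32/nsis/gtk-runtime-$(GTK_INSTALL_VERSION).zip` followed by the original `pidgin/win32/nsis/gtk-runtime-$(GTK_INSTALL_VERSION).zip:` rule with the new recipe line — assuming the script still writes that exact file, which this diff does not show. Either way a one-line comment on the rule stating why it is phony would stop the next reader from "fixing" it back.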
@@ -153,30 +157,23 @@
 		-DPIDGIN_INSTALL_DIR="$(STRIPPED_RELEASE_DIR)" -DGTK_INSTALL_VERSION="$(GTK_INSTALL_VERSION)" \
 		-DDEBUG_SYMBOLS_SHA1SUM="$($@_DEBUG_SYMBOLS_SHA1SUM)" -DGTK_SHA1SUM="$($@_GTK_SHA1SUM)"\
 		pidgin/win32/nsis/pidgin-installer.nsi
-	$(MONO_SIGNCODE) \
-		-spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
-		-a sha1 -$$ commercial \
-		-n "Pidgin Installer" -i "https://pidgin.im" \
-		-t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
-		pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION).exe
+	$(call authenticode_sign, pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION).exe, "Pidgin Installer")
 	mv pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION).exe ./
+	$(call gpg_sign, pidgin-$(PIDGIN_VERSION).exe)
 installer_offline: generate_installer_includes
 	$(MAKENSIS) -V3 -DPIDGIN_VERSION="$(PIDGIN_VERSION)" -DPIDGIN_PRODUCT_VERSION="$(PIDGIN_PRODUCT_VERSION)" \
 		-DPIDGIN_INSTALL_DIR="$(STRIPPED_RELEASE_DIR)" -DGTK_INSTALL_VERSION="$(GTK_INSTALL_VERSION)" \
 		-DOFFLINE_INSTALLER \
 		pidgin/win32/nsis/pidgin-installer.nsi
-	$(MONO_SIGNCODE) \
-		-spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
-		-a sha1 -$$ commercial \
-		-n "Pidgin Installer" -i "https://pidgin.im" \
-		-t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
-		pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION)-offline.exe
+	$(call authenticode_sign, pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION)-offline.exe, "Pidgin Installer")
 	mv pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION)-offline.exe ./
+	$(call gpg_sign, pidgin-$(PIDGIN_VERSION)-offline.exe)
 installer_zip: create_release_install_dir
 	rm -f pidgin-$(PIDGIN_VERSION)-win32-bin.zip
 	zip -9 -r pidgin-$(PIDGIN_VERSION)-win32-bin.zip $(STRIPPED_RELEASE_DIR)
+	$(call gpg_sign, pidgin-$(PIDGIN_VERSION)-win32-bin.zip)
 debug_symbols_zip: install
 	rm -rf $(DEBUG_SYMBOLS_DIR) $(DEBUG_SYMBOLS_DIR).zip
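Review bot: The new `$(call gpg_sign, …)` lines write `<artifact>.asc` next to artifacts that are recreated on every run, but nothing removes a stale `.asc` first: `installer_zip` only does `rm -f pidgin-$(PIDGIN_VERSION)-win32-bin.zip`, the `installer` and `installer_offline` targets `mv` a fresh `.exe` over the old one, and `debug_symbols_zip` (hunk @@ -185, with its `rm -rf … $(DEBUG_SYMBOLS_DIR).zip` visible here) likewise leaves the old `.zip.asc` in place. As far as I know gpg does not silently overwrite an existing output file — it prompts interactively, or fails when run with `--batch` — so a second build on the same tree would stall or fail at the signing step, and a leftover signature from an earlier build is exactly the kind of file `.hgignore` now hides. The simplest fix is in the macro definition (hunk @@ -33): `gpg_sign = rm -f $(1).asc && $(GPG_SIGN) -ab $(1) && $(GPG_SIGN) --verify $(1).asc`; the same applies to the `$GPG_SIGN -ab $ZIP_FILE` line added to generate_gtk_zip.sh (hunk @@ -132), where `rm -f $ZIP_FILE` should become `rm -f $ZIP_FILE $ZIP_FILE.asc`.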
@@ -185,6 +182,7 @@
 		-not \( -false $(EXTERNAL_DLLS_FIND_EXP) \) -print` \
 		| tar --strip 2 --xform s/$$/.dbgsym/ -xC $(DEBUG_SYMBOLS_DIR) -f -
 	zip -9 -r $(DEBUG_SYMBOLS_DIR).zip $(DEBUG_SYMBOLS_DIR)
+	$(call gpg_sign, $(DEBUG_SYMBOLS_DIR).zip)
 installers: installer installer_offline debug_symbols_zip installer_zip
--- a/libpurple/win32/global.mak Tue Oct 02 00:15:25 2012 -0400
+++ b/libpurple/win32/global.mak Tue Oct 02 00:15:25 2012 -0400
@@ -110,6 +110,7 @@
 STRIP ?= strip
 INTLTOOL_MERGE ?= $(WIN32_DEV_TOP)/intltool_0.40.4-1_win32/bin/intltool-merge
 MONO_SIGNCODE ?= signcode
+GPG_SIGN ?= gpg
 PIDGIN_COMMON_RULES := $(PURPLE_TOP)/win32/rules.mak
 PIDGIN_COMMON_TARGETS := $(PURPLE_TOP)/win32/targets.mak
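Review bot: `GPG_SIGN ?= gpg` is the single knob that decides which key signs every release artifact, yet nothing says that it holds a whole command line rather than a program name, or how to pick a key; a comment such as `# Command used to detach-sign release artifacts (run as "$(GPG_SIGN) -ab <file>"); override to select a key, e.g. GPG_SIGN="gpg -u <KEYID>"` would document it in the style of the neighbouring tool variables. Because the assignment is `?=`, a `GPG_SIGN` value inherited from the environment also replaces the default without any notice, which is worth stating in the same comment given what the variable controls.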
--- a/pidgin/win32/nsis/generate_gtk_zip.sh Tue Oct 02 00:15:25 2012 -0400
+++ b/pidgin/win32/nsis/generate_gtk_zip.sh Tue Oct 02 00:15:25 2012 -0400
@@ -2,6 +2,7 @@
 # Script to generate zip file for GTK+ runtime to be included in Pidgin installer
 PIDGIN_BASE=$1
+GPG_SIGN=$2
 if [ ! -e $PIDGIN_BASE/ChangeLog ]; then
 	echo $(basename $0) must must have the pidgin base dir specified as a parameter.
@@ -89,13 +90,14 @@
 			wget "$URL.asc" || exit 1
 		fi
 		#Use our own keyring to avoid adding stuff to the main keyring
-		GPG="gpg -q --keyring $STAGE_DIR/$VALIDATION_VALUE-keyring.gpg"
+		#This doesn't use $GPG_SIGN because we don't this validation to be bypassed when people are skipping signing output
+		GPG_BASE="gpg -q --keyring $STAGE_DIR/$VALIDATION_VALUE-keyring.gpg"
 		if [[ ! -e $STAGE_DIR/$VALIDATION_VALUE-keyring.gpg \
-			|| `$GPG --list-keys "$VALIDATION_VALUE" > /dev/null && echo -n "0"` -ne 0 ]]; then
+			|| `$GPG_BASE --list-keys "$VALIDATION_VALUE" > /dev/null && echo -n "0"` -ne 0 ]]; then
 			touch $STAGE_DIR/$VALIDATION_VALUE-keyring.gpg
-			$GPG --no-default-keyring --keyserver pgp.mit.edu --recv-key "$VALIDATION_VALUE" || exit 1
+			$GPG_BASE --no-default-keyring --keyserver pgp.mit.edu --recv-key "$VALIDATION_VALUE" || exit 1
 		fi
-		$GPG --verify "$FILE.asc" || (echo "$FILE failed signature verification"; exit 1) || exit 1
+		$GPG_BASE --verify "$FILE.asc" || (echo "$FILE failed signature verification"; exit 1) || exit 1
 	else
 		echo "Unrecognized validation type of $VALIDATION_TYPE"
 		exit 1
@@ -132,6 +134,7 @@
 #Generate zip file to be included in installer
 rm -f $ZIP_FILE
 zip -9 -r $ZIP_FILE Gtk
+($GPG_SIGN -ab $ZIP_FILE && $GPG_SIGN --verify $ZIP_FILE.asc) || exit 1
 exit 0
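Review bot: `GPG_SIGN=$2` is taken without any check, unlike `PIDGIN_BASE=$1`, which is validated in the lines that follow it; if the second argument is missing or empty, the script does all the download and zip work and only fails at the very end, where the unquoted `$GPG_SIGN -ab $ZIP_FILE` in the last hunk executes `-ab` as the command and produces a "command not found" that says nothing about the real cause. A usage check at the top, `GPG_SIGN=${2:?"$(basename $0) needs the gpg signing command as the second parameter"}`, would fail fast with a clear message.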
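Review bot: The added comment above `GPG_BASE=` records a deliberate security decision — the downloaded GTK+ runtime must be verified with the real gpg even when the caller has substituted something else for `$GPG_SIGN` to skip signing its own output — but it is missing a word and reads as "we don't this validation to be bypassed". Suggested wording: `#This doesn't use $GPG_SIGN because we don't want this validation to be bypassed when people are skipping signing output`.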