build: use new fork of osslsigncode for windows gitian signing #16669

pull fanquake wants to merge 1 commits into bitcoin:master from fanquake:osslsigncode_2_0 changing 3 files +12 −17
  1. fanquake commented at 11:30 AM on August 20, 2019: member

    The original osslsigncode project, https://sourceforge.net/projects/osslsigncode, has been marked as abandonware:

    "This is now - and has been for a long while - abandonware. Feel free to create your own forks etc."

    However, a fork has emerged, https://github.com/mtrojnar/osslsigncode, that has incorporated theuni's patches (add the -pem option in extract-signature mode & add the attach-signature command) as well as updated the tool to work with OpenSSL 1.1 and other improvements.

    This commit switches the windows signer descriptor to use this new version of osslsigncode.

    I've tested using this new version of osslsigncode while doing a 0.18.1 gitian build, and it "seems" to work. However this needs a look over from Cory, to check if the tool is still compatible with his usage in the detached-sig-create.sh script, as well as some review of the changes to osslsigncode itself. Hence WIP and chasing Concept ACKs / NACKs.

  2. fanquake added the label Build system on Aug 20, 2019
  3. fanquake added the label Needs gitian build on Aug 20, 2019
  4. fanquake added the label Needs Conceptual Review on Aug 20, 2019
  5. fanquake requested review from theuni on Aug 20, 2019
  6. emilengler commented at 2:31 PM on August 20, 2019: contributor

    I like the idea, I'm not a fan of using abandonware, it could include security issues which shouldn't happen to release builds.

  7. theuni commented at 9:30 PM on August 20, 2019: member

    Concept ACK. Agree that we want to be using a maintained version.

    Have any distros switched to this fork?

    As @fanquake said, we'll obviously need to double-check that it doesn't break our current usage. We should also do a quick audit that it doesn't steal keys, since it uses the net for a timestamp.

  8. fanquake commented at 12:35 AM on August 21, 2019: member

    Have any distros switched to this fork?

    Ubuntu Disco (19.04) - https://packages.ubuntu.com/disco/osslsigncode
    Debian Buster (10.0) - https://packages.debian.org/buster/osslsigncode

  9. DrahtBot removed the label Needs gitian build on Aug 21, 2019
  10. DrahtBot commented at 5:43 AM on August 24, 2019: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    No conflicts as of last run.

  11. laanwj commented at 11:50 AM on September 16, 2019: member

    Concept ACK

  12. fanquake force-pushed on Sep 23, 2019
  13. in contrib/gitian-descriptors/gitian-win-signer.yml:9 in e3ba92f19d outdated
       5 | @@ -6,15 +6,15 @@ suites:
       6 |  architectures:
       7 |  - "amd64"
       8 |  packages:
       9 | -# Once osslsigncode supports openssl 1.1, we can change this back to libssl-dev
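
    Review bot: line 9 drops the only comment explaining the OpenSSL package choice, and the lines shown carry nothing in its place. Consider a one-line comment next to the package entry stating which OpenSSL series the signer build is expected to link against, so the version is clear from the descriptor alone.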
    


    theuni commented at 2:40 PM on October 11, 2019:

    I actually think we should prefer being specific here, so that we know at a glance what version we're using. I assume there's a libssl1.1-dev as well?


    fanquake commented at 3:45 PM on October 11, 2019:

    I agree that more specific would be preferred, however from what I can see, it doesn't look like it. In an ubuntu:bionic container:

    apt search libssl
    libssl-dev/bionic-updates,bionic-security,now 1.1.1-1ubuntu2.1~18.04.4 amd64 [installed]
    libssl1.0-dev/bionic-updates,bionic-security 1.0.2n-1ubuntu5.3 amd64
    libssl1.0.0/bionic-updates,bionic-security,now 1.0.2n-1ubuntu5.3 amd64 [residual-config]
    libssl1.1/bionic-updates,bionic-security,now 1.1.1-1ubuntu2.1~18.04.4 amd64
    

    So no libssl1.1-dev package, only libssl1.0-dev or libssl-dev (which is at 1.1.1).


    laanwj commented at 7:09 PM on October 21, 2019:

    this makes sense, debian tends to only have versioned -dev packages when supporting an old version

  14. in contrib/gitian-descriptors/gitian-win-signer.yml:34 in e3ba92f19d outdated
      34 | -  cd osslsigncode-1.7.1
      35 | -  patch -p1 < ${BUILD_DIR}/osslsigncode-Backports-to-1.7.1.patch
      36 | +  tar xf osslsigncode-2.0.tar.gz
      37 | +  cd osslsigncode-2.0
      38 |  
      39 | +  ./autogen.sh
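
    Review bot: no integrity check on osslsigncode-2.0.tar.gz is visible before `tar xf` at line 36, and line 39 then runs `./autogen.sh` from that tree, so whatever the tarball contains is executed inside the signing build. If a `sha256sum -c` step for the new tarball does not already sit just above this context, add one ahead of the extraction. Since the autotools step is new here, also confirm the descriptor's packages list provides what `autogen.sh` needs.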
    


    theuni commented at 2:41 PM on October 11, 2019:

    TODO: report to upstream that their release tarball isn't bootstrapped.

  15. theuni commented at 2:43 PM on October 11, 2019: member

    Concept ACK. This PR actually came in really handy when signing the recent releases, as I ran into the compatibility issues.

  16. fanquake force-pushed on Oct 11, 2019
  17. laanwj commented at 7:10 PM on October 21, 2019: member

    Concept ACK. This PR actually came in really handy when signing the recent releases, as I ran into the compatibility issues.

    Looks like this can go out of draft status then?

  18. build: use osslsigncode 2.0 in gitian
    The original osslsigncode project (https://sourceforge.net/projects/osslsigncode/) has been marked as abandonware,
    "This is now - and has been for a long while - abandonware. Feel free to create your own forks etc.".
    
    However, a fork at https://github.com/mtrojnar/osslsigncode has emerged that has incorporated
    theuni's patches, updated the tool to work with OpenSSL 1.1 and made other improvements.
    
    This commit switches the windows signer descriptor to use this new version of osslsigncode.
    feb5075777
  19. fanquake renamed this:
    [WIP] build: use new fork of osslsigncode for windows gitian signing
    build: use new fork of osslsigncode for windows gitian signing
    on Oct 22, 2019
  20. fanquake force-pushed on Oct 22, 2019
  21. fanquake marked this as ready for review on Oct 22, 2019
  22. fanquake commented at 12:33 AM on October 22, 2019: member

    Looks like this can go out of draft status then?

    Rebased and removed [WIP].

  23. MarcoFalke added the label Windows on Oct 22, 2019
  24. MarcoFalke deleted a comment on Oct 22, 2019
  25. fanquake removed the label Needs Conceptual Review on Oct 28, 2019
  26. laanwj added this to the milestone 0.20.0 on Oct 30, 2019
  27. MarcoFalke commented at 6:43 PM on November 12, 2019: member

    Concept ACK feb507577797518d0bee1774327d215e19d1ba34 given that this upstream is now used in Ubuntu and Debian

  28. laanwj commented at 1:38 PM on November 18, 2019: member

    ACK feb507577797518d0bee1774327d215e19d1ba34

  29. laanwj referenced this in commit 6fde676f64 on Nov 18, 2019
  30. laanwj merged this on Nov 18, 2019
  31. laanwj closed this on Nov 18, 2019

  32. fanquake deleted the branch on Nov 18, 2019
  33. sidhujag referenced this in commit 63bc3602c2 on Nov 18, 2019
  34. UdjinM6 referenced this in commit 7f8b8b31e4 on Jan 1, 2020
  35. UdjinM6 referenced this in commit cbf9c54a1d on Jan 10, 2020
  36. barrystyle referenced this in commit b302a7d97a on Jan 22, 2020
  37. MarkLTZ referenced this in commit 71bc1598ab on Apr 10, 2020
  38. sidhujag referenced this in commit ea705a93e0 on Nov 10, 2020
  39. random-zebra referenced this in commit 41064cf016 on Mar 4, 2021
  40. ckti referenced this in commit 8acba9e7d9 on Mar 28, 2021
  41. ckti referenced this in commit 531822330a on Mar 28, 2021
  42. DrahtBot locked this on Dec 16, 2021

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.