gitian: add a gitian-win-signer descriptor #6303

theuni wants to merge 1 commit into bitcoin:master from theuni:gitian-win-signer, changing 2 files (+54 −12)
  1. theuni commented at 10:38 PM on June 18, 2015: member

    This makes Windows signing match the current OSX signing process.

    osslsigncode has been patched to detach and re-attach Windows signatures. The changes can be seen here: https://github.com/theuni/osslsigncode/commits/attach-signature

    There's a pull-request open upstream for the changes: https://sourceforge.net/p/osslsigncode/osslsigncode/merge-requests/3/

    This work has been back-ported to the stable 1.7.1 release of osslsigncode, so that a smaller patch can be reviewed. Hopefully we'll get the changes merged upstream for the next release so that we can drop the patches here.

    For reference, I've pushed the detached sigs that would've been used for 0.11.0rc2 here: https://github.com/bitcoin/bitcoin-detached-sigs/commit/329d2e8f0af8d71300c75c007fe4f384b4df12b1

    For a test, I created a phony tag in my local bitcoin-detached-sigs repository and re-attached the 0.11.0rc2 .exe's from the detached sigs here: https://github.com/bitcoin/bitcoin-detached-sigs/commit/329d2e8f0af8d71300c75c007fe4f384b4df12b1. No surprise, they matched our release binaries.

    If desired, this should be safe to use for 0.11.0-rc3.

  2. gitian: add a gitian-win-signer descriptor
    This is exactly like the current OSX signing process.
    
    osslsigncode has been patched to detach and re-attach Windows signatures.
    The changes can be seen here: https://github.com/theuni/osslsigncode/commits/attach-signature
    
    There's a pull-request open upstream for the changes:
    https://sourceforge.net/p/osslsigncode/osslsigncode/merge-requests/3/
    
    This work has been back-ported to the stable 1.7.1 release of osslsigncode, so
    that a smaller patch can be reviewed.
    d08cfc2bd7
  3. theuni commented at 12:20 AM on June 19, 2015: member

    ping @jonasschnelli. Looks like the new setban/listbanned stuff introduced a race somewhere.

  4. theuni commented at 12:41 AM on June 19, 2015: member

    @jonasschnelli CNode::ClearBanned() doesn't lock, that looks like a good candidate for the issue here.

  5. jonasschnelli commented at 4:56 AM on June 19, 2015: contributor

    @theuni: oh. Thanks for the finding! Will have a look at it.

  6. jonasschnelli commented at 11:53 AM on June 19, 2015: contributor

    @theuni: Fix done. Please check #6307. Thanks.

  7. laanwj commented at 3:26 PM on June 19, 2015: member

    Nice, utACK, will respin travis after #6307 merged

  8. theuni commented at 3:51 PM on June 19, 2015: member

    I probably should've mentioned, this one's much easier to actually test/use than OSX, because it doesn't require crazy toolchain tricks to build.

    You can easily play with it by building from the attach-signature branch of https://github.com/theuni/osslsigncode/. It's just a typical ./configure && make. Then you can take a release .exe and strip off its sig:

    ./osslsigncode extract-signature -pem -in bitcoin-0.11.0rc2-win32-setup.exe -out sig32.pem
    

    re-attach to the unsigned .exe from gitian:

    ./osslsigncode attach-signature -sigin sig32.pem -in bitcoin-0.11.0-win32-setup.exe -out re-signed.exe
    

    then verify that re-signed.exe == bitcoin-0.11.0rc2-win32-setup.exe

  9. laanwj commented at 4:18 PM on June 19, 2015: member

    Works for me:

    $ sha256sum bitcoin-0.11.0rc2-win64-setup.exe re-signed.exe 
    d2f076a051f3e17f0463e388a4a0a261ba977d66b2efcdd639765f98d03476a3  bitcoin-0.11.0rc2-win64-setup.exe
    d2f076a051f3e17f0463e388a4a0a261ba977d66b2efcdd639765f98d03476a3  re-signed.exe
    
  10. fanquake commented at 4:44 AM on June 21, 2015: member

    Also works for me:

    xxx:osslsigncode $ ./osslsigncode extract-signature -pem -in bitcoin-0.11.0rc2-win32-setup.exe -out sig32.pem
    Succeeded
    xxx:osslsigncode $ ./osslsigncode attach-signature -sigin sig32.pem -in bitcoin-0.11.0-win32-setup.exe -out re-signed.exe
    Current PE checksum   : 00BA7F5F
    Calculated PE checksum: 00BA7F5F
    
    Message digest algorithm  : SHA1
    Current message digest    : 056184C31F9A1E67688A628181A254CD220105EA
    Calculated message digest : 056184C31F9A1E67688A628181A254CD220105EA
    
    Signature verification: ok
    
    Number of signers: 1
        Signer #0:
            Subject: /C=US/postalCode=98104/ST=WA/L=Seattle/street=Ste 300/street=71 Columbia St/O=The Bitcoin Foundation, Inc./CN=The Bitcoin Foundation, Inc.
            Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
            Serial : 84A31812495BFAA126E4F1CF3E93A111
    
    Number of certificates: 3
        Cert #0:
            Subject: /C=US/postalCode=98104/ST=WA/L=Seattle/street=Ste 300/street=71 Columbia St/O=The Bitcoin Foundation, Inc./CN=The Bitcoin Foundation, Inc.
            Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
            Serial : 84A31812495BFAA126E4F1CF3E93A111
        ------------------
        Cert #1:
            Subject: /C=US/postalCode=98104/ST=WA/L=Seattle/street=Ste 300/street=71 Columbia St/O=The Bitcoin Foundation, Inc./CN=The Bitcoin Foundation, Inc.
            Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
            Serial : 84A31812495BFAA126E4F1CF3E93A111
        ------------------
        Cert #2:
            Subject: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Time Stamping Signer
            Issuer : /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
            Serial : 9FEAC811B0F16247A5FC20D80523ACE6
    
    Signature successfully attached.
    xxx:osslsigncode $ shasum -a 256 bitcoin-0.11.0rc2-win32-setup.exe re-signed.exe
    46b8bd99b9adcf2def6686e39dd06e1b8c34297ec24f1a45fb21526bba682721  bitcoin-0.11.0rc2-win32-setup.exe
    46b8bd99b9adcf2def6686e39dd06e1b8c34297ec24f1a45fb21526bba682721  re-signed.exe
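
Why a signature detached from the release verifies on a separately built unsigned installer, as an added example that is not part of this thread or of osslsigncode: the Authenticode digest skips the PE CheckSum field, the security directory entry and the certificate table, so it is the same for the signed and unsigned copies of one build. The images and the `PKCS7-BLOB` placeholder are constructed, the function names are hypothetical, and zero-padding an unsigned image to 8 bytes before hashing is an assumption.

```python
import hashlib
import struct

def layout(pe):
    """Return file offsets of the CheckSum field and the security directory entry."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24  # optional header follows the signature and 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    return opt + 64, dirs + 8 * 4  # directory entry 4 = certificate table

def signature_blob(pe):
    """Return the certificate table (the detachable signature), b'' if unsigned."""
    off, size = struct.unpack_from("<II", pe, layout(pe)[1])
    return pe[off:off + size] if size else b""

def authenticode_digest(pe, algo="sha1"):
    """Hash the image, skipping CheckSum, the security directory entry and the
    certificate table, so signed and unsigned copies of one build agree."""
    chk, sec = layout(pe)
    off, size = struct.unpack_from("<II", pe, sec)
    end = off if size else len(pe)
    h = hashlib.new(algo)
    for part in (pe[:chk], pe[chk + 4:sec], pe[sec + 8:end]):
        h.update(part)
    if not size:
        h.update(b"\0" * (-len(pe) % 8))  # assumption: table starts 8-byte aligned
    return h.hexdigest()

def make_image(code, blob=b"", checksum=0):
    """Constructed minimal PE32 header plus payload; sample data for this demo."""
    hdr = bytearray(0x40 + 24 + 224)
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)      # PE32 magic
    struct.pack_into("<I", hdr, 0x40 + 24 + 64, checksum)
    img = bytearray(bytes(hdr) + code)
    if blob:
        img += b"\0" * (-len(img) % 8)
        struct.pack_into("<II", img, 0x40 + 24 + 96 + 32, len(img), len(blob))
        img += blob
    return bytes(img)

UNSIGNED = make_image(b"installer payload")                       # own gitian build
SIGNED = make_image(b"installer payload", b"PKCS7-BLOB", 0x1234)  # signed release
TAMPERED = make_image(b"installer pAyload", b"PKCS7-BLOB", 0x1234)
```

Comparing `authenticode_digest()` of a locally built unsigned installer with that of the signed release shows whether the two differ only in the signature, even though their plain SHA-256 hashes differ.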
    
  11. laanwj merged this on Jun 22, 2015
  12. laanwj closed this on Jun 22, 2015

  13. laanwj referenced this in commit b77fbe095f on Jun 22, 2015
  14. laanwj referenced this in commit b7115995d7 on Jun 22, 2015
  15. laanwj commented at 2:20 PM on June 22, 2015: member

    Cherry-picked to 0.11 as b7115995d711ae64fc4a4e5954db7f6130ffee2f

  16. in doc/release-process.md:None in d08cfc2bd7
      78 | @@ -75,7 +79,7 @@ Release Process
      79 |  
      80 |    1. source tarball (bitcoin-${VERSION}.tar.gz)
      81 |    2. linux 32-bit and 64-bit binaries dist tarballs (bitcoin-${VERSION}-linux[32|64].tar.gz)
      82 | -  3. windows 32-bit and 64-bit installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip)
      83 | +  3. windows 32-bit and 64-bit unsigned installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip)
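
    Review bot: on the changed item 3, "unsigned" is added to the description but the filenames in the parentheses stay "bitcoin-${VERSION}-win[32|64]-setup.exe", so the list gives no way to tell an unsigned installer from a signed one by name, and the adjective now also reads as applying to the dist zips. Suggest wording it as "unsigned installers, and dist zips" and adding a separate list item that names the signed installers, so that anyone comparing hashes knows which artifact a given filename refers to.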
    


    Michagogo commented at 4:19 PM on June 25, 2015:

    Unless I'm misreading, you end up with the version not part of the setup filenames, don't you?


    theuni commented at 5:07 PM on June 25, 2015:

    erm, kinda. It spits out files with version in the name, but you move it back into inputs without the version (same as osx). It's done that way so that we don't have to constantly update the gitian descriptor.


    Michagogo commented at 5:09 PM on June 25, 2015:

    Well, yeah, I got that, but the expected output after following this process is that the file is present in inputs, without the version. Now that I look at it, the same discrepancy is present for OS X.

  17. in doc/release-process.md:None in d08cfc2bd7
      66 | @@ -65,7 +67,9 @@ Release Process
      67 |  	mv build/out/bitcoin-*.tar.gz build/out/src/bitcoin-*.tar.gz ../
      68 |  	./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-win.yml
      69 |  	./bin/gsign --signer $SIGNER --release ${VERSION}-win --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win.yml
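
    Review bot: on the gsign context line, "--release ${VERSION}-win" gives no hint that the results being attested are the unsigned build outputs. Since this document now describes the installers as unsigned, suggest either a release name that says so or a sentence next to this command stating that "${VERSION}-win" covers the pre-signing outputs, so that entries in gitian.sigs for the unsigned build cannot be mistaken for attestations of the signed installers.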
    


    Michagogo commented at 4:20 PM on June 25, 2015:

    Shouldn't this be changed to --release ${VERSION}-win-unsigned to match OS X?


    theuni commented at 5:10 PM on June 25, 2015:

    It could be, but that would require that everyone change their current build procedures. As it is, it's only an additional (optional) build step to attach a sig.

    Changing it to match would be fine by me though if that's what's preferred.


    Michagogo commented at 5:12 PM on June 25, 2015:

    I would think that we would want to do it, just like we changed OS X when we introduced detached signing there. Just seems weird to have parallel processes with different filename formats.

  18. MarcoFalke locked this on Sep 8, 2021
