Gitian windows signing normalization #6354

pull theuni wants to merge 2 commits into bitcoin:master from theuni:gitian-winsign-normalize changing 3 files +27 −20
  1. theuni commented at 8:40 PM on June 29, 2015: member

    Sorry for yet another PR here. This one includes @michagogo's suggestions and doc changes. It replaces #6343 and #6342.

    Teach gitian to output a -win-unsigned.tar.gz similar to OSX. The signer will attempt to combine any "-unsigned.exe" with a matching "*-unsigned.exe.pem" from the detatched signature repo.

    Also note that the new target signature dir for windows has changed from "${VERSION}-win" to "${VERSION}-win-unsigned".

    Tested with a phony tag and signature.

    Safe for backport, should be good to go for rc3.

  2. theuni force-pushed on Jun 29, 2015
  3. Michagogo commented at 5:55 AM on June 30, 2015: contributor

    Minor nit: NSIS shouldn't output installers with unsigned in the name. Unless I'm misunderstanding, the .dmg that the (non-gitian) build process for OS X outputs doesn't contain that in the name, and that's a good thing. The {un,}signed only makes sense in the context of the gitian process, so gitian should include it in output file names, but the normal build process (e.g. if you're building yourself) shouldn't.

  4. laanwj added the label Build system on Jun 30, 2015
  5. laanwj added this to the milestone 0.11.0 on Jun 30, 2015
  6. laanwj commented at 10:36 AM on June 30, 2015: member

    Thanks! @michagogo That comment sounds sensible to me.

  7. theuni commented at 2:40 PM on June 30, 2015: member

    Ok, I'll revert that and change the name in the win descriptor instead.

  8. gitian: make the windows signing process match OSX a3ba9a553a
  9. Michagogo commented at 3:11 PM on June 30, 2015: contributor

    There's still the difference in where the tools for the signature application are built... It seems weird to have to manually download those files when we already have a process for fetching and building things that we need for the build process, which is used for OS X. And there's also the fact that the OS X tarball is a full package of everything you need to apply the signature, while Windows is just the installer binaries.

  10. Michagogo commented at 3:15 PM on June 30, 2015: contributor

    Oh, and are the process and tools for creating the detached signature (the commands/script to perform the signing and detach the signature) in the repo somewhere? They are in OS X (contrib/macdeploy/detached-sig-create.sh).

  11. Ideal release process for Windows detached signing
    This is an ideal version of what the release process should look like,
making it more consistent with the OS X process. Some of the changes
described here would need to be made in the descriptors, which is somewhat
beyond what I would feel comfortable doing, not really understanding the signature process in depth.

[skip ci]
    6e849b8309
  12. theuni force-pushed on Jun 30, 2015
  13. laanwj commented at 3:26 PM on June 30, 2015: member

    @Michagogo Manually download which files? The idea is to distribute the Windows and OSX signatures in the same way, through the bitcoin-detached-sigs repository.

    If you mean the osslsigncode-1.7.1.tar.gz I certainly don't think they should be part of the signature, nor automatically downloaded by depends. They are not required for the build, just for signing. It was your own argument to make the split between building and gitian clearer.

  14. theuni commented at 3:27 PM on June 30, 2015: member

    Updated as suggested. @Michagogo All of those differences come from the fact that building the osx attacher is a nasty, complicated process, while the Linux attacher is a simple tool. Since signing is only used during the gitian/release process, I don't see any point in adding osslsigntool to depends.

  15. laanwj commented at 3:28 PM on June 30, 2015: member

    utACK

  16. theuni commented at 3:31 PM on June 30, 2015: member

    @Michagogo as for instructions for signing and maybe a wrapper around osslsigntool to make it foolproof, that's a reasonable suggestion. I'll add that soonish. Not a blocker here, though.

  17. Michagogo commented at 3:36 PM on June 30, 2015: contributor

    I assume you mean the Windows attacher. Okay, I guess that makes sense. As mentioned in IRC recently, it's considered a good practice to also sign the binaries inside the installer, but that's also not worth delaying this (and rc3) for, since on Windows the place where it's actually user-facing is the UAC prompt on installation, as opposed to on Macs where the actual binary that runs needs to be signed. BTW, do we also timestamp?

  18. theuni commented at 3:43 PM on June 30, 2015: member

    Yes

  19. laanwj merged this on Jun 30, 2015
  20. laanwj closed this on Jun 30, 2015
  21. laanwj referenced this in commit da77a6f761 on Jun 30, 2015
  22. laanwj referenced this in commit bdf0d94d45 on Jun 30, 2015
  23. laanwj referenced this in commit bad1e8b358 on Jun 30, 2015
  24. laanwj commented at 4:15 PM on June 30, 2015: member

    backported to 0.11 as via bdf0d94 bad1e8b

  25. theuni commented at 4:22 PM on June 30, 2015: member

    @Michagogo here's a quick go at a signing script that matches the current process. Note that the modified osslsigncode is needed for the "-pem" option.

    #!/bin/sh
set -e

TIMESTAMP_URL=http://timestamp.comodoca.com/authenticode

if [ ! -n "$1" ]; then
  echo "usage: $0 <extra osslsigncode args>"
  echo "example: $0 -pkcs12 /path/to/keys.p12 -pass mypass"
  exit 1
fi

if [ -z ${OSSLSIGNCODE} ]; then
  OSSLSIGNCODE=osslsigncode
fi

find . -name "*-unsigned.exe" | while read i; do
  echo "Signing: ${i}"
  INFILE="`basename "${i}"`"
  OUTFILE="`echo "${INFILE}".temp`"
  SIG="`echo "${INFILE}".pem`"
  ${OSSLSIGNCODE} sign "$@" -t ${TIMESTAMP_URL} -in "${INFILE}" -out "${OUTFILE}"
  ${OSSLSIGNCODE} extract-signature -pem -in "${OUTFILE}" -out "${SIG}"
  rm "${OUTFILE}"
done
  26. Michagogo commented at 4:25 PM on June 30, 2015: contributor

    You probably want to quote the ${OSSLSIGNCODE} -- I've had issues with [ -z ] not returning what would be expected, while [ -z "" ] did work.

  27. theuni deleted the branch on Jun 30, 2015
  28. laanwj commented at 4:35 AM on July 1, 2015: member

    I noticed while signing 0.11.0rc3: The output of the windows signer has the versioned names bitcoin-0.11.0-win32-setup.exe and bitcoin-0.11.0-win64-setup.exe, whereas the osx signer produces bitcoin-osx-signed.dmg.

    Let's do the same for the latter e.g. remove the -signed, add the version, so bitcoin-0.11.0-osx.dmg.

    The new process works great apart from that.

  29. MarcoFalke locked this on Sep 8, 2021
Contributors
theuniMichagogolaanwj
Labels
Build system

Milestone
0.11.0

Linked (view graph)
#6342 Improve release process for the Windows detached sig process#6343 Win signed cleanup ideal
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-18 15:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me