theuni
commented at 1:39 AM on January 11, 2017:
member
A dev came around IRC today asking for help with some of these manual steps, so I figured it would be helpful to go ahead and script it up. This is an ancient todo of mine.
To match the osx signing procedure, pack the needed ingredients into the unsigned tarball. This makes the signing procedure very straightforward.
Additionally, the cert chain has been added so that the signer doesn't provide it, only the private key for the codesigning cert. Note that the gitian recipe for re-attaching the signature does not actually verify this yet, though.
Also added some quick docs for the procedure.
release: add win detached sig creator and our cert chain
To ensure that this is the correct chain, it is pulled from a previous release
binary.
Procedure:
$ osslsigncode extract-signature -pem -in bitcoin-0.13.2-win32-setup.exe \
-out bitcoin-0.13.2-win32-setup.exe.pem
$ openssl pkcs7 -print_certs -in bitcoin-0.13.2-win32-setup.exe.pem \
-out win-codesign.cert
Hand-edit to remove comments, as well as the timestamp cert.
00683615df
release: create a bundle for the new signing script
Also change the mac filename to match
The procedure remains the same, but now there's a nifty script to automate
the signing process.
Future steps:
- Build osslsigncode in the gitian-win descriptor so that the signer itself is
deterministic.
- Verify in the gitian-win-signer descriptor that the expected cert chain was
used.
f642753887
release: update docs to show basic codesigning procedure
09fe2d9ec4
fanquake added the label Build system on Jan 11, 2017
fanquake added the label Docs and Output on Jan 11, 2017
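Added example, not part of this pull request or the project's scripts: one way to script the "hand-edit" step from the first commit message (strip the comment lines from `openssl pkcs7 -print_certs` output and drop the timestamp cert), plus a byte-for-byte check of a freshly extracted chain against the committed one. The function names, the `Timestamp` subject pattern and the sample certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the PR's code).

# pem_only [SKIP_REGEX]
# Reads `openssl pkcs7 -print_certs` output on stdin and writes only the PEM
# blocks, dropping the subject=/issuer= comment lines and blank lines.
# A cert whose preceding "subject=" line matches SKIP_REGEX is dropped whole.
pem_only() {
    awk -v skip="${1:-}" '
        /^subject=/                    { drop = (skip != "" && $0 ~ skip) }
        /^-----BEGIN CERTIFICATE-----/ { inpem = 1 }
        inpem && !drop                 { sub(/\r$/, ""); print }
        /^-----END CERTIFICATE-----/   { inpem = 0; drop = 0 }
    '
}

# chain_matches EXPECTED_FILE [SKIP_REGEX]
# Succeeds only if the filtered chain on stdin is identical to EXPECTED_FILE
# (for example a committed win-codesign.cert).
chain_matches() {
    pem_only "${2:-}" | cmp -s - "$1"
}

# Constructed sample in the shape of -print_certs output; the base64 bodies
# are placeholders, not real certificates.
sample_print_certs() {
    cat <<'EOF'
subject=/CN=Example Code Signer (constructed)
issuer=/CN=Example Intermediate CA (constructed)
-----BEGIN CERTIFICATE-----
AAAAc2lnbmVyLWNlcnQtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----

subject=/CN=Example Timestamp Responder (constructed)
issuer=/CN=Example Timestamp CA (constructed)
-----BEGIN CERTIFICATE-----
AAAAdGltZXN0YW1wLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----

subject=/CN=Example Intermediate CA (constructed)
issuer=/CN=Example Root CA (constructed)
-----BEGIN CERTIFICATE-----
AAAAaW50ZXJtZWRpYXRlLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
EOF
}

# Usage: print the cleaned chain without the timestamp cert.
sample_print_certs | pem_only 'Timestamp'
```

A mismatch from `chain_matches` means the extracted chain differs from the expected file in content or order, which is the condition the "Future steps" item wants the signer descriptor to catch.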
losh11
commented at 8:23 AM on January 11, 2017:
none
👍
MarcoFalke
commented at 10:18 AM on January 11, 2017:
member
Concept ACK 09fe2d9
laanwj
commented at 12:43 PM on January 11, 2017:
member
Concept ACK. Good to automate this!
fanquake
commented at 11:54 PM on January 20, 2017:
member
Concept ACK. Planning on testing this shortly.
laanwj added this to the milestone 0.14.1 on Mar 9, 2017
laanwj added this to the milestone 0.15.0 on Mar 9, 2017
laanwj removed this from the milestone 0.14.1 on Mar 9, 2017
laanwj
commented at 9:17 AM on March 9, 2017:
member
Assigning 0.15.0 milestone.
theuni
commented at 9:56 PM on March 10, 2017:
member
Ah, thanks for the reminder. I used the script/certs to sign all of the 0.14.0 binaries and never heard any complaints. So I'm assuming this is good to go :)
laanwj
commented at 6:36 AM on March 13, 2017:
member
This is a metadata mirror of the GitHub repository bitcoin/bitcoin.