release: Windows signing script #9514

Merged
merged 3 commits into from
Mar 13, 2017

theuni
Member

@theuni theuni commented Jan 11, 2017

A dev came around IRC today asking for help with some of these manual steps, so I figured it would be helpful to go ahead and script it up. This is an ancient todo of mine.

To match the osx signing procedure, pack the needed ingredients into the unsigned tarball. This makes the signing procedure very straightforward.

Additionally, the cert chain has been added so that the signer doesn't provide it, only the private key for the codesigning cert. Note that the gitian recipe for re-attaching the signature does not actually verify this yet, though.

Also added some quick docs for the procedure.

To ensure that this is the correct chain, it is pulled from a previous release
binary.

Procedure:
$ osslsigncode extract-signature -pem -in bitcoin-0.13.2-win32-setup.exe \
    -out bitcoin-0.13.2-win32-setup.exe.pem
$ openssl pkcs7 -print_certs -in bitcoin-0.13.2-win32-setup.exe.pem \
    -out win-codesign.cert

Hand-edit to remove comments, as well as the timestamp cert.
Also change the mac filename to match

The procedure remains the same, but now there's a nifty script to automate
the signing process.

Future steps:
- Build osslsigncode in the gitian-win descriptor so that the signer itself is
  deterministic.
- Verify in the gitian-win-signer descriptor that the expected cert chain was
  used.
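
The "hand-edit" step and the "verify the expected cert chain" future step described above, as an added example (not code from this pull request): it parses `openssl pkcs7 -print_certs` output, drops the comment lines and the timestamp cert, and compares SHA-256 fingerprints against a pinned chain. The function names, the subject strings and the sample "certificate" bytes are assumptions constructed for illustration.

```python
import base64
import hashlib

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def parse_print_certs(text):
    """Parse `openssl pkcs7 -print_certs` output into [(subject, der_bytes)]."""
    certs, subject, body = [], "", None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("subject="):
            subject = line[len("subject="):]
        elif line == BEGIN:
            body = []
        elif line == END and body is not None:
            certs.append((subject, base64.b64decode("".join(body), validate=True)))
            subject, body = "", None
        elif body is not None:
            body.append(line)
    if body is not None:
        raise ValueError("truncated PEM block")
    return certs

def to_clean_pem(certs):
    """Re-emit only the PEM blocks: no subject=/issuer= comment lines."""
    out = []
    for _, der in certs:
        b64 = base64.b64encode(der).decode()
        out += [BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END]
    return "\n".join(out) + "\n"

def check_chain(extracted_text, pinned_text, timestamp_subject):
    """Compare a signed binary's chain (minus the timestamp cert) to the pinned one.
    Returns (ok, unexpected_sha256_fingerprints)."""
    fp = lambda der: hashlib.sha256(der).hexdigest()
    got = [fp(d) for s, d in parse_print_certs(extracted_text)
           if timestamp_subject not in s]
    pinned = {fp(d) for _, d in parse_print_certs(pinned_text)}
    unexpected = [f for f in got if f not in pinned]
    return (not unexpected and set(got) == pinned), unexpected

# Constructed sample data: the "DER" bytes are stand-ins, not real certificates.
def sample_entry(subject, der):
    return (f"subject={subject}\nissuer=/CN=Example Root\n"
            + to_clean_pem([(subject, der)]) + "\n")

LEAF = sample_entry("/CN=Example Code Signer", b"constructed-leaf")
INTERMEDIATE = sample_entry("/CN=Example Intermediate CA", b"constructed-intermediate")
TIMESTAMP = sample_entry("/CN=Example Timestamp Authority", b"constructed-tsa")
PINNED = to_clean_pem(parse_print_certs(LEAF + INTERMEDIATE))

if __name__ == "__main__":
    print(check_chain(LEAF + INTERMEDIATE + TIMESTAMP, PINNED, "Timestamp"))
```

Fingerprinting the decoded bytes rather than comparing PEM text keeps the check insensitive to line wrapping and to leftover comment lines in either file.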
@losh11

losh11 commented Jan 11, 2017

👍

@maflcko
Member

maflcko commented Jan 11, 2017

Concept ACK 09fe2d9

@laanwj
Member

laanwj commented Jan 11, 2017

Concept ACK. Good to automate this!

@fanquake
Member

Concept ACK. Planning on testing this shortly.

@laanwj laanwj modified the milestones: 0.14.1, 0.15.0 Mar 9, 2017
@laanwj
Member

laanwj commented Mar 9, 2017

Assigning 0.15.0 milestone.

@theuni
Member Author

theuni commented Mar 10, 2017

Ah, thanks for the reminder. I used the script/certs to sign all of the 0.14.0 binaries and never heard any complaints. So I'm assuming this is good to go :)

@laanwj
Member

laanwj commented Mar 13, 2017

Awesome!
utACK 09fe2d9

@laanwj laanwj merged commit 09fe2d9 into bitcoin:master Mar 13, 2017
laanwj added a commit that referenced this pull request Mar 13, 2017
09fe2d9 release: update docs to show basic codesigning procedure (Cory Fields)
f642753 release: create a bundle for the new signing script (Cory Fields)
0068361 release: add win detached sig creator and our cert chain (Cory Fields)

Tree-SHA512: 032ad84697c70faaf857b9187f548282722cffca95d658e36413dc048ff02d9183253373254ffcc1158afb71140753f35abfc9fc8781ea5329c04d13c98759c0
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Jan 21, 2019
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Jan 29, 2019
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Feb 26, 2019
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Feb 26, 2019
UdjinM6 pushed a commit to UdjinM6/dash that referenced this pull request Mar 9, 2019
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Mar 10, 2019
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Sep 8, 2021