This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
[PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
- From: Jon Turney <jon dot turney at dronecode dot org dot uk>
- To: cygwin-apps at cygwin dot com
- Cc: Jon Turney <jon dot turney at dronecode dot org dot uk>
- Date: Mon, 12 Dec 2016 13:29:29 +0000
- Subject: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
- Authentication-results: sourceware.org; auth=none
- References: <20161212132929.58904-1-jon.turney@dronecode.org.uk>
As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
This is quite straightforward, but unfortunately, requires a non-technical
problem to be solved to complete.
1/ A code signing certificate signed by a CA is required.
2/ The signature should be timestamped, so that it remains valid after the
signing key expires, but I assume you have to use the timestamp service of
the CA that signed the key.
Signed-off-by: Jon Turney <jon.turney@dronecode.org.uk>
---
.gitignore | 2 ++
Makefile.am | 13 +++++++++++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 8b81166..a27cae3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,5 @@ autoconf.h.in*
inilex.cc
iniparse.cc
iniparse.hh
+cygwin.crt
+cygwin.key
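Review bot: ignoring cygwin.key in this hunk means the signing private key is expected to sit inside the source tree, where the sign rule reads it as $(srcdir)/cygwin.key. An ignore entry only keeps the file out of commits; it does nothing for a working directory that gets copied, archived or shared. Consider taking the certificate and key paths from make variables, so the key can live outside the checkout with restricted permissions or on a hardware token, and then these two ignore entries are not needed.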
diff --git a/Makefile.am b/Makefile.am
index 12ad5ca..5afbb9f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -293,8 +293,8 @@ setup-src:
git ls-files | tar -T - -cJf ${CURDIR}/$$ver-src.tar.xz;\
echo $$ver-src.tar.xz; exec rm -f $$ver
-# optional: strip and compress executable
-.PHONY: strip upx
+# optional: strip, compress and sign executable
+.PHONY: strip upx sign
strip: all
$(OBJCOPY) --add-gnu-debuglink=/dev/null --only-keep-debug setup$(EXEEXT) setup.dbg
@@ -307,3 +307,12 @@ upx: strip
else \
echo "UPX doesn't seem to be installed, cannot compress setup$(EXEEXT)." ;\
fi
+
+sign: upx
+ @if [ -e `which osslsigncode` ]; then \
+ osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\
+ chmod +x setup-signed.exe ;\
+ mv setup-signed.exe setup.exe ;\
+ else \
+ echo "osslsigncode not found, cannot sign setup$(EXEEXT)." ;\
+ fi
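Review bot: the tool check on the first line of the sign recipe, [ -e `which osslsigncode` ], does not fail when osslsigncode is missing. When which prints nothing the test collapses to [ -e ], and a one-argument test is true for any non-empty string, so the signing branch runs anyway. Something like "if command -v osslsigncode >/dev/null 2>&1; then" avoids that. The else branch only echoes, so "make sign" exits 0 and leaves an unsigned setup.exe behind; for a signing target it should end in "exit 1" so a release build cannot pass unsigned. The chmod and mv lines also hard-code setup-signed.exe and setup.exe while the osslsigncode line uses $(EXEEXT), and the osslsigncode command carries no timestamp option even though the commit message says the signature should be timestamped.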
--
2.8.3