[PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
Jon Turney
jon.turney@dronecode.org.uk
Tue Dec 13 14:36:00 GMT 2016
On 12/12/2016 17:30, Corinna Vinschen wrote:
> Hi Jon,
>
> On Dec 12 13:29, Jon Turney wrote:
>> As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
>>
>> This is quite straightforward, but unfortunately, requires a non-technical
>> problem to be solved to complete.
>>
>> 1/ A code signing certificate signed by a CA is required.
>
> Where do we get one which is trusted, can be checked publically,
> and doesn't cost any money?
This is a trick question, right? You don't :(
> Who will be keymaster and with whom do we share the private key?
>
>> 2/ The signature should be timestamped, so that it remains vaild after the
>> signing key expires, but I assume you have to use the timestamp service of
>> the CA that signed the key.
This is more saying that we should use osslsigncode's -t option, but I
don't quite know how.
Looking at this again, all the examples I find use a certain CA's
timestamp service, so I think perhaps my assumption is wrong.
> Not necessarily. We can workaround that by getting a new key and
> release a new setup.
>
>> +sign: upx
>> + @if [ -e `which osslsigncode` ]; then \
>> + osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\
> ^^^^^^^^^
> $(srcdir)?
>
> This might not be quite right. We need to store the cert in a reasonable
> safe place, certainly not in srcdir (or git).
Yes, this could be done better.
I added these filesname to .gitignore to make sure they didn't end up in
the git repo :)
More information about the Cygwin-apps
mailing list