[PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)

Jon Turney jon.turney@dronecode.org.uk
Tue Dec 13 14:36:00 GMT 2016


On 12/12/2016 17:30, Corinna Vinschen wrote:
> Hi Jon,
>
> On Dec 12 13:29, Jon Turney wrote:
>> As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
>>
>> This is quite straightforward, but unfortunately, requires a non-technical
>> problem to be solved to complete.
>>
>> 1/ A code signing certificate signed by a CA is required.
>
> Where do we get one which is trusted, can be checked publically,
> and doesn't cost any money?

This is a trick question,  right?  You don't :(

> Who will be keymaster and with whom do we share the private key?
>
>> 2/ The signature should be timestamped, so that it remains vaild after the
>> signing key expires, but I assume you have to use the timestamp service of
>> the CA that signed the key.

This is more saying that we should use osslsigncode's -t option, but I 
don't quite know how.

Looking at this again, all the examples I find use a certain CA's 
timestamp service, so I think perhaps my assumption is wrong.

> Not necessarily.  We can workaround that by getting a new key and
> release a new setup.
>
>> +sign:	upx
>> +	@if [ -e `which osslsigncode` ]; then \
>> +		osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\
>                                          ^^^^^^^^^
>                                          $(srcdir)?
>
> This might not be quite right.  We need to store the cert in a reasonable
> safe place, certainly not in srcdir (or git).

Yes, this could be done better.

I added these filesname to .gitignore to make sure they didn't end up in 
the git repo :)



More information about the Cygwin-apps mailing list