/pidgin/main: 156f37832487: Sign all the win32 binaries with GPG...
Daniel Atallah
datallah at pidgin.im
Tue Oct 2 00:16:27 EDT 2012
Changeset: 156f3783248742c30370f26062e87fbdebb69166
Author: Daniel Atallah <datallah at pidgin.im>
Date: 2012-10-02 00:15 -0400
Branch: release-2.x.y
URL: http://hg.pidgin.im/pidgin/main/rev/156f37832487
Description:
Sign all the win32 binaries with GPG (in addition to the authenticode signing for the executables)
* This is potentially unnecessary for the installers that are authenticode signed,
but it's at least needed for the other stuff, so I think it's worthwhile to be
consistent.
diffstat:
.hgignore | 1 +
Makefile.mingw | 42 ++++++++++++++++------------------
libpurple/win32/global.mak | 1 +
pidgin/win32/nsis/generate_gtk_zip.sh | 11 +++++---
4 files changed, 29 insertions(+), 26 deletions(-)
diffs (160 lines):
diff --git a/.hgignore b/.hgignore
--- a/.hgignore
+++ b/.hgignore
@@ -9,6 +9,7 @@ syntax: regexp
.*/perl/common/pm_to_blib$
.*~$
.*\.a$
+.*\.asc$
.*\.bak$
.*\.bs$
.*\.def$
diff --git a/Makefile.mingw b/Makefile.mingw
--- a/Makefile.mingw
+++ b/Makefile.mingw
@@ -33,6 +33,15 @@ awk 'BEGIN {FS="."} { \
GTK_INSTALL_VERSION = 2.16.6.1
+authenticode_sign = $(MONO_SIGNCODE) \
+ -spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
+ -a sha1 -$$ commercial \
+ -n "$(2)" -i "https://pidgin.im" \
+ -t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
+ $(1)
+
+gpg_sign = $(GPG_SIGN) -ab $(1) && $(GPG_SIGN) --verify $(1).asc
+
STRIPPED_RELEASE_DIR = $(PIDGIN_TREE_TOP)/pidgin-$(PIDGIN_VERSION)-win32bin
DEBUG_SYMBOLS_DIR = $(PIDGIN_TREE_TOP)/pidgin-$(PIDGIN_VERSION)-dbgsym
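Review bot: The `--verify` step in `gpg_sign` confirms only that a key in the builder's own keyring produced a good signature, not that the intended release key did, because the macro neither selects nor checks a signer. If releases are meant to carry one fixed key, select it when signing, e.g. `$(GPG_SIGN) --local-user <RELEASE_KEY_FINGERPRINT> -ab $(1)` (placeholder value), and name the data file explicitly in the check: `$(GPG_SIGN) --verify $(1).asc $(1)`. A one-line comment above each macro stating its arguments (`$(1)` file to sign, `$(2)` signature description) would also help, since the call sites are spread over several targets.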
@@ -78,7 +87,7 @@ EXTERNAL_DLLS_FIND_EXP = $(patsubst %,-o
include $(PIDGIN_COMMON_RULES)
-.PHONY: all docs install installer installer_offline installer_zip debug_symbols_zip installers clean uninstall create_release_install_dir generate_installer_includes $(PIDGIN_REVISION_H) $(PIDGIN_REVISION_RAW_TXT)
+.PHONY: all docs install installer installer_offline installer_zip debug_symbols_zip installers clean uninstall create_release_install_dir generate_installer_includes $(PIDGIN_REVISION_H) $(PIDGIN_REVISION_RAW_TXT) gtk_runtime_zip
all: $(PIDGIN_CONFIG_H) $(PIDGIN_REVISION_H)
$(MAKE) -C $(PURPLE_TOP) -f $(MINGW_MAKEFILE)
@@ -102,10 +111,10 @@ endif
cp $(WIN32_DEV_TOP)/pidgin-inst-deps-20100315/exchndl.dll $(PIDGIN_INSTALL_DIR)
cp $(GCC_SSP_TOP)/bin/libssp-0.dll $(PIDGIN_INSTALL_DIR)
-pidgin/win32/nsis/gtk-runtime-$(GTK_INSTALL_VERSION).zip:
- pidgin/win32/nsis/generate_gtk_zip.sh `pwd`
+gtk_runtime_zip:
+ pidgin/win32/nsis/generate_gtk_zip.sh "`pwd`" "$(GPG_SIGN)"
-generate_installer_includes: create_release_install_dir pidgin/win32/nsis/gtk-runtime-$(GTK_INSTALL_VERSION).zip debug_symbols_zip $(PIDGIN_TREE_TOP)/pidgin/win32/nsis/nsis_translations.desktop
+generate_installer_includes: create_release_install_dir gtk_runtime_zip debug_symbols_zip $(PIDGIN_TREE_TOP)/pidgin/win32/nsis/nsis_translations.desktop
rm -f pidgin/win32/nsis/pidgin-translations.nsh pidgin/win32/nsis/pidgin-spellcheck.nsh pidgin/win32/nsis/pidgin-spellcheck-preselect.nsh
find $(STRIPPED_RELEASE_DIR)/locale -maxdepth 1 -mindepth 1 \
-exec basename {} ';' \
@@ -139,12 +148,7 @@ create_release_install_dir: install
find $(STRIPPED_RELEASE_DIR) \( -name '*.dll' -o -name '*.exe' \) \
-not \( -false $(EXTERNAL_DLLS_FIND_EXP) \) \
-exec $(STRIP) --strip-unneeded {} ';'
- $(MONO_SIGNCODE) \
- -spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
- -a sha1 -$$ commercial \
- -n "Pidgin $(PIDGIN_VERSION)" -i "https://pidgin.im" \
- -t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
- $(STRIPPED_RELEASE_DIR)/pidgin.exe
+ $(call authenticode_sign, $(STRIPPED_RELEASE_DIR)/pidgin.exe, "Pidgin $(PIDGIN_VERSION)")
installer: generate_installer_includes
$(eval $@_DEBUG_SYMBOLS_SHA1SUM := $(shell sha1sum $(DEBUG_SYMBOLS_DIR).zip | sed -e "s/\ .*$$//"))
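Review bot: The description passed to `authenticode_sign` here is already quoted and has a leading space, while the macro wraps `$(2)` in quotes again (`-n "$(2)"`), so the recipe line expands to `-n " "Pidgin <version>""`. GNU make keeps whitespace and quote characters in `$(call ...)` arguments, so the shell most likely sees ` Pidgin` as the name and the version as a separate stray argument to signcode. Passing the argument bare avoids this: `$(call authenticode_sign,$(STRIPPED_RELEASE_DIR)/pidgin.exe,Pidgin $(PIDGIN_VERSION))`. The two `"Pidgin Installer"` calls in the `installer` and `installer_offline` recipes of the next hunk have the same problem. The create_release_install_dir recipe starts outside this hunk.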
@@ -153,30 +157,23 @@ installer: generate_installer_includes
-DPIDGIN_INSTALL_DIR="$(STRIPPED_RELEASE_DIR)" -DGTK_INSTALL_VERSION="$(GTK_INSTALL_VERSION)" \
-DDEBUG_SYMBOLS_SHA1SUM="$($@_DEBUG_SYMBOLS_SHA1SUM)" -DGTK_SHA1SUM="$($@_GTK_SHA1SUM)"\
pidgin/win32/nsis/pidgin-installer.nsi
- $(MONO_SIGNCODE) \
- -spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
- -a sha1 -$$ commercial \
- -n "Pidgin Installer" -i "https://pidgin.im" \
- -t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
- pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION).exe
+ $(call authenticode_sign, pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION).exe, "Pidgin Installer")
mv pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION).exe ./
+ $(call gpg_sign, pidgin-$(PIDGIN_VERSION).exe)
installer_offline: generate_installer_includes
$(MAKENSIS) -V3 -DPIDGIN_VERSION="$(PIDGIN_VERSION)" -DPIDGIN_PRODUCT_VERSION="$(PIDGIN_PRODUCT_VERSION)" \
-DPIDGIN_INSTALL_DIR="$(STRIPPED_RELEASE_DIR)" -DGTK_INSTALL_VERSION="$(GTK_INSTALL_VERSION)" \
-DOFFLINE_INSTALLER \
pidgin/win32/nsis/pidgin-installer.nsi
- $(MONO_SIGNCODE) \
- -spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
- -a sha1 -$$ commercial \
- -n "Pidgin Installer" -i "https://pidgin.im" \
- -t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
- pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION)-offline.exe
+ $(call authenticode_sign, pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION)-offline.exe, "Pidgin Installer")
mv pidgin/win32/nsis/pidgin-$(PIDGIN_VERSION)-offline.exe ./
+ $(call gpg_sign, pidgin-$(PIDGIN_VERSION)-offline.exe)
installer_zip: create_release_install_dir
rm -f pidgin-$(PIDGIN_VERSION)-win32-bin.zip
zip -9 -r pidgin-$(PIDGIN_VERSION)-win32-bin.zip $(STRIPPED_RELEASE_DIR)
+ $(call gpg_sign, pidgin-$(PIDGIN_VERSION)-win32-bin.zip)
debug_symbols_zip: install
rm -rf $(DEBUG_SYMBOLS_DIR) $(DEBUG_SYMBOLS_DIR).zip
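Review bot: None of the recipes that call `gpg_sign` removes an existing `.asc` first; `installer_zip` deletes only the old zip, and `installer`/`installer_offline` delete nothing. On a rebuild in the same tree gpg finds the earlier detached signature and asks whether to overwrite it, which stalls an unattended build or fails it in batch mode. Either remove the signature with the artifact, e.g. `rm -f pidgin-$(PIDGIN_VERSION)-win32-bin.zip pidgin-$(PIDGIN_VERSION)-win32-bin.zip.asc`, or have the macro pass `--batch --yes`. The same holds for `debug_symbols_zip` (its recipe continues into the following hunk) and for the last hunk of generate_gtk_zip.sh, where `rm -f $ZIP_FILE` leaves `$ZIP_FILE.asc` behind.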
@@ -185,6 +182,7 @@ debug_symbols_zip: install
-not \( -false $(EXTERNAL_DLLS_FIND_EXP) \) -print` \
| tar --strip 2 --xform s/$$/.dbgsym/ -xC $(DEBUG_SYMBOLS_DIR) -f -
zip -9 -r $(DEBUG_SYMBOLS_DIR).zip $(DEBUG_SYMBOLS_DIR)
+ $(call gpg_sign, $(DEBUG_SYMBOLS_DIR).zip)
installers: installer installer_offline debug_symbols_zip installer_zip
diff --git a/libpurple/win32/global.mak b/libpurple/win32/global.mak
--- a/libpurple/win32/global.mak
+++ b/libpurple/win32/global.mak
@@ -110,6 +110,7 @@ WINDRES ?= windres
STRIP ?= strip
INTLTOOL_MERGE ?= $(WIN32_DEV_TOP)/intltool_0.40.4-1_win32/bin/intltool-merge
MONO_SIGNCODE ?= signcode
+GPG_SIGN ?= gpg
PIDGIN_COMMON_RULES := $(PURPLE_TOP)/win32/rules.mak
PIDGIN_COMMON_TARGETS := $(PURPLE_TOP)/win32/targets.mak
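Review bot: `GPG_SIGN` is introduced without a comment on what it may hold, although it is expanded unquoted in both the makefile macro and generate_gtk_zip.sh, and the script's comment implies it can be overridden to skip signing. A short comment would record that, e.g. `# Command used to GPG-sign release artifacts; may include options. Override for local builds that skip signing.` Because it is assigned with `?=`, a value inherited from the environment also takes effect, which is worth stating for whoever cuts releases.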
diff --git a/pidgin/win32/nsis/generate_gtk_zip.sh b/pidgin/win32/nsis/generate_gtk_zip.sh
--- a/pidgin/win32/nsis/generate_gtk_zip.sh
+++ b/pidgin/win32/nsis/generate_gtk_zip.sh
@@ -2,6 +2,7 @@
# Script to generate zip file for GTK+ runtime to be included in Pidgin installer
PIDGIN_BASE=$1
+GPG_SIGN=$2
if [ ! -e $PIDGIN_BASE/ChangeLog ]; then
echo $(basename $0) must must have the pidgin base dir specified as a parameter.
@@ -89,13 +90,14 @@ function download_and_extract {
wget "$URL.asc" || exit 1
fi
#Use our own keyring to avoid adding stuff to the main keyring
- GPG="gpg -q --keyring $STAGE_DIR/$VALIDATION_VALUE-keyring.gpg"
+ #This doesn't use $GPG_SIGN because we don't this validation to be bypassed when people are skipping signing output
+ GPG_BASE="gpg -q --keyring $STAGE_DIR/$VALIDATION_VALUE-keyring.gpg"
if [[ ! -e $STAGE_DIR/$VALIDATION_VALUE-keyring.gpg \
- || `$GPG --list-keys "$VALIDATION_VALUE" > /dev/null && echo -n "0"` -ne 0 ]]; then
+ || `$GPG_BASE --list-keys "$VALIDATION_VALUE" > /dev/null && echo -n "0"` -ne 0 ]]; then
touch $STAGE_DIR/$VALIDATION_VALUE-keyring.gpg
- $GPG --no-default-keyring --keyserver pgp.mit.edu --recv-key "$VALIDATION_VALUE" || exit 1
+ $GPG_BASE --no-default-keyring --keyserver pgp.mit.edu --recv-key "$VALIDATION_VALUE" || exit 1
fi
- $GPG --verify "$FILE.asc" || (echo "$FILE failed signature verification"; exit 1) || exit 1
+ $GPG_BASE --verify "$FILE.asc" || (echo "$FILE failed signature verification"; exit 1) || exit 1
else
echo "Unrecognized validation type of $VALIDATION_TYPE"
exit 1
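Review bot: `GPG_BASE` adds the per-key keyring with `--keyring` but omits `--no-default-keyring`, which appears only on the `--recv-key` line, so the `--verify` call also consults the builder's default keyring. A download signed by any key that happens to be in that default keyring would pass, which weakens the pinning to `$VALIDATION_VALUE` that the private keyring is meant to provide. Put the option in the base command: `GPG_BASE="gpg -q --no-default-keyring --keyring $STAGE_DIR/$VALIDATION_VALUE-keyring.gpg"`. If `$VALIDATION_VALUE` is a short key ID rather than a full fingerprint (its format is not visible here), the keyserver fetch deserves the same scrutiny. The new comment also drops a word (`we don't want this validation to be bypassed`), and download_and_extract begins outside this hunk.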
@@ -132,6 +134,7 @@ done
#Generate zip file to be included in installer
rm -f $ZIP_FILE
zip -9 -r $ZIP_FILE Gtk
+($GPG_SIGN -ab $ZIP_FILE && $GPG_SIGN --verify $ZIP_FILE.asc) || exit 1
exit 0