diff options
| author | Werner Koch <[email protected]> | 2025-04-02 10:10:08 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2025-04-02 10:10:08 +0000 |
| commit | 9e9b762108c86181d2dd71cb618b38f3e38afee1 (patch) | |
| tree | 3bd668394df000bc87ac5ffc7ad2b46c6842bb04 | |
| parent | scd,w32: Fix posssible lockup due to lost select results. (diff) | |
| download | gnupg-9e9b762108c86181d2dd71cb618b38f3e38afee1.tar.gz gnupg-9e9b762108c86181d2dd71cb618b38f3e38afee1.zip | |
speedo: Require the use of an installed gpg-authcode-sign.sh
* build-aux/speedo.mk: Change to use the external sign script.
| -rw-r--r-- | build-aux/speedo.mk | 83 |
1 files changed, 7 insertions, 76 deletions
diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk index 7d056063d..4c7e9a6f4 100644 --- a/build-aux/speedo.mk +++ b/build-aux/speedo.mk @@ -43,47 +43,7 @@ # # The information reyured to sign the tarballs and binaries # are expected in the developer specific file ~/.gnupg-autogen.rc". -# Here is an example: -#--8<---------------cut here---------------start------------->8--- -# # Location of the released tarball archives. Note that this is an -# # internal archive and before uploading this to the public server, -# # manual tests should be run and the git release tagged and pushed. -# # This is greped by the Makefile. -# RELEASE_ARCHIVE=foo@somehost:tarball-archive -# -# # The key used to sign the released sources. -# # This is greped by the Makefile. -# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA -# -# # For signing Windows binaries we need to employ a Windows machine. -# # We connect to this machine via ssh and take the connection -# # parameters via .ssh/config. For example a VM could be specified -# # like this: -# # -# # Host authenticode-signhost -# # HostName localhost -# # Port 27042 -# # User gpgsign -# # -# # Depending on the used token it might be necessary to allow single -# # signon and unlock the token before running the make. The following -# # variable references this entry. This is greped by the Makefile. -# AUTHENTICODE_SIGNHOST=authenticode-signhost -# -# # The name of the signtool as used on Windows. -# # This is greped by the Makefile. -# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" -# -# # To use osslsigncode the follwing entries are required and -# # an empty string must be given for AUTHENTICODE_SIGNHOST. -# # They are greped by the Makefile. -# AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12 -# AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem -# -# If a tarball has not been published while building a release it -# may be stored in a directory specified by: -# OVERRIDE_TARBALLS=/home/foo/override-tarballs -#--8<---------------cut here---------------end--------------->8--- +# Use "gpg-authcode-sign.sh --template" to create a template. # We need to know our own name. @@ -245,13 +205,6 @@ WIXPREFIX=$(shell readlink -f ~/w32root/wixtools) define READ_AUTOGEN_template $(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2) endef -$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST)) -$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL)) -$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY)) -$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS)) -$(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE)) -$(eval $(call READ_AUTOGEN_template,OSSLPKCS11ENGINE)) -$(eval $(call READ_AUTOGEN_template,SCUTEMODULE)) $(eval $(call READ_AUTOGEN_template,OVERRIDE_TARBALLS)) # All files given in AUTHENTICODE_FILES are signed before @@ -1450,35 +1403,13 @@ endef # Sign the file $1 and save the result as $2 define AUTHENTICODE_sign - set -e;\ - if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \ - echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\ - scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\ - ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \ - /a /n '"g10 Code GmbH"' \ - /tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \ - /fd sha256 /du https://gnupg.org a.exe ;\ - scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\ - echo "speedo: signed file is '$(2)'" ;\ - elif [ "$(AUTHENTICODE_KEY)" = card ]; then \ - echo "speedo: Signing using a card";\ - $(OSSLSIGNCODE) sign \ - -pkcs11engine $(OSSLPKCS11ENGINE) \ - -pkcs11module $(SCUTEMODULE) \ - -certs $(AUTHENTICODE_CERTS) \ - -h sha256 -n GnuPG -i https://gnupg.org \ - -ts http://rfc3161timestamp.globalsign.com/advanced \ - -in $(1) -out $(2).tmp ; mv $(2).tmp $(2) ; \ - elif [ -e "$(AUTHENTICODE_KEY)" ]; then \ - echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\ - osslsigncode sign -certs $(AUTHENTICODE_CERTS) \ - -pkcs12 $(AUTHENTICODE_KEY) -askpass \ - -ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \ - -h sha256 -n GnuPG -i https://gnupg.org \ - -in $(1) -out $(2) ;\ + (set -e; \ + if (gpg-authcode-sign.sh --version >/dev/null); then \ + gpg-authcode-sign.sh "$(1)" "$(2)"; \ else \ - echo "speedo: WARNING: Binaries are not signed"; \ - fi + echo 2>&1 "warning: Please install gpg-authcode-sign.sh to sign files." ;\ + [ "$(1)" != "$(2)" ] && cp "$(1)" "$(2)" ;\ + fi) endef # Help target for testing to sign a file. |