From 3656b828dc2204418974e94928cc8d915b10ed95 Mon Sep 17 00:00:00 2001 From: Ava Chow Date: Mon, 2 Dec 2024 17:17:19 -0500 Subject: [PATCH] contrib: Sign all Windows binaries too --- contrib/windeploy/detached-sig-create.sh | 26 ++++++++++++++++-------- doc/release-process.md | 2 +- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/contrib/windeploy/detached-sig-create.sh b/contrib/windeploy/detached-sig-create.sh index 82fcf2d4068..4ec726534c7 100755 --- a/contrib/windeploy/detached-sig-create.sh +++ b/contrib/windeploy/detached-sig-create.sh @@ -8,9 +8,9 @@ if [ -z "$OSSLSIGNCODE" ]; then OSSLSIGNCODE=osslsigncode fi -if [ -z "$1" ]; then - echo "usage: $0 " - echo "example: $0 -key codesign.key" +if [ "$#" -ne 1 ]; then + echo "usage: $0 " + echo "example: $0 codesign.key" exit 1 fi @@ -22,12 +22,22 @@ OUTSUBDIR="${OUTDIR}/win" TIMESERVER=http://timestamp.comodoca.com CERTFILE="win-codesign.cert" +stty -echo +printf "Enter the passphrase for %s: " "$1" +read cs_key_pass +printf "\n" +stty echo + + mkdir -p "${OUTSUBDIR}" -# shellcheck disable=SC2046 -basename -a $(ls -1 "${SRCDIR}"/*-unsigned.exe) | while read UNSIGNED; do - echo Signing "${UNSIGNED}" - "${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -h sha256 -in "${SRCDIR}/${UNSIGNED}" -out "${WORKDIR}/${UNSIGNED}" "$@" - "${OSSLSIGNCODE}" extract-signature -pem -in "${WORKDIR}/${UNSIGNED}" -out "${OUTSUBDIR}/${UNSIGNED}.pem" && rm "${WORKDIR}/${UNSIGNED}" +find ${SRCDIR} -wholename "*.exe" -type f -exec realpath --relative-to=. {} \; | while read -r bin +do + echo Signing "${bin}" + bin_base="$(realpath --relative-to=${SRCDIR} "${bin}")" + mkdir -p "$(dirname ${WORKDIR}/"${bin_base}")" + "${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -h sha256 -in "${bin}" -out "${WORKDIR}/${bin_base}" -key "$1" -pass "${cs_key_pass}" + mkdir -p "$(dirname ${OUTSUBDIR}/"${bin_base}")" + "${OSSLSIGNCODE}" extract-signature -pem -in "${WORKDIR}/${bin_base}" -out "${OUTSUBDIR}/${bin_base}.pem" && rm "${WORKDIR}/${bin_base}" done rm -f "${OUT}" diff --git a/doc/release-process.md b/doc/release-process.md index faa3389722a..872da43bd32 100644 --- a/doc/release-process.md +++ b/doc/release-process.md @@ -174,7 +174,7 @@ In the `guix-build-${VERSION}/output/x86_64-apple-darwin` and `guix-build-${VERS In the `guix-build-${VERSION}/output/x86_64-w64-mingw32` directory: tar xf bitcoin-${VERSION}-win64-codesigning.tar.gz - ./detached-sig-create.sh -key /path/to/codesign.key + ./detached-sig-create.sh /path/to/codesign.key Enter the passphrase for the key when prompted signature-win.tar.gz will be created