authorDavid Lönnhager <david.l@mullvad.net>2020-01-22 14:11:44 +0100
committerDavid Lönnhager <david.l@mullvad.net>2020-01-22 14:11:44 +0100
commit456344dca2ec560b29ddcf0a18eab23d86d8d1a5 (patch)
tree35619e44cd3fd216f8e03a7b47f76538d0f7bef6
parent48f748452a8a78e789d284f6e7830681c3c6e1b3 (diff)
parent7aa2d778c78802bfa6c3b91ade6bdf832b6f9893 (diff)
Merge branch 'sign-executables'
-rw-r--r--README.md41
-rwxr-xr-xbuild.sh58
-rwxr-xr-xci/buildserver-build.sh26
3 files changed, 80 insertions, 45 deletions
diff --git a/README.md b/README.md
index 7746253fe5..f3600e39b5 100644
--- a/README.md
+++ b/README.md
@@ -368,27 +368,30 @@ the version of the app you are going to release. For example `2018.3-beta1` or `
Please verify that the script did the right thing before you push the commit and tag it created.
-1. When building for macOS, the following environment variables must be set:
- * `CSC_LINK` - The path to the `.p12` certificate file with the Apple application signing keys.
- This file must contain both the "Developer ID Application" and the "Developer ID Installer"
- certificates + private keys. If this environment variable is missing `build.sh` will skip
- signing.
+1. When building for Windows or macOS, the following environment variables must be set:
+ * `CSC_LINK` - The path to the certificate used for code signing.
+ * Windows: A `.pfx` certificate.
+ * macOS: A `.p12` certificate file with the Apple application signing keys.
+ This file must contain both the "Developer ID Application" and the "Developer ID Installer"
+ certificates + private keys.
* `CSC_KEY_PASSWORD` - The password to the file given in `CSC_LINK`. If this is not set then
- `build.sh` will prompt you for it. If you set it yourself, make sure to define it in such a
- way that it's not stored in your bash history:
- ```bash
- export HISTCONTROL=ignorespace
- export CSC_KEY_PASSWORD='my secret'
- ```
- * `NOTARIZE_APPLE_ID` - The AppleId to use when notarizing the app. Only needed on release builds
- * `NOTARIZE_APPLE_ID_PASSWORD` - The AppleId password for the account in `NOTARIZE_APPLE_ID`.
- Don't use the real AppleId password! Instead create an app specific password and add that to
- your keyring. See this documentation: https://github.com/electron/electron-notarize#safety-when-using-appleidpassword
+ `build.sh` will prompt you for it. If you set it yourself, make sure to define it in such a
+ way that it's not stored in your bash history:
+ ```bash
+ export HISTCONTROL=ignorespace
+ export CSC_KEY_PASSWORD='my secret'
+ ```
- Summary:
- 1. Generate app specific password on Apple's AppleId management portal.
- 2. Run `security add-generic-password -a "<apple_id>" -w <app_specific_password> -s "something_something"`
- 3. Set `NOTARIZE_APPLE_ID_PASSWORD="@keychain:something_something"`.
+ * *macOS only*:
+ * `NOTARIZE_APPLE_ID` - The AppleId to use when notarizing the app. Only needed on release builds
+ * `NOTARIZE_APPLE_ID_PASSWORD` - The AppleId password for the account in `NOTARIZE_APPLE_ID`.
+ Don't use the real AppleId password! Instead create an app specific password and add that to
+ your keyring. See this documentation: https://github.com/electron/electron-notarize#safety-when-using-appleidpassword
+
+ Summary:
+ 1. Generate app specific password on Apple's AppleId management portal.
+ 2. Run `security add-generic-password -a "<apple_id>" -w <app_specific_password> -s "something_something"`
+ 3. Set `NOTARIZE_APPLE_ID_PASSWORD="@keychain:something_something"`.
1. Run `./build.sh` on each computer/platform where you want to create a release artifact. This will
do the following for you:
diff --git a/build.sh b/build.sh
index 43f2a157ba..853cb96895 100755
--- a/build.sh
+++ b/build.sh
@@ -29,7 +29,7 @@ if [[ "${1:-""}" != "--dev-build" ]]; then
exit 1
fi
- if [[ ("$(uname -s)" == "Darwin") ]]; then
+ if [[ ("$(uname -s)" == "Darwin") || "$(uname -s)" == "MINGW"* ]]; then
echo "Configuring environment for signing of binaries"
if [[ -z ${CSC_LINK-} ]]; then
echo "The variable CSC_LINK is not set. It needs to point to a file containing the"
@@ -43,6 +43,13 @@ if [[ "${1:-""}" != "--dev-build" ]]; then
fi
# MacOs: This needs to be set to 'true' to activate signing, even when CSC_LINK is set.
export CSC_IDENTITY_AUTO_DISCOVERY=true
+
+ if [[ "$(uname -s)" == "MINGW"* ]]; then
+ CERT_FILE=$CSC_LINK
+ CERT_PASSPHRASE=$CSC_KEY_PASSWORD
+ unset CSC_LINK CSC_KEY_PASSWORD
+ export CSC_IDENTITY_AUTO_DISCOVERY=false
+ fi
else
unset CSC_LINK CSC_KEY_PASSWORD
export CSC_IDENTITY_AUTO_DISCOVERY=false
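Review bot: The Windows branch copies `CSC_LINK` into `CERT_FILE` without checking that the file exists; the only validation visible here is the `-z ${CSC_LINK-}` test above, and the lines between the two hunks are not shown, so if no `-f` check lives there a mistyped path only surfaces later as four failed signtool runs per binary. Add `[[ -f "$CERT_FILE" ]] || { echo "CSC_LINK does not point to a readable certificate file" >&2; exit 1; }` right after the assignment. The comment just above says the auto-discovery flag has to be `true`, and the new branch immediately sets it to `false`; a one-line comment such as `# Windows: credentials are moved out of CSC_* so the packager does not sign; sign_win below calls signtool directly` would explain the intent, which is otherwise only inferable.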
@@ -69,6 +76,34 @@ else
CARGO_ARGS="--locked"
fi
+sign_win() {
+ NUM_RETRIES=3
+
+ for binary in "$@"; do
+ # Try multiple times in case the timestamp server cannot
+ # be contacted.
+ for i in $(seq 0 ${NUM_RETRIES}); do
+ signtool sign \
+ -tr http://timestamp.digicert.com -td sha256 \
+ -fd sha256 -d "Mullvad VPN" \
+ -du "https://github.com/mullvad/mullvadvpn-app#readme" \
+ -f "$CERT_FILE" \
+ -p "$CERT_PASSPHRASE" "$binary"
+
+ if [ "$?" -eq "0" ]; then
+ break
+ fi
+
+ if [ "$i" -eq "${NUM_RETRIES}" ]; then
+ return 1
+ fi
+
+ sleep 1
+ done
+ done
+ return 0
+}
+
echo "Building Mullvad VPN $PRODUCT_VERSION"
function restore_metadata_backups() {
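Review bot: If build.sh runs with errexit, which the `set +e` before the relay-list step later in this file suggests, the bare `signtool` invocation inside sign_win aborts the whole script on its first non-zero exit, before the `$?` test on the next line ever runs, so the retry loop never retries. Running the command directly as the `if` condition keeps the failure in a context where errexit does not apply; `i` and `NUM_RETRIES` should also be `local`, and `seq 0 3` gives four attempts rather than the three the constant's name implies. Separately, `-p "$CERT_PASSPHRASE"` puts the certificate password into signtool's argument list, readable by other local users on a shared build host; if that matters, importing the certificate into the signing user's store and selecting it with signtool's `-n`/`-sha1` avoids passing it on the command line. The loop also retries non-transient errors such as a wrong password or missing file, which is harmless but slow.
```shell
sign_win() {
  local binary i
  local -r NUM_RETRIES=3

  for binary in "$@"; do
    # Try multiple times in case the timestamp server cannot be contacted.
    for i in $(seq 0 "${NUM_RETRIES}"); do
      if signtool sign \
        -tr http://timestamp.digicert.com -td sha256 \
        -fd sha256 -d "Mullvad VPN" \
        -du "https://github.com/mullvad/mullvadvpn-app#readme" \
        -f "$CERT_FILE" \
        -p "$CERT_PASSPHRASE" "$binary"; then
        break
      fi
      # … unchanged: give up with return 1 after the last retry, else sleep 1 …
    done
  done
  return 0
}
```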
@@ -125,6 +160,11 @@ fi
for binary in ${binaries[*]}; do
SRC="$CARGO_TARGET_DIR/release/$binary"
DST="$SCRIPT_DIR/dist-assets/$binary"
+
+ if [[ "$BUILD_MODE" == "release" && "$(uname -s)" == "MINGW"* ]]; then
+ sign_win "$SRC"
+ fi
+
if [[ "$(uname -s)" == "MINGW"* || "$binary" == *.dylib ]]; then
echo "Copying $SRC => $DST"
cp "$SRC" "$DST"
@@ -134,6 +174,16 @@ for binary in ${binaries[*]}; do
fi
done
+if [[ "$BUILD_MODE" == "release" && "$(uname -s)" == "MINGW"* ]]; then
+ signdlls=(
+ windows/winfw/bin/x64-Release/winfw.dll
+ windows/windns/bin/x64-Release/windns.dll
+ windows/winnet/bin/x64-Release/winnet.dll
+ windows/winutil/bin/x64-Release/winutil.dll
+ )
+ sign_win "${signdlls[@]}"
+fi
+
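Review bot: The four `windows/*/bin/x64-Release/*.dll` paths are hard-coded and not checked for existence, and the result of `sign_win "${signdlls[@]}"` is dropped, so a missing or unsignable DLL costs four signtool failures and then the build continues unsigned. Suggest `sign_win "${signdlls[@]}" || exit 1`, and optionally `for dll in "${signdlls[@]}"; do [[ -f "$dll" ]] || { echo "missing $dll" >&2; exit 1; }; done` before the call so the error names the file. Whether these paths are always produced by a release build is not visible from this diff.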
echo "Updating relay list..."
set +e
@@ -190,6 +240,12 @@ for semver_path in dist/*$SEMVER_VERSION*; do
product_path=$(echo $semver_path | sed -Ee "s/$SEMVER_VERSION/$PRODUCT_VERSION/g")
echo "Moving $semver_path -> $product_path"
mv $semver_path $product_path
+
+ if [[ "$BUILD_MODE" == "release" && "$(uname -s)" == "MINGW"* && "$product_path" == *.exe ]]
+ then
+ # sign installer
+ sign_win "$product_path"
+ fi
done
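Review bot: The exit status of `sign_win "$product_path"` on the installer is ignored, so if every attempt fails the unsigned installer keeps its final release name in dist/, and the build server's upload helper in this same diff (which globs `MullvadVPN-*.exe`) would ship it as long as build.sh exits 0. Before this commit the server's own `sign_win || return 0` prevented that; now build.sh's exit code is the only guard. Use `sign_win "$product_path" || exit 1` so a signing failure is fatal whether or not errexit is enabled.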
echo "**********************************"
diff --git a/ci/buildserver-build.sh b/ci/buildserver-build.sh
index 726a3f387e..b6b2ad18a0 100755
--- a/ci/buildserver-build.sh
+++ b/ci/buildserver-build.sh
@@ -10,9 +10,6 @@
# ## Windows
#
# * Add signtool.exe to your PATH: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
-# * Put the comodo.pfx certificate in the same folder as this script
-# * Create sign.bat in the same folder as this script, with the content:
-# signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /d "Mullvad VPN" /du https://github.com/mullvad/mullvadvpn-app#readme /f comodo.pfx /p <PASSWORD TO comodo.pfx> "%1"
set -eu
shopt -s nullglob
@@ -26,20 +23,13 @@ UPLOAD_DIR="/home/upload/upload"
BRANCHES_TO_BUILD=("origin/master")
case "$(uname -s)" in
- Darwin*)
+ Darwin*|MINGW*|MSYS_NT*)
if [[ -z ${CSC_KEY_PASSWORD-} ]]; then
read -sp "CSC_KEY_PASSWORD = " CSC_KEY_PASSWORD
echo ""
export CSC_KEY_PASSWORD
fi
;;
- MINGW*|MSYS_NT*)
- if [[ -z ${CERT_PASSPHRASE-} ]]; then
- read -sp "CERT_PASSPHRASE = " CERT_PASSPHRASE
- echo ""
- export CERT_PASSPHRASE
- fi
- ;;
esac
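Review bot: The merged case prompts for `CSC_KEY_PASSWORD` on Windows but never checks that `CSC_LINK` is set; build.sh refuses to run without it, and `build_ref` invokes it as `./build.sh || return 0`, so a missing certificate path would show up only as silently skipped builds. Add an assertion next to the prompt, e.g. `: "${CSC_LINK:?CSC_LINK must point to the code-signing certificate}"`, so the server fails at startup instead. The signtool-via-bat workaround described in the removed comments is gone, so the header's "Add signtool.exe to your PATH" line is now the only remaining Windows prerequisite and should probably also mention that `CSC_LINK` must be exported before starting the server.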
# Uploads whatever matches the first argument to the Linux build server
@@ -52,19 +42,6 @@ bye
EOF
}
-# Sign the Windows app. We try multiple times because it can randomly fail to
-# contact the timestamp server.
-# signtool must be called via a bat file, I cant make it work any other way :(
-sign_win() {
- echo "Signing Windows Mullvad VPN installer"
- echo 'signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /d "Mullvad VPN" /du https://github.com/mullvad/mullvadvpn-app#readme /f "%1" /p "%2" "%3"' > "$SCRIPT_DIR/sign.bat"
- for _ in {0..3}; do
- sleep 1
- $SCRIPT_DIR/sign.bat $SCRIPT_DIR/comodo.pfx "$CERT_PASSPHRASE" dist/MullvadVPN-*.exe && return 0
- done
- return 1
-}
-
upload() {
for f in MullvadVPN-*.{deb,rpm,exe,pkg,apk}; do
sha256sum "$f" > "$f.sha256"
@@ -130,7 +107,6 @@ build_ref() {
./build.sh || return 0
case "$(uname -s)" in
MINGW*|MSYS_NT*)
- sign_win || return 0
echo "Packaging all PDB files..."
find ./windows/ \
./target/release/mullvad-daemon.pdb \