authorDavid Lönnhager <david.l@mullvad.net>2020-01-16 17:38:31 +0100
committerDavid Lönnhager <david.l@mullvad.net>2020-01-22 13:43:49 +0100
commit784fba2393a9db79ea21bed86e67317fe076e360 (patch)
tree54f3f8bee55d47ac6334f3d8b4285b50dc58150d
parent48f748452a8a78e789d284f6e7830681c3c6e1b3 (diff)
downloadmullvadvpn-784fba2393a9db79ea21bed86e67317fe076e360.tar.xz
mullvadvpn-784fba2393a9db79ea21bed86e67317fe076e360.zip
Sign select binaries for release builds
-rwxr-xr-xbuild.sh58
-rwxr-xr-xci/buildserver-build.sh26
2 files changed, 58 insertions, 26 deletions
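--- a/build.sh
+++ b/build.sh
@@ -29,7 +29,7 @@ if [[ "${1:-""}" != "--dev-build" ]]; then
 exit 1
 fi
- if [[ ("$(uname -s)" == "Darwin") ]]; then
+ if [[ ("$(uname -s)" == "Darwin") || "$(uname -s)" == "MINGW"* ]]; then
 echo "Configuring environment for signing of binaries"
 if [[ -z ${CSC_LINK-} ]]; then
 echo "The variable CSC_LINK is not set. It needs to point to a file containing the"
@@ -43,6 +43,13 @@ if [[ "${1:-""}" != "--dev-build" ]]; then
 fi
 # MacOs: This needs to be set to 'true' to activate signing, even when CSC_LINK is set.
 export CSC_IDENTITY_AUTO_DISCOVERY=true
+
+ if [[ "$(uname -s)" == "MINGW"* ]]; then
+ CERT_FILE=$CSC_LINK
+ CERT_PASSPHRASE=$CSC_KEY_PASSWORD
+ unset CSC_LINK CSC_KEY_PASSWORD
+ export CSC_IDENTITY_AUTO_DISCOVERY=false
+ fi
 else
 unset CSC_LINK CSC_KEY_PASSWORD
 export CSC_IDENTITY_AUTO_DISCOVERY=false
@@ -69,6 +76,34 @@ else
 CARGO_ARGS="--locked"
 fi
+sign_win() {
+ NUM_RETRIES=3
+
+ for binary in "$@"; do
+ # Try multiple times in case the timestamp server cannot
+ # be contacted.
+ for i in $(seq 0 ${NUM_RETRIES}); do
+ signtool sign \
+ -tr http://timestamp.digicert.com -td sha256 \
+ -fd sha256 -d "Mullvad VPN" \
+ -du "https://github.com/mullvad/mullvadvpn-app#readme" \
+ -f "$CERT_FILE" \
+ -p "$CERT_PASSPHRASE" "$binary"
+
+ if [ "$?" -eq "0" ]; then
+ break
+ fi
+
+ if [ "$i" -eq "${NUM_RETRIES}" ]; then
+ return 1
+ fi
+
+ sleep 1
+ done
+ done
+ return 0
+}
+
 echo "Building Mullvad VPN $PRODUCT_VERSION"
 function restore_metadata_backups() {
@@ -125,6 +160,11 @@ fi
 for binary in ${binaries[*]}; do
 SRC="$CARGO_TARGET_DIR/release/$binary"
 DST="$SCRIPT_DIR/dist-assets/$binary"
+
+ if [[ "$BUILD_MODE" == "release" && "$(uname -s)" == "MINGW"* ]]; then
+ sign_win "$SRC"
+ fi
+
 if [[ "$(uname -s)" == "MINGW"* || "$binary" == *.dylib ]]; then
 echo "Copying $SRC => $DST"
 cp "$SRC" "$DST"
@@ -134,6 +174,16 @@ for binary in ${binaries[*]}; do
 fi
 done
+if [[ "$BUILD_MODE" == "release" && "$(uname -s)" == "MINGW"* ]]; then
+ signdlls=(
+ windows/winfw/bin/x64-Release/winfw.dll
+ windows/windns/bin/x64-Release/windns.dll
+ windows/winnet/bin/x64-Release/winnet.dll
+ windows/winutil/bin/x64-Release/winutil.dll
+ )
+ sign_win "${signdlls[@]}"
+fi
+
 echo "Updating relay list..."
 set +e
@@ -190,6 +240,12 @@ for semver_path in dist/*$SEMVER_VERSION*; do
 product_path=$(echo $semver_path | sed -Ee "s/$SEMVER_VERSION/$PRODUCT_VERSION/g")
 echo "Moving $semver_path -> $product_path"
 mv $semver_path $product_path
+
+ if [[ "$BUILD_MODE" == "release" && "$(uname -s)" == "MINGW"* && "$product_path" == *.exe ]]
+ then
+ # sign installer
+ sign_win "$product_path"
+ fi
 done
 echo "**********************************"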
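Review bot: The retry loop in sign_win (hunk @@ -69,6 +76,34 @@) never retries when build.sh runs with errexit: a failing `signtool sign` invocation is a plain statement in the loop body, so under `set -e` the script aborts before the `if [ "$?" -eq "0" ]` test on the following line is reached, and only one attempt is ever made per binary. The `set +e` later in the same file suggests errexit is on, though the `set -e` line itself is not in this diff. Put the command in the test position so its status is consumed by the condition, `if signtool sign … -f "$CERT_FILE" -p "$CERT_PASSPHRASE" "$binary"; then break; fi`, and drop the separate `$?` check. While here, `NUM_RETRIES`, `i` and `binary` should be `local`, and because `-p` places the passphrase on the command line, this call must never run while `set -x` tracing is enabled, or the passphrase lands in the build log.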
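--- a/ci/buildserver-build.sh
+++ b/ci/buildserver-build.sh
@@ -10,9 +10,6 @@
 # ## Windows
 #
 # * Add signtool.exe to your PATH: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
-# * Put the comodo.pfx certificate in the same folder as this script
-# * Create sign.bat in the same folder as this script, with the content:
-# signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /d "Mullvad VPN" /du https://github.com/mullvad/mullvadvpn-app#readme /f comodo.pfx /p <PASSWORD TO comodo.pfx> "%1"
 set -eu
 shopt -s nullglob
@@ -26,20 +23,13 @@ UPLOAD_DIR="/home/upload/upload"
 BRANCHES_TO_BUILD=("origin/master")
 case "$(uname -s)" in
- Darwin*)
+ Darwin*|MINGW*|MSYS_NT*)
 if [[ -z ${CSC_KEY_PASSWORD-} ]]; then
 read -sp "CSC_KEY_PASSWORD = " CSC_KEY_PASSWORD
 echo ""
 export CSC_KEY_PASSWORD
 fi
 ;;
- MINGW*|MSYS_NT*)
- if [[ -z ${CERT_PASSPHRASE-} ]]; then
- read -sp "CERT_PASSPHRASE = " CERT_PASSPHRASE
- echo ""
- export CERT_PASSPHRASE
- fi
- ;;
 esac
 # Uploads whatever matches the first argument to the Linux build server
@@ -52,19 +42,6 @@ bye
 EOF
 }
-# Sign the Windows app. We try multiple times because it can randomly fail to
-# contact the timestamp server.
-# signtool must be called via a bat file, I cant make it work any other way :(
-sign_win() {
- echo "Signing Windows Mullvad VPN installer"
- echo 'signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /d "Mullvad VPN" /du https://github.com/mullvad/mullvadvpn-app#readme /f "%1" /p "%2" "%3"' > "$SCRIPT_DIR/sign.bat"
- for _ in {0..3}; do
- sleep 1
- $SCRIPT_DIR/sign.bat $SCRIPT_DIR/comodo.pfx "$CERT_PASSPHRASE" dist/MullvadVPN-*.exe && return 0
- done
- return 1
-}
-
 upload() {
 for f in MullvadVPN-*.{deb,rpm,exe,pkg,apk}; do
 sha256sum "$f" > "$f.sha256"
@@ -130,7 +107,6 @@ build_ref() {
 ./build.sh || return 0
 case "$(uname -s)" in
 MINGW*|MSYS_NT*)
- sign_win || return 0
 echo "Packaging all PDB files..."
 find ./windows/ \
 ./target/release/mullvad-daemon.pdb \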
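Review bot: The Windows setup notes at the top of the file (hunk @@ -10,9 +10,6 @@) drop the certificate-placement and sign.bat steps without stating what replaces them, while the merged Darwin/MINGW case below now only prompts for CSC_KEY_PASSWORD. The build.sh side of this commit checks that CSC_LINK is set on MINGW and copies it into CERT_FILE, so a Windows operator following these notes is never told to set it and the build will stop at that check. Add a bullet after the signtool line, e.g. `# * Set CSC_LINK to the path of the code-signing certificate (.pfx); its passphrase is read into CSC_KEY_PASSWORD at startup`.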