diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0833a99a..f9246332 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -165,6 +165,11 @@ if(SIGN_WINDOWS_BINARIES)
 set(TIMESTAMP_SERVER http://timestamp.sectigo.com/)
 endif(NOT DEFINED TIMESTAMP_SERVER)
 
+ # Default hash algorithm
+ if(NOT DEFINED SIGN_HASH)
+ set(SIGN_HASH sha384)
+ endif(NOT DEFINED SIGN_HASH)
+
 # Look for osslsigncode
 find_program(
 OSSLSIGNCODE_BIN
@@ -172,15 +177,10 @@ if(SIGN_WINDOWS_BINARIES)
 REQUIRED)
 
 # Generate command to execute for signing binaries.
- execute_process(
- COMMAND cat
- INPUT_FILE ${PKCS11_KEY_FILE}
- OUTPUT_VARIABLE PKCS11_KEY)
-
- execute_process(
- COMMAND cat
- INPUT_FILE ${PKCS11_CERTIFICATE_FILE}
- OUTPUT_VARIABLE PKCS11_CERTIFICATE)
+ file(READ ${PKCS11_KEY_FILE} PKCS11_KEY_TMP)
+ file(READ ${PKCS11_CERTIFICATE_FILE} PKCS11_CERTIFICATE_TMP)
+ string(REPLACE "\n" "" PKCS11_KEY "${PKCS11_KEY_TMP}")
+ string(REPLACE "\n" "" PKCS11_CERTIFICATE "${PKCS11_CERTIFICATE_TMP}")
 endif(SIGN_WINDOWS_BINARIES)
 
 if(USE_STATIC_DEPS)
@@ -647,7 +647,7 @@ if(WIN32)
 if(SIGN_WINDOWS_BINARIES)
 # Add finalize command for NSIS so the installer/uninstaller can be
 # signed too.
- set(CPACK_NSIS_FINALIZE_CMD "mv %1 %1.tmp; ${OSSLSIGNCODE_BIN} sign -pkcs11engine ${PKCS11_ENGINE} -pkcs11module ${PKCS11_MODULE} -pkcs11cert \\\"${PKCS11_CERTIFICATE}\\\" -key \\\"${PKCS11_KEY}\\\" -h sha384 -comm -ts ${TIMESTAMP_SERVER} -in %1.tmp -out %1")
+ set(CPACK_NSIS_FINALIZE_CMD "mv %1 %1.tmp; ${OSSLSIGNCODE_BIN} sign -pkcs11engine ${PKCS11_ENGINE} -pkcs11module ${PKCS11_MODULE} -pkcs11cert \\\"${PKCS11_CERTIFICATE}\\\" -key \\\"${PKCS11_KEY}\\\" -h ${SIGN_HASH} -comm -ts ${TIMESTAMP_SERVER} -in %1.tmp -out %1")
 endif(SIGN_WINDOWS_BINARIES)
 
 include(CPack)
diff --git a/CODE_SIGNING.md b/CODE_SIGNING.md
index 22fae2d4..9387ddc7 100644
--- a/CODE_SIGNING.md
+++ b/CODE_SIGNING.md
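Review bot: `SIGN_HASH` is passed verbatim to the `-h` option of every osslsigncode invocation (the `CPACK_NSIS_FINALIZE_CMD` string later in this file and the `POST_BUILD` command in src/CMakeLists.txt) without validation, and `if(NOT DEFINED SIGN_HASH)` does not cover `-DSIGN_HASH=` (defined but empty), which leaves `-h` followed directly by the next option. Test the value rather than its definedness, and reject anything outside the SHA-2 digest names osslsigncode accepts, so that a typo or an explicit sha1/md5 becomes a configure error instead of a weakly signed release; the legacy `endif(NOT DEFINED SIGN_HASH)` form can also be plain `endif()`. The enclosing `if(SIGN_WINDOWS_BINARIES)` block begins outside the hunk.
```cmake
# Default hash algorithm; an empty -DSIGN_HASH= also gets the default.
if(NOT SIGN_HASH)
  set(SIGN_HASH sha384)
endif()
if(NOT SIGN_HASH MATCHES "^sha(256|384|512)$")
  message(FATAL_ERROR "SIGN_HASH must be sha256, sha384 or sha512 (got '${SIGN_HASH}')")
endif()
# … unchanged: find_program(OSSLSIGNCODE_BIN …) …
```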
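Review bot: `file(READ ${PKCS11_KEY_FILE} …)` and the certificate read leave the path unquoted and never check that the variable is set or that the file exists, so a missing `-DPKCS11_KEY_FILE=` now stops configure with a generic file() error that does not name the option; the old `cat` route appears to have left the variable empty instead, so failing is the right direction, but the message should say what is missing. Replacing only `"\n"` also leaves a `\r` from a CRLF-saved `.url` file inside the URI that is later quoted into the osslsigncode command line; `string(STRIP)` handles both line endings and surrounding whitespace. These values are written as-is into the generated build files and the CPack configuration, which is fine as long as the files hold PKCS#11 URIs as CODE_SIGNING.md describes and never key material. The enclosing `if(SIGN_WINDOWS_BINARIES)` block begins outside the hunk.
```cmake
# … unchanged: find_program(OSSLSIGNCODE_BIN …) …
if(NOT EXISTS "${PKCS11_KEY_FILE}" OR NOT EXISTS "${PKCS11_CERTIFICATE_FILE}")
  message(FATAL_ERROR "SIGN_WINDOWS_BINARIES requires readable PKCS11_KEY_FILE and PKCS11_CERTIFICATE_FILE (got '${PKCS11_KEY_FILE}' and '${PKCS11_CERTIFICATE_FILE}')")
endif()
file(READ "${PKCS11_KEY_FILE}" PKCS11_KEY_TMP)
file(READ "${PKCS11_CERTIFICATE_FILE}" PKCS11_CERTIFICATE_TMP)
# Trim surrounding whitespace, including CR/LF left by editors, not just "\n".
string(STRIP "${PKCS11_KEY_TMP}" PKCS11_KEY)
string(STRIP "${PKCS11_CERTIFICATE_TMP}" PKCS11_CERTIFICATE)
```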
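Review bot: The osslsigncode argument list inside `CPACK_NSIS_FINALIZE_CMD` duplicates the `POST_BUILD` command in src/CMakeLists.txt almost token for token (engine, module, cert, key, `-h ${SIGN_HASH}`, `-ts`, `-comm`), and this commit had to edit both copies to change a single option; the two already differ in quoting and option order, which is how they will drift further. Consider assembling the shared options once in the `if(SIGN_WINDOWS_BINARIES)` block, e.g. `set(OSSLSIGNCODE_SIGN_ARGS -pkcs11engine ${PKCS11_ENGINE} -pkcs11module ${PKCS11_MODULE} -h ${SIGN_HASH} -ts ${TIMESTAMP_SERVER} -comm)`, then expanding it with `list(JOIN OSSLSIGNCODE_SIGN_ARGS " " …)` into this shell string and as `${OSSLSIGNCODE_SIGN_ARGS}` in the custom command, so only the quoted `-pkcs11cert`/`-key` values and `-in`/`-out` remain per site. The enclosing `if(WIN32)` block begins outside the hunk.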
@@ -108,7 +108,7 @@ echo -n "pkcs11:id=%01;type=private" > ~/yubikey-key.url
 echo -n "pkcs11:id=%01" > ~/yubikey-cert.url
 ```
 
-Note that the URLs in the above commands are shortened from what `p11tool` displays; this is possible if the issued certificate is the only one on the YubiKey.
+Note that the URLs in the above commands are shortened from what `p11tool` displays; this is possible if it's able to uniquely identify a certificate using the provided information. If there's only one certificate installed on the YubiKey, it's also possible to just create empty files for the certificate and key URLs (and in fact, may be necessary for the correct certificate to be used).
 
 ## Signing binaries manually
 
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 51e924e1..100639fb 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -178,7 +178,7 @@ if(SIGN_WINDOWS_BINARIES)
 TARGET freedv
 POST_BUILD
 COMMAND mv $ $.tmp
- COMMAND ${OSSLSIGNCODE_BIN} ARGS sign -pkcs11engine ${PKCS11_ENGINE} -pkcs11module ${PKCS11_MODULE} -pkcs11cert "${PKCS11_CERTIFICATE}" -key "${PKCS11_KEY}" -h sha384 -ts ${TIMESTAMP_SERVER} -comm -in $.tmp -out $
+ COMMAND ${OSSLSIGNCODE_BIN} ARGS sign -pkcs11engine ${PKCS11_ENGINE} -pkcs11module ${PKCS11_MODULE} -pkcs11cert "${PKCS11_CERTIFICATE}" -key "${PKCS11_KEY}" -h ${SIGN_HASH} -ts ${TIMESTAMP_SERVER} -comm -in $.tmp -out $
 COMMAND rm $.tmp
 VERBATIM)
 endif(SIGN_WINDOWS_BINARIES)