Allow hash algorithm to be overridden.

ms-code-signing
Mooneer Salem 2023-08-11 23:28:16 -07:00
parent d20e1d3d2c
commit 13d1246670
3 changed files with 12 additions and 12 deletions


@ -165,6 +165,11 @@ if(SIGN_WINDOWS_BINARIES)
set(TIMESTAMP_SERVER http://timestamp.sectigo.com/)
endif(NOT DEFINED TIMESTAMP_SERVER)
# Default hash algorithm
if(NOT DEFINED SIGN_HASH)
set(SIGN_HASH sha384)
endif(NOT DEFINED SIGN_HASH)
# Look for osslsigncode
find_program(
OSSLSIGNCODE_BIN
@ -172,15 +177,10 @@ if(SIGN_WINDOWS_BINARIES)
REQUIRED)
# Generate command to execute for signing binaries.
execute_process(
COMMAND cat
INPUT_FILE ${PKCS11_KEY_FILE}
OUTPUT_VARIABLE PKCS11_KEY)
execute_process(
COMMAND cat
INPUT_FILE ${PKCS11_CERTIFICATE_FILE}
OUTPUT_VARIABLE PKCS11_CERTIFICATE)
file(READ ${PKCS11_KEY_FILE} PKCS11_KEY_TMP)
file(READ ${PKCS11_CERTIFICATE_FILE} PKCS11_CERTIFICATE_TMP)
string(REPLACE "\n" "" PKCS11_KEY "${PKCS11_KEY_TMP}")
string(REPLACE "\n" "" PKCS11_CERTIFICATE "${PKCS11_CERTIFICATE_TMP}")
endif(SIGN_WINDOWS_BINARIES)
if(USE_STATIC_DEPS)
@ -647,7 +647,7 @@ if(WIN32)
if(SIGN_WINDOWS_BINARIES)
# Add finalize command for NSIS so the installer/uninstaller can be
# signed too.
set(CPACK_NSIS_FINALIZE_CMD "mv %1 %1.tmp; ${OSSLSIGNCODE_BIN} sign -pkcs11engine ${PKCS11_ENGINE} -pkcs11module ${PKCS11_MODULE} -pkcs11cert \\\"${PKCS11_CERTIFICATE}\\\" -key \\\"${PKCS11_KEY}\\\" -h sha384 -comm -ts ${TIMESTAMP_SERVER} -in %1.tmp -out %1")
set(CPACK_NSIS_FINALIZE_CMD "mv %1 %1.tmp; ${OSSLSIGNCODE_BIN} sign -pkcs11engine ${PKCS11_ENGINE} -pkcs11module ${PKCS11_MODULE} -pkcs11cert \\\"${PKCS11_CERTIFICATE}\\\" -key \\\"${PKCS11_KEY}\\\" -h ${SIGN_HASH} -comm -ts ${TIMESTAMP_SERVER} -in %1.tmp -out %1")
endif(SIGN_WINDOWS_BINARIES)
include(CPack)
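Review bot: SIGN_HASH is accepted verbatim by the new default block (`if(NOT DEFINED SIGN_HASH)` … `set(SIGN_HASH sha384)`) and then spliced into the shell string of CPACK_NSIS_FINALIZE_CMD in the third hunk and into the osslsigncode COMMAND in the third file's hunk, with no check on its value. Since the override exists precisely so the algorithm can be changed, constrain it to the digests osslsigncode accepts and refuse the deprecated md5/sha1, which are no longer appropriate for Authenticode; otherwise a typo such as `sha348` only surfaces as a failed sign step at build or packaging time, and an unexpected value ends up unquoted inside a shell command. Right after the default, add `if(NOT SIGN_HASH MATCHES "^sha(256|384|512)$")` / `message(FATAL_ERROR "SIGN_HASH must be one of sha256, sha384, sha512; got '${SIGN_HASH}'")` / `endif()`. The enclosing `if(SIGN_WINDOWS_BINARIES)` block begins before the first hunk.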


@ -108,7 +108,7 @@ echo -n "pkcs11:id=%01;type=private" > ~/yubikey-key.url
echo -n "pkcs11:id=%01" > ~/yubikey-cert.url
```
Note that the URLs in the above commands are shortened from what `p11tool` displays; this is possible if the issued certificate is the only one on the YubiKey.
Note that the URLs in the above commands are shortened from what `p11tool` displays; this is possible if it's able to uniquely identify a certificate using the provided information. If there's only one certificate installed on the YubiKey, it's also possible to just create empty files for the certificate and key URLs (and in fact, may be necessary for the correct certificate to be used).
## Signing binaries manually


@ -178,7 +178,7 @@ if(SIGN_WINDOWS_BINARIES)
TARGET freedv
POST_BUILD
COMMAND mv $<TARGET_FILE:freedv> $<TARGET_FILE:freedv>.tmp
COMMAND ${OSSLSIGNCODE_BIN} ARGS sign -pkcs11engine ${PKCS11_ENGINE} -pkcs11module ${PKCS11_MODULE} -pkcs11cert "${PKCS11_CERTIFICATE}" -key "${PKCS11_KEY}" -h sha384 -ts ${TIMESTAMP_SERVER} -comm -in $<TARGET_FILE:freedv>.tmp -out $<TARGET_FILE:freedv>
COMMAND ${OSSLSIGNCODE_BIN} ARGS sign -pkcs11engine ${PKCS11_ENGINE} -pkcs11module ${PKCS11_MODULE} -pkcs11cert "${PKCS11_CERTIFICATE}" -key "${PKCS11_KEY}" -h ${SIGN_HASH} -ts ${TIMESTAMP_SERVER} -comm -in $<TARGET_FILE:freedv>.tmp -out $<TARGET_FILE:freedv>
COMMAND rm $<TARGET_FILE:freedv>.tmp
VERBATIM)
endif(SIGN_WINDOWS_BINARIES)