authorSimon Rozman <simon@rozman.si>2024-10-17 14:27:00 +0200
committerSimon Rozman <simon@rozman.si>2024-10-17 14:27:00 +0200
commitb279eab97a46bf8382b956b087b6922f88f95f20 (patch)
tree920b29faef3c5920557eb9752d7748265c3f4f0c
parentinstaller: update WiX Toolset download URL and version (diff)
build: make code signing method configurable
Existing code signing was hard-coded to use a locally installed certificate (hardware security dongles included). However, signtool.exe is extensible to allow any kind of digest signing plugin with /dlib and /dmdf switches. This is used for cloud-based code signing (e.g. Microsoft Trusted Signing).

Signed-off-by: Simon Rozman <simon@rozman.si>
-rw-r--r--build.bat4
-rw-r--r--docs/buildrun.md2
-rw-r--r--embeddable-dll-service/build.bat4
-rw-r--r--installer/build.bat8
4 files changed, 9 insertions, 9 deletions
diff --git a/build.bat b/build.bat
index afb171ef..8693f3f1 100644
--- a/build.bat
+++ b/build.bat
@@ -47,10 +47,10 @@ if exist .deps\prepared goto :render
:sign
if exist .\sign.bat call .\sign.bat
- if "%SigningCertificate%"=="" goto :success
+ if "%SigningProvider%"=="" goto :success
if "%TimestampServer%"=="" goto :success
echo [+] Signing
- signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d WireGuard x86\wireguard.exe x86\wg.exe amd64\wireguard.exe amd64\wg.exe arm64\wireguard.exe arm64\wg.exe || goto :error
+ signtool sign %SigningProvider% /fd sha256 /tr "%TimestampServer%" /td sha256 /d WireGuard x86\wireguard.exe x86\wg.exe amd64\wireguard.exe amd64\wg.exe arm64\wireguard.exe arm64\wg.exe || goto :error
:success
echo [+] Success. Launch wireguard.exe.
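Review bot: The emptiness test `if "%SigningProvider%"=="" goto :success` at the top of this hunk misparses as soon as the provider string itself contains double quotes, which the `/dlib`/`/dmdf` form the commit message introduces will typically need for a plugin or metadata path containing spaces; cmd then aborts the build with a syntax error instead of either signing or skipping. `if not defined SigningProvider goto :success` checks the variable without expanding it and accepts any value, including quoted paths. The same pattern recurs in embeddable-dll-service/build.bat and twice in installer/build.bat (the second time with `:skipsign` as the target inside the `:msi` routine), so the change belongs in all four places. The `:sign` section's surrounding flow (`:error` handling) lies outside this hunk.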
diff --git a/docs/buildrun.md b/docs/buildrun.md
index 3d356f2a..687d2e61 100644
--- a/docs/buildrun.md
+++ b/docs/buildrun.md
@@ -60,7 +60,7 @@ C:\Projects\wireguard-windows\installer> build
Add a file called `sign.bat` in the root of this repository with these contents, or similar:
```text
-set SigningCertificate=8BC932FDFF15B892E8364C49B383210810E4709D
+set SigningProvider=/sha1 8BC932FDFF15B892E8364C49B383210810E4709D
set TimestampServer=http://timestamp.entrust.net/rfc3161ts2
```
diff --git a/embeddable-dll-service/build.bat b/embeddable-dll-service/build.bat
index b4c29000..f1001192 100644
--- a/embeddable-dll-service/build.bat
+++ b/embeddable-dll-service/build.bat
@@ -25,10 +25,10 @@ if exist ..\.deps\prepared goto :build
:sign
if exist ..\sign.bat call ..\sign.bat
- if "%SigningCertificate%"=="" goto :success
+ if "%SigningProvider%"=="" goto :success
if "%TimestampServer%"=="" goto :success
echo [+] Signing
- signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Tunnel" x86\tunnel.dll amd64\tunnel.dll arm64\tunnel.dll || goto :error
+ signtool sign %SigningProvider% /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Tunnel" x86\tunnel.dll amd64\tunnel.dll arm64\tunnel.dll || goto :error
:success
echo [+] Success
diff --git a/installer/build.bat b/installer/build.bat
index 66218deb..ff3aaba2 100644
--- a/installer/build.bat
+++ b/installer/build.bat
@@ -40,10 +40,10 @@ if exist .deps\prepared goto :build
call :msi x86 i686 x86 || goto :error
call :msi amd64 x86_64 x64 || goto :error
call :msi arm64 aarch64 arm64 || goto :error
- if "%SigningCertificate%"=="" goto :success
+ if "%SigningProvider%"=="" goto :success
if "%TimestampServer%"=="" goto :success
echo [+] Signing
- signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup" "dist\wireguard-*-%WIREGUARD_VERSION%.msi" || goto :error
+ signtool sign %SigningProvider% /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup" "dist\wireguard-*-%WIREGUARD_VERSION%.msi" || goto :error
:success
echo [+] Success.
@@ -61,10 +61,10 @@ if exist .deps\prepared goto :build
if not exist "%~1" mkdir "%~1"
echo [+] Compiling %1
%CC% %CFLAGS% %LDFLAGS% -o "%~1\customactions.dll" customactions.c %LDLIBS% || exit /b 1
- if "%SigningCertificate%"=="" goto :skipsign
+ if "%SigningProvider%"=="" goto :skipsign
if "%TimestampServer%"=="" goto :skipsign
echo [+] Signing %1
- signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup Custom Actions" "%~1\customactions.dll" || exit /b 1
+ signtool sign %SigningProvider% /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup Custom Actions" "%~1\customactions.dll" || exit /b 1
:skipsign
"%WIX%bin\candle" %WIX_CANDLE_FLAGS% -dWIREGUARD_PLATFORM="%~1" -out "%~1\wireguard.wixobj" -arch %3 wireguard.wxs || exit /b %errorlevel%
echo [+] Linking %1