From 4a70fb99a4b4a670383d08f00daa5cc8a60cd8a6 Mon Sep 17 00:00:00 2001
From: qstokkink
Date: Tue, 20 Aug 2024 12:41:16 +0200
Subject: [PATCH] Added one-time signing keys to windows build
---
 .github/workflows/build.yml | 3 ++-
 build/win/keygen_config.txt | 23 +++++++++++++++++++++++
 build/win/makedist_win.bat | 15 ++++++++-------
 3 files changed, 33 insertions(+), 8 deletions(-)
 create mode 100644 build/win/keygen_config.txt
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f1a698f695..8fe15be777 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -62,7 +62,8 @@ jobs:
 run: |
 git fetch --tags
 git for-each-ref --count=1 --sort=-creatordate --format '%(refname)' refs/tags > raw_tag.txt
- echo "GITHUB_TAG=$(git name-rev --tags --name-only $(cat raw_tag.txt))" >> $GITHUB_ENV
+ GITHUB_TAG=$(git name-rev --tags --name-only $(cat raw_tag.txt))
+ echo "GITHUB_TAG=${GITHUB_TAG#v}" >> $GITHUB_ENV
 - name: Build Executables (Ubuntu)
 if: matrix.os == 'ubuntu-latest'
 run: |
diff --git a/build/win/keygen_config.txt b/build/win/keygen_config.txt
new file mode 100644
index 0000000000..e8ec41d2e7
--- /dev/null
+++ b/build/win/keygen_config.txt
@@ -0,0 +1,23 @@
+[ req ]
+prompt = no
+default_bits = 4096
+distinguished_name = req_distinguished_name
+
+string_mask = utf8only
+default_md = sha256
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+countryName = NL
+stateOrProvinceName = ZH
+localityName = nl_NL
+organizationName = Delf University of Technology
+organizationalUnitName = Tribler
+commonName = Tribler
+emailAddress = info@tribler.org
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature
diff --git a/build/win/makedist_win.bat b/build/win/makedist_win.bat
index 72920d0365..0948ae4b3e 100644
--- a/build/win/makedist_win.bat
+++ b/build/win/makedist_win.bat
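Review bot: The new `GITHUB_TAG=$(git name-rev --tags --name-only $(cat raw_tag.txt))` line still records an empty GITHUB_TAG when raw_tag.txt is empty (no tag reachable after `git fetch --tags`) or when name-rev prints nothing, and the following `echo` then exports an empty version that makedist_win.bat hands to NSIS as `/DVERSION=`. Whether the step itself aborts depends on which shell this `run:` uses, which is outside the hunk, so an explicit guard before the echo is cheaper than finding out from a mis-versioned installer: `[ -n "$GITHUB_TAG" ] || { echo "no release tag found" >&2; exit 1; }`. Both `$(cat raw_tag.txt)` and `$GITHUB_ENV` are unquoted; `"$(cat raw_tag.txt)"` and `"$GITHUB_ENV"` cost nothing. Note also that `${GITHUB_TAG#v}` strips any leading `v`, not only a version prefix, so a tag such as `verify-1` would be recorded as `erify-1`.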
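Review bot: The `[ v3_ca ]` section gives the one-time signing certificate `basicConstraints = critical, CA:true` and no `extendedKeyUsage`, although makedist_win.bat uses it only as the end-entity Authenticode signer for tribler.exe and the installer. For a throwaway leaf I would set `basicConstraints = critical, CA:false` and add `extendedKeyUsage = critical, codeSigning`, so the certificate is unambiguously scoped to code signing; whether signtool and the Windows chain checks accept a certificate with no EKU at all should be confirmed against the 10.0.19041 signtool the build invokes rather than assumed. The subject is stamped into every release signature and carries two typos: `organizationName = Delf University of Technology` should read `Delft University of Technology`, and `localityName = nl_NL` is a locale identifier, not a locality (presumably `Delft`). Since a fresh self-signed key is generated on every build, users get no stable publisher identity from these signatures, so a leading comment such as `# Profile for a one-time, build-local Authenticode key; this is not the release certificate.` would stop the file being mistaken for the real signing profile.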
@@ -43,23 +43,24 @@ REM Sandip, 2024-03-26: Some openssl dlls are missing so need to be copied manua
 copy C:\Program Files\OpenSSL\bin\*.dll dist\tribler\lib
-@echo Running NSIS
-cd dist\tribler
-
 REM Arno: Sign Tribler.exe so MS "Block / Unblock" dialog has publisher info.
 REM --- Doing this in ugly way for now
 if not defined SKIP_SIGNING_TRIBLER_BINARIES (
- REM Get password for code signing
- set /p PASSWORD="Enter the PFX password:"
- signtool.exe sign /f C:\build\certs\certificate.pfx /p "%PASSWORD%" /d "Tribler" /t "http://timestamp.digicert.com" tribler.exe
+ openssl req -nodes -new -x509 -config build\win\keygen_config.txt -keyout key.pem -out pub_key.pem
+ openssl pkcs12 -export -in pub_key.pem -inkey key.pem -out ot_cert.pfx -passout pass:
+ "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f ot_cert.pfx /d "Tribler" /t "http://timestamp.digicert.com" dist\tribler\tribler.exe
 )
+
+@echo Running NSIS
+cd dist\tribler
+
 :makeinstaller
 %NSIS% /DVERSION=%GITHUB_TAG% tribler.nsi || exit /b
 move Tribler_*.exe ..
 cd ..
 REM Arno: Sign installer
 if not defined SKIP_SIGNING_TRIBLER_BINARIES (
- signtool.exe sign /f c:\build\certs\certificate.pfx /p "%PASSWORD%" /d "Tribler" /t "http://timestamp.digicert.com" Tribler_*.exe
+ "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f ..\ot_cert.pfx /d "Tribler" /t "http://timestamp.digicert.com" Tribler_*.exe
 )
 endlocal
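Review bot: The private key written by `openssl req ... -keyout key.pem` and the PFX exported with `-passout pass:` (no password) land in the repository root and are never deleted, and neither `openssl` call gets the `|| exit /b` that `%NSIS%` has, so a failed key generation falls through to signtool with whatever `ot_cert.pfx` happens to be on disk from a previous run. Since the pair is meant to be one-time, abort on generation failure and delete `key.pem`, `pub_key.pem` and `ot_cert.pfx` immediately after the installer is signed, before anything packages or uploads the tree. Both signtool invocations pass only `/t` and no `/fd`, so signtool falls back to its SHA-1 file digest with a legacy Authenticode timestamp; `/fd sha256 /tr http://timestamp.digicert.com /td sha256` is the current form, and I expect the 10.0.19041 signtool accepts it, though that is worth a quick check. Signing with a certificate generated fresh on every build gives Windows no verifiable publisher identity (the `/d "Tribler"` description does not change what the user is shown, and the publisher presumably still reads as unknown), so the commit message should say plainly that this is build-local signing and not release signing.
```batch
if not defined SKIP_SIGNING_TRIBLER_BINARIES (
    openssl req -nodes -new -x509 -config build\win\keygen_config.txt -keyout key.pem -out pub_key.pem || exit /b
    openssl pkcs12 -export -in pub_key.pem -inkey key.pem -out ot_cert.pfx -passout pass: || exit /b
    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f ot_cert.pfx /fd sha256 /d "Tribler" /tr "http://timestamp.digicert.com" /td sha256 dist\tribler\tribler.exe || exit /b
)
REM ... unchanged: NSIS build, move of the installer, cd .. ...
REM Arno: Sign installer
if not defined SKIP_SIGNING_TRIBLER_BINARIES (
    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f ..\ot_cert.pfx /fd sha256 /d "Tribler" /tr "http://timestamp.digicert.com" /td sha256 Tribler_*.exe || exit /b
    REM One-time key: remove it so it cannot be packaged, uploaded or reused by a later run.
    del ..\key.pem ..\pub_key.pem ..\ot_cert.pfx
)
```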