oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Windows: Update code signing to support SHA256

Browse Source 
Change-Id: I324e7c56fd73a744127c50e8fc136e8b23d860b0
This commit is contained in:
Jeffrey Altman
2016-04-18 23:10:48 -05:00
parent bc20b5fad0
commit a234ee5265
3 changed files with 32 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
packages/windows/assembly/NTMakefile
View File

@@ -96,6 +96,7 @@ $(ASMKRBDIR)\$(ASMKRBNAME).cat: $(ASMKRBDIR)\$(ASMKRBMAN).cdf
cd $(ASMKRBDIR) cd $(ASMKRBDIR)
$(MAKECAT) $** $(MAKECAT) $**
$(_CODESIGN) $(_CODESIGN)
$(_CODESIGN_SHA256)
cd $(SRCDIR) cd $(SRCDIR)
asm-krb: \ asm-krb: \
@@ -170,6 +171,7 @@ $(POLKRBCAT): $(POLKRBFILE).cdf
cd $(POLKRBDIR) cd $(POLKRBDIR)
$(MAKECAT) $** $(MAKECAT) $**
$(_CODESIGN) $(_CODESIGN)
$(_CODESIGN_SHA256)
cd $(SRCDIR) cd $(SRCDIR)
all:: $(POLKRBFILE) $(POLKRBCAT) all:: $(POLKRBFILE) $(POLKRBCAT)

17
windows/NTMakefile.w32
View File

@@ -500,6 +500,7 @@ _VC_MANIFEST_CLEAN= \
!ifdef CODESIGN !ifdef CODESIGN
_CODESIGN=( $(CODESIGN) $@ ) _CODESIGN=( $(CODESIGN) $@ )
_CODESIGN_SHA256=( $(CODESIGN_SHA256) $@ )
!else !else
!ifndef SIGNTOOL !ifndef SIGNTOOL
@@ -509,10 +510,14 @@ SIGNTOOL=signtool.exe
!ifdef SIGNTOOL_C !ifdef SIGNTOOL_C
!ifndef SIGNTOOL_T !ifndef SIGNTOOL_T
SIGNTOOL_T=/t http://timestamp.verisign.com/scripts/timstamp.dll SIGNTOOL_T=http://timestamp.verisign.com/scripts/timstamp.dll
!endif
!ifndef SIGNTOOL_T_SHA256
SIGNTOOL_T_SHA256=http://timestamp.geotrust.com/tsa
!endif !endif
_CODESIGN=( $(SIGNTOOL) sign $(SIGNTOOL_O) $(SIGNTOOL_T) $(SIGNTOOL_C) /v $@ ) _CODESIGN=( $(SIGNTOOL) sign /fd sha1 $(SIGNTOOL_O) /t $(SIGNTOOL_T) $(SIGNTOOL_C) /v $@ )
_CODESIGN_SHA256=( $(SIGNTOOL) sign /as /fd sha256 $(SIGNTOOL_O) /tr $(SIGNTOOL_T_SHA256) $(SIGNTOOL_C) /v $@ )
!else !else
_CODESIGN=( echo Skipping code sign ) _CODESIGN=( echo Skipping code sign )
!endif !endif
@@ -546,22 +551,22 @@ SYMSTORE_IMPORT=@echo No symbol store
# prepare binaries. # prepare binaries.
EXEPREP=\ EXEPREP=\
( $(_VC_MANIFEST_EMBED_EXE) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) ( $(_VC_MANIFEST_EMBED_EXE) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 )
EXEPREP_NOHEIM=\ EXEPREP_NOHEIM=\
( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) ( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 )
EXEPREP_NODIST=\ EXEPREP_NODIST=\
( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 ) ( $(_VC_MANIFEST_EMBED_EXE_NOHEIM) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 )
DLLPREP=\ DLLPREP=\
( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) ( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 )
DLLPREP_NODIST=\ DLLPREP_NODIST=\
( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 ) ( $(_VC_MANIFEST_EMBED_DLL) && $(_VC_MANIFEST_CLEAN) && $(SYMSTORE_IMPORT) ) || ( $(RM) $@ && exit /b 1 )
DLLPREP_MERGE=\ DLLPREP_MERGE=\
( ( $(_MERGE_MANIFEST_DLL) || $(_INSERT_APPMANIFEST_DLL) && $(SYMSTORE_IMPORT) ) && $(_CODESIGN) ) || ( $(RM) $@ && exit /b 1 ) ( ( $(_MERGE_MANIFEST_DLL) || $(_INSERT_APPMANIFEST_DLL) && $(SYMSTORE_IMPORT) ) && $(_CODESIGN) && $(_CODESIGN_SHA256) ) || ( $(RM) $@ && exit /b 1 )
#---------------------------------------------------------------------- #----------------------------------------------------------------------
# Convenience macros for import libraries and assemblies # Convenience macros for import libraries and assemblies

24
windows/README.md
View File

@@ -35,13 +35,16 @@ work, but have not been tested.
(Required for running tests). These can be found in the Cygwin (Required for running tests). These can be found in the Cygwin
distribution. MinGW or GnuWin32 may also be used instead of Cygwin. distribution. MinGW or GnuWin32 may also be used instead of Cygwin.
However, a recent build of `makeinfo` is required for building the However, a recent build of `makeinfo` is required for building the
documentation. documentation. Cygwin makeinfo 4.7 is known to work.
* __Certificate for code-signing__: The Heimdal build produces a * __Certificate for code-signing__: The Heimdal build produces a
number of Assemblies that should be signed if they are to be number of Assemblies that should be signed if they are to be
installed via Windows Installer. In addition, all executable installed via Windows Installer. In addition, all executable
binaries produced by the build including installers can be signed binaries produced by the build including installers can be signed
and timestamped if a code-signing certificate is available. and timestamped if a code-signing certificate is available.
As of 1 January 2016 Windows 7 and above require the use of sha256
signatures. The signtool.exe provided with Windows SDK 8.1 or
later must be used.
[1]: http://wix.sourceforge.net/ [1]: http://wix.sourceforge.net/
@@ -82,23 +85,34 @@ work, but have not been tested.
set SIGNTOOL_C=/f c:\mycerts\codesign.pfx set SIGNTOOL_C=/f c:\mycerts\codesign.pfx
set SIGNTOOL_C=/n "Certificate Subject Name" /a
- `SIGNTOOL_O`: Signing parameter options for `signtool`. Optional. - `SIGNTOOL_O`: Signing parameter options for `signtool`. Optional.
E.g.: E.g.:
set SIGNTOOL_O=/du http://example.com/myheimdal set SIGNTOOL_O=/du http://example.com/myheimdal
- `SIGNTOOL_T`: Timestamp options for `signtool`. If not specified, - `SIGNTOOL_T`: SHA1 Timestamp URL for `signtool`. If not specified,
defaults to `/t http://timestamp.verisign.com/scripts/timstamp.dll`. defaults to `http://timestamp.verisign.com/scripts/timstamp.dll`.
- `CODESIGN`: Code signer command. This environment variable, if - `SIGNTOOL_T_SHA256`: SHA256 Timestamp URL for `signtool`. If not
specified, defaults to `http://timestamp.geotrust.com/tsa`.
- `CODESIGN`: SHA1 Code signer command. This environment variable, if
defined, overrides the `SIGNTOOL_*` variables. It should be defined, overrides the `SIGNTOOL_*` variables. It should be
defined to be a command that takes one parameter: the binary to be defined to be a command that takes one parameter: the binary to be
signed. signed.
- `CODESIGN_SHA256`: SHA256 Code signer command. This environment variable, if
defined, applies a second SHA256 signature to the parameter. It should be
defined to be a command that takes one parameter: the binary to be
signed.
E.g.: E.g.:
set CODESIGN=c:\scripts\mycodesigner.cmd set CODESIGN=c:\scripts\mycodesigner.cmd
set CODESIGN_SHA256=c:\scripts\mycodesigner256.cmd
* Define the code sign public key token. This is contained in the * Define the code sign public key token. This is contained in the
environment variable `CODESIGN_PKT` and is needed to build the environment variable `CODESIGN_PKT` and is needed to build the
@@ -134,7 +148,7 @@ The build can also be invoked from any subdirectory that contains an
inter-dependencies between directories and therefore it is recommended inter-dependencies between directories and therefore it is recommended
that a full build be invoked from the root of the source tree. that a full build be invoked from the root of the source tree.
Tests can be invoked as: Tests can be invoked, after a full build, by executing:
nmake /f NTMakefile test nmake /f NTMakefile test