Amebis/GEANTLink
Amebis/GEANTLink
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 50 Wiki Activity

Upgrade code signing

Browse Source 
This adds support for Microsoft Azure Trusted Signing and removes
signing of the Debug binaries to minimize the Trusted Signing API
volume.

Signed-off-by: Simon Rozman <simon@rozman.si>
This commit is contained in:
Simon Rozman 2024-11-19 10:30:13 +01:00
parent 2a918254f6
commit 5293dfc1a7
5 changed files with 26 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
MSI/MSIBuild

@ -1 +1 @@
Subproject commit b8364dea81f39b321d726317a9dcbf6b13a455e0
Subproject commit eccce8c523c9193c1e3a627e4dd8a80cd3cd5703

BIN
MakefilePlatCfg.mak
View File

Binary file not shown.

23
README.md
View File

@ -101,14 +101,25 @@ The product compilation references wxWidgets libraries using `WXWIN` environment
### Digital Signing of Build Outputs
In order to have the build process digitally sign output files, one should provide the following:
In order to have the build process digitally sign the Release output files, one should setup either:
1. A signing certificate installed in the current users certificate store.
2. The following variables in the environment:
- `ManifestCertificateThumbprint` - set the value to certificates SHA1 thumbprint (hexadecimal, without spaces, i.e. `bc0d8da45f9eeefcbe4e334e1fc262804df88d7e`).
- `ManifestTimestampRFC3161Url` - set the value to URL used to perform RFC3161 timestamp signature (i.e. `http://sha256timestamp.ws.symantec.com/sha256/timestamp`). In order to perform timestamp signing successfully, the computer running the build should be online and able to access this URL.
- Local signing:
1. A signing certificate/hardware key
2. The following variables in the environment:
- `ManifestCertificateThumbprint` - set the value to certificates SHA1 thumbprint (hexadecimal, without spaces, e.g. `bc0d8da45f9eeefcbe4e334e1fc262804df88d7e`).
- `ManifestTimestampRFC3161Url` - set the value to URL used to perform timestamp signature (e.g. `http://sha256timestamp.ws.symantec.com/sha256/timestamp`, `http://timestamp.digicert.com` etc.). In order to perform the timestamp signing successfully, the computer running the build should be online and able to access this URL.
Please note that only Release builds are configured for timestamp signing. Debug configurations do not attempt to timestamp sign the resulting DLL and EXE files in order to speed up the building process and enable offline building.
- Microsoft Trusted Signing:
1. Install [Trusted Signing dlib package](https://www.nuget.org/packages/Microsoft.Trusted.Signing.Client):
```cmd
nuget install Microsoft.Trusted.Signing.Client -Version 1.0.53 -x`
```
2. Provide a [`manifest.json`](https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations#create-a-json-file) file and place it at `%APPDATA%\Microsoft.Trusted.Signing.Client.json`:
```cmd
notepad "%APPDATA%\Microsoft.Trusted.Signing.Client.json"
```
Debug configurations are not digitally signed by design.
### Building

5
include/Debug.props
View File

@ -20,9 +20,4 @@
<EnableCOMDATFolding>false</EnableCOMDATFolding>
</Link>
</ItemDefinitionGroup>
<Target Name="Sign" Condition="'$(ManifestCertificateThumbprint)' != '' and ('$(ConfigurationType)' == 'Application' or '$(ConfigurationType)' == 'DynamicLibrary')" AfterTargets="_Manifest" BeforeTargets="RegisterOutput" Inputs="$(OutDir)$(TargetName)$(TargetExt)" Outputs="$(IntDir)$(TargetName).sign">
<Message Text="Signing output file..." />
<Exec Command="signtool.exe sign /sha1 &quot;%ManifestCertificateThumbprint%&quot; /fd sha256 /q &quot;$(OutDir)$(TargetName)$(TargetExt)&quot;" />
<Touch Files="$(IntDir)$(TargetName).sign" AlwaysCreate="true" />
</Target>
</Project>

11
include/Release.props
View File

@ -26,9 +26,14 @@
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<Target Name="Sign" Condition="'$(ManifestCertificateThumbprint)' != '' and ('$(ConfigurationType)' == 'Application' or '$(ConfigurationType)' == 'DynamicLibrary')" AfterTargets="_Manifest" BeforeTargets="RegisterOutput" Inputs="$(OutDir)$(TargetName)$(TargetExt)" Outputs="$(IntDir)$(TargetName).sign">
<Message Text="Signing output file..." />
<Exec Command="signtool.exe sign /sha1 &quot;%ManifestCertificateThumbprint%&quot; /fd sha256 /tr &quot;%ManifestTimestampRFC3161Url%&quot; /td sha256 /q &quot;$(OutDir)$(TargetName)$(TargetExt)&quot;" />
<Target Name="SignLocal" Condition="('$(ConfigurationType)' == 'Application' or '$(ConfigurationType)' == 'DynamicLibrary') and '$(ManifestCertificateThumbprint)' != ''"
AfterTargets="_Manifest" BeforeTargets="RegisterOutput" Inputs="$(OutDir)$(TargetName)$(TargetExt)" Outputs="$(IntDir)$(TargetName).sign">
<Exec Command="signtool.exe sign /sha1 &quot;$(ManifestCertificateThumbprint)&quot; /fd SHA256 /tr &quot;$(ManifestTimestampRFC3161Url)&quot; /td SHA256 /q &quot;$(TargetPath)&quot;" />
<Touch Files="$(IntDir)$(TargetName).sign" AlwaysCreate="true" />
</Target>
<Target Name="SignAzure" Condition="('$(ConfigurationType)' == 'Application' or '$(ConfigurationType)' == 'DynamicLibrary') and exists('$(APPDATA)\Microsoft.Trusted.Signing.Client.json')"
AfterTargets="_Manifest" BeforeTargets="RegisterOutput" Inputs="$(OutDir)$(TargetName)$(TargetExt)" Outputs="$(IntDir)$(TargetName).sign">
<Exec Command="signtool.exe sign /dlib &quot;$(USERPROFILE)\.nuget\packages\microsoft.trusted.signing.client\1.0.53\bin\$(PreferredToolArchitecture)\Azure.CodeSigning.Dlib.dll&quot; /dmdf &quot;$(APPDATA)\Microsoft.Trusted.Signing.Client.json&quot; /fd SHA256 /tr &quot;http://timestamp.acs.microsoft.com&quot; /td SHA256 /q &quot;$(TargetPath)&quot;" />
<Touch Files="$(IntDir)$(TargetName).sign" AlwaysCreate="true" />
</Target>
</Project>