Amebis/ZRCola
Amebis/ZRCola
1
1
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 49 Wiki Activity

Upgrade code signing to SHA-256

Browse Source 
Signed-off-by: Simon Rozman <simon@rozman.si>
This commit is contained in:
Simon Rozman 2021-10-13 09:17:34 +02:00
parent e54e827a07
commit e173ed8aa2
4 changed files with 5 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
MSI/MSICA

@ -1 +1 @@
Subproject commit ef5e73f72f57a0cc7e1e943918b1203c18839f98
Subproject commit f943510140b067645a42864a99a5e196f64cccc6

4
README.md
View File

@ -40,8 +40,8 @@ In order to have the build process digitally sign output files, one should provi
1. A signing certificate installed in the current user's certificate store.
2. The following variables in the environment:
- `ManifestCertificateThumbprint` - set the value to certificate's SHA1 thumbprint (hexadecimal, without spaces, i.e. `bc0d8da45f9eeefcbe4e334e1fc262804df88d7e`).
- `ManifestTimestampUrl` - set the value to URL used to perform timestamp signature (i.e. `http://timestamp.verisign.com/scripts/timstamp.dll`). In order to perform timestamp signing successfully, the computer running the build should be online and able to access this URL.
- `ManifestCertificateThumbprint` - set the value to certificate's SHA1 thumbprint (hexadecimal, without spaces, i.e. `f61b973226c502a732d24f41aa85e192b009e7c0`).
- `ManifestTimestampRFC3161Url` - set the value to URL used to perform RFC3161 timestamp signature (i.e. `http://time.certum.pl`). In order to perform timestamp signing successfully, the computer running the build should be online and able to access this URL.
Please note that only Release builds are configured for timestamp signing. Debug configurations do not attempt to timestamp sign the resulting DLL and EXE files in order to speed up the building process and enable offline building.

8
include/Debug.props
View File

@ -40,13 +40,7 @@
<ItemGroup />
<Target Name="Sign" Condition="'$(ManifestCertificateThumbprint)' != '' and ('$(ConfigurationType)' == 'Application' or '$(ConfigurationType)' == 'DynamicLibrary')" AfterTargets="_Manifest" BeforeTargets="RegisterOutput" Inputs="$(OutDir)$(TargetName)$(TargetExt)" Outputs="$(IntDir)$(TargetName).sign">
<Message Text="Signing output file..." />
<!--
To make Windows XP and Vista compliant signatures, the binaries have to be signed using SHA1.
<SignFile> switches to SHA256 if the signing certificate is SHA256.
Reverted to signtool.exe until we can drop Windows XP and Vista support.
-->
<!--<SignFile CertificateThumbprint="$(ManifestCertificateThumbprint)" SigningTarget="$(OutDir)$(TargetName)$(TargetExt)" />-->
<Exec Command="signtool.exe sign /du &quot;https://www.amebis.si&quot; /sha1 &quot;%ManifestCertificateThumbprint%&quot; /fd sha1 /q &quot;$(TargetPath)&quot;" />
<Exec Command="signtool.exe sign /du &quot;https://www.amebis.si&quot; /sha1 &quot;%ManifestCertificateThumbprint%&quot; /fd sha256 /q &quot;$(TargetPath)&quot;" />
<Touch Files="$(IntDir)$(TargetName).sign" AlwaysCreate="true" />
</Target>
</Project>

8
include/Release.props
View File

@ -42,13 +42,7 @@
<ItemGroup />
<Target Name="Sign" Condition="'$(ManifestCertificateThumbprint)' != '' and ('$(ConfigurationType)' == 'Application' or '$(ConfigurationType)' == 'DynamicLibrary')" AfterTargets="_Manifest" BeforeTargets="RegisterOutput" Inputs="$(OutDir)$(TargetName)$(TargetExt)" Outputs="$(IntDir)$(TargetName).sign">
<Message Text="Signing output file..." />
<!--
To make Windows XP and Vista compliant signatures, the binaries have to be signed using SHA1.
<SignFile> switches to SHA256 if the signing certificate is SHA256.
Reverted to signtool.exe until we can drop Windows XP and Vista support.
-->
<!--<SignFile CertificateThumbprint="$(ManifestCertificateThumbprint)" TimestampUrl="$(ManifestTimestampUrl)" SigningTarget="$(OutDir)$(TargetName)$(TargetExt)" />-->
<Exec Command="signtool.exe sign /du &quot;https://www.amebis.si&quot; /sha1 &quot;%ManifestCertificateThumbprint%&quot; /fd sha1 /t &quot;%ManifestTimestampUrl%&quot; /q &quot;$(TargetPath)&quot;" />
<Exec Command="signtool.exe sign /sha1 &quot;%ManifestCertificateThumbprint%&quot; /fd sha256 /tr &quot;%ManifestTimestampRFC3161Url%&quot; /td sha256 /q &quot;$(TargetPath)&quot;" />
<Touch Files="$(IntDir)$(TargetName).sign" AlwaysCreate="true" />
</Target>
</Project>