From cc83a29121707f51a7eb8ff11c7eee7a7a575acf Mon Sep 17 00:00:00 2001
From: Tobias Markmann
Date: Tue, 2 Aug 2016 16:22:43 +0200
Subject: Add support for signing the resulting MSI installer on Windows
Test-Information: Created a custom CA and added it as trusted to the system. Created a signing certificate and passed it to scons as described. The resulting installer does not show a red UAC dialog anymore during installation. Instead the publisher from the certificate is shown in a blue UAC dialog.
Change-Id: Ie4043520f6d45ec2e7aad712441a928cb423b0de
diff --git a/BuildTools/SCons/SConscript.boot b/BuildTools/SCons/SConscript.boot
index f845159..597690d 100644
--- a/BuildTools/SCons/SConscript.boot
+++ b/BuildTools/SCons/SConscript.boot
@@ -104,7 +104,12 @@ vars.Add(BoolVariable("unbound", "Build bundled ldns and unbound. Use them for D
 vars.Add(BoolVariable("check_headers", "Independently build compilation units for all Swiften headers for detecting missing dependencies.", "no"))
 vars.Add("win_target_arch", "Target architecture for Windows builds. x86 for 32-bit (default) or x86_64 for 64-bit.", "x86")
 vars.Add(BoolVariable("install_git_hooks", "Install git hooks", "true"))
+
+# Code Signing Options
 vars.Add("codesign_identity", "macOS code signing identity to be passed to codesign when building the distribution package. Must match the Commen Name of the Subject of the code signing certificate.", "")
+vars.Add("signtool_key_pfx", "The keyfile (.pfx) that will be used to sign the Windows installer.", None)
+vars.Add("signtool_timestamp_url", "The timestamp server that will be queried for a signed time stamp in the signing process.", None)
+
 ################################################################################
 # Set up default build & configure environment
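Review bot: The help text for `signtool_key_pfx` does not say how the key file has to be prepared or protected. The signtool command added in Swift/QtUI/SConscript passes `/f` without any password option, so presumably only a .pfx that opens without a password will work, which leaves the private signing key usable by anyone who can read that file. I would state this where the option is declared, for example `"The keyfile (.pfx) used to sign the Windows installer. It holds the private key and is passed to signtool without a password; keep it outside the source tree and readable only by the build account."`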
@@ -374,6 +379,9 @@ if env["PLATFORM"] == "hpux" :
 # Code signing
 if env["PLATFORM"] == "darwin" :
 env["CODE_SIGN_IDENTITY"] = env["codesign_identity"]
+if env["PLATFORM"] == "win32" :
+ env["SIGNTOOL_KEY_PFX"] = env.get("signtool_key_pfx", None)
+ env["SIGNTOOL_TIMESTAMP_URL"] = env.get("signtool_timestamp_url", None)
 # Testing
 env["TEST_TYPE"] = env["test"]
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 2447853..2b8ca99 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -59,6 +59,9 @@ scons
 scons dist=1
 ```
+To sign the resulting MSI file, append the `signtool_key_pfx` and `signtool_timestamp_url` parameters to the `scons dist=1` programm call, e.g.
+`scons dist=1 signtool_key_pfx=C:\Users\Swift\SwiftSPC.pfx signtool_timestamp_url=http://timestamp.verisign.com/scripts/timstamp.dll`.
+
 Notes:
 - The settings `debug = 1` and `optimize = 1` are **strictly required** if you use a precompiled Qt release from the Qt Project; otherwise you will get linker errors
 - On 64-bit Windows it's "Program Files (x86)" instead of "Program Files" in the
diff --git a/Swift/QtUI/SConscript b/Swift/QtUI/SConscript
index 7e2aafe..403de5e 100644
--- a/Swift/QtUI/SConscript
+++ b/Swift/QtUI/SConscript
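Review bot: In BuildTools/SCons/SConscript.boot, the win32 block added by the `@@ -374,6 +379,9 @@` hunk accepts a half-configured signing setup. If only one of `signtool_key_pfx` and `signtool_timestamp_url` is given, both values are still copied into the environment, and the condition added in Swift/QtUI/SConscript then skips signing without any message, so a release build can ship an unsigned installer unnoticed. A check right after the two assignments would catch this at configure time: `if bool(env["SIGNTOOL_KEY_PFX"]) != bool(env["SIGNTOOL_TIMESTAMP_URL"]) :` followed by `print("Error: signtool_key_pfx and signtool_timestamp_url must be set together")` and `Exit(1)`. The rest of the file lies outside the hunk, so match whatever form it already uses to report configuration errors.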
@@ -447,7 +447,12 @@ if env["PLATFORM"] == "win32" :
 myenv.WiX_Heat('..\\Packaging\\WiX\\gen_files.wxs', windowsBundleFiles + copying)
 myenv.WiX_Candle('..\\Packaging\\WiX\\Swift.wixobj', '..\\Packaging\\WiX\\Swift.wxs')
 myenv.WiX_Candle('..\\Packaging\\WiX\\gen_files.wixobj', '..\\Packaging\\WiX\\gen_files.wxs')
- myenv.WiX_Light('#/Packages/Swift/Swift-' + myenv["SWIFT_VERSION"] + '.msi', ['..\\Packaging\\WiX\\gen_files.wixobj','..\\Packaging\\WiX\\Swift.wixobj'])
+ lightTask = myenv.WiX_Light('#/Packages/Swift/Swift-' + myenv["SWIFT_VERSION"] + '.msi', ['..\\Packaging\\WiX\\gen_files.wixobj','..\\Packaging\\WiX\\Swift.wixobj'])
+ if myenv.get("SIGNTOOL_KEY_PFX", None) and myenv.get("SIGNTOOL_TIMESTAMP_URL", None) :
+ def signToolAction(target = None, source = None, env = None):
+ env.Execute('signtool.exe sign /fd SHA256 /f "${SIGNTOOL_KEY_PFX}" /t "${SIGNTOOL_TIMESTAMP_URL}" ' + str(target[0]))
+
+ myenv.AddPostAction(lightTask, signToolAction)
 if myenv["debug"] :
 myenv.InstallAs('#/Packages/Swift/Swift-' + myenv["SWIFT_VERSION"] + '.pdb', "Swift.pdb")
--
cgit v0.10.2-6-g49f6
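Review bot: `signToolAction` discards the result of `env.Execute(...)` and returns None, which SCons treats as success, so a failing signtool run (wrong key file, unreachable timestamp server) still leaves the build green with an unsigned MSI under Packages. Returning the status makes the post-action fail the build: `return env.Execute('signtool.exe sign /fd SHA256 /f "${SIGNTOOL_KEY_PFX}" /t "${SIGNTOOL_TIMESTAMP_URL}" "' + str(target[0]) + '"')`; the added quotes around the target also keep a path containing spaces from being split. Separately, `/t` requests a legacy Authenticode timestamp while the file digest is SHA-256; if the configured server supports RFC 3161, `/tr` together with `/td SHA256` would keep the timestamp on SHA-256 as well. The enclosing `if env["PLATFORM"] == "win32" :` block starts outside the hunk.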