From cc83a29121707f51a7eb8ff11c7eee7a7a575acf Mon Sep 17 00:00:00 2001
From: Tobias Markmann <tm@ayena.de>
Date: Tue, 2 Aug 2016 16:22:43 +0200
Subject: Add support for signing the resulting MSI installer on Windows

Test-Information:

Created a custom CA and added it as trusted to the system.
Created a signing certificate and passed it to scons as
described. The resulting installer does not show a red UAC
dialog anymore during installation. Instead the publisher from
the certificate is shown in a blue UAC dialog.

Change-Id: Ie4043520f6d45ec2e7aad712441a928cb423b0de

diff --git a/BuildTools/SCons/SConscript.boot b/BuildTools/SCons/SConscript.boot
index f845159..597690d 100644
--- a/BuildTools/SCons/SConscript.boot
+++ b/BuildTools/SCons/SConscript.boot
@@ -104,7 +104,12 @@ vars.Add(BoolVariable("unbound", "Build bundled ldns and unbound. Use them for D
 vars.Add(BoolVariable("check_headers", "Independently build compilation units for all Swiften headers for detecting missing dependencies.", "no"))
 vars.Add("win_target_arch", "Target architecture for Windows builds. x86 for 32-bit (default) or x86_64 for 64-bit.", "x86")
 vars.Add(BoolVariable("install_git_hooks", "Install git hooks", "true"))
+
+# Code Signing Options
 vars.Add("codesign_identity", "macOS code signing identity to be passed to codesign when building the distribution package. Must match the Commen Name of the Subject of the code signing certificate.", "")
+vars.Add("signtool_key_pfx", "The keyfile (.pfx) that will be used to sign the Windows installer.", None)
+vars.Add("signtool_timestamp_url", "The timestamp server that will be queried for a signed time stamp in the signing process.", None)
+
 
 ################################################################################
 # Set up default build & configure environment
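Review bot: The help text for `signtool_key_pfx` and `signtool_timestamp_url` does not say that signing happens only when both are supplied. The check added in Swift/QtUI/SConscript skips signing silently if either is missing, so a distribution build can ship unsigned without any message. I would extend the description, e.g. `"... Signing is only performed when signtool_timestamp_url is also set."`. It is also worth stating that the .pfx holds the private signing key: the signtool call in this commit passes only `/f`, so the file presumably has to be usable without a password and should live outside the source tree, readable only by the build account.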
@@ -374,6 +379,9 @@ if env["PLATFORM"] == "hpux" :
 # Code signing
 if env["PLATFORM"] == "darwin" :
     env["CODE_SIGN_IDENTITY"] = env["codesign_identity"]
+if env["PLATFORM"] == "win32" :
+    env["SIGNTOOL_KEY_PFX"] = env.get("signtool_key_pfx", None)
+    env["SIGNTOOL_TIMESTAMP_URL"] = env.get("signtool_timestamp_url", None)
 
 # Testing
 env["TEST_TYPE"] = env["test"]
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 2447853..2b8ca99 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -59,6 +59,9 @@ scons
 scons dist=1
 ```
 
+To sign the resulting MSI file, append the `signtool_key_pfx` and `signtool_timestamp_url` parameters to the `scons dist=1` programm call, e.g.
+`scons dist=1 signtool_key_pfx=C:\Users\Swift\SwiftSPC.pfx signtool_timestamp_url=http://timestamp.verisign.com/scripts/timstamp.dll`.
+
 Notes:
 - The settings `debug = 1` and `optimize = 1` are **strictly required** if you use a precompiled Qt release from the Qt Project; otherwise you will get linker errors
 - On 64-bit Windows it's "Program Files (x86)" instead of "Program Files" in the
diff --git a/Swift/QtUI/SConscript b/Swift/QtUI/SConscript
index 7e2aafe..403de5e 100644
--- a/Swift/QtUI/SConscript
+++ b/Swift/QtUI/SConscript
@@ -447,7 +447,12 @@ if env["PLATFORM"] == "win32" :
             myenv.WiX_Heat('..\\Packaging\\WiX\\gen_files.wxs', windowsBundleFiles + copying)
             myenv.WiX_Candle('..\\Packaging\\WiX\\Swift.wixobj', '..\\Packaging\\WiX\\Swift.wxs')
             myenv.WiX_Candle('..\\Packaging\\WiX\\gen_files.wixobj', '..\\Packaging\\WiX\\gen_files.wxs')
-            myenv.WiX_Light('#/Packages/Swift/Swift-' + myenv["SWIFT_VERSION"] + '.msi', ['..\\Packaging\\WiX\\gen_files.wixobj','..\\Packaging\\WiX\\Swift.wixobj'])
+            lightTask = myenv.WiX_Light('#/Packages/Swift/Swift-' + myenv["SWIFT_VERSION"] + '.msi', ['..\\Packaging\\WiX\\gen_files.wixobj','..\\Packaging\\WiX\\Swift.wixobj'])
+            if myenv.get("SIGNTOOL_KEY_PFX", None) and myenv.get("SIGNTOOL_TIMESTAMP_URL", None) :
+                def signToolAction(target = None, source = None, env = None):
+                    env.Execute('signtool.exe sign /fd SHA256 /f "${SIGNTOOL_KEY_PFX}" /t "${SIGNTOOL_TIMESTAMP_URL}" ' + str(target[0]))
+
+                myenv.AddPostAction(lightTask, signToolAction)
 
             if myenv["debug"] :
                 myenv.InstallAs('#/Packages/Swift/Swift-' + myenv["SWIFT_VERSION"] + '.pdb', "Swift.pdb")
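Review bot: `signToolAction` discards the result of `env.Execute`, so a failed signtool run (wrong certificate, unreachable timestamp server) still counts as a successful post-action and the build yields an unsigned MSI without failing. Return the status and quote the target path, which currently breaks when the path contains spaces: `return env.Execute('signtool.exe sign /fd SHA256 /f "${SIGNTOOL_KEY_PFX}" /t "${SIGNTOOL_TIMESTAMP_URL}" "' + str(target[0]) + '"')`. Separately, `/t` requests a legacy Authenticode timestamp; if the timestamp digest is meant to match `/fd SHA256`, `/tr` together with `/td SHA256` is the RFC 3161 form, provided the configured server supports it. The enclosing `if env["PLATFORM"] == "win32"` block starts outside this hunk.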
-- 
cgit v0.10.2-6-g49f6