authorWerner Koch <wk@gnupg.org>2019-05-09 13:39:34 +0200
committerAndre Heinecke <aheinecke@intevation.de>2019-08-08 13:05:23 +0200
commit4964691861796ad6e7bd59dd553a617f68676b2b (patch)
tree3582c4cc9e463d4e027650f81d4d66ca4d9365e2
parentscd: Remove fallback mechanism to PC/SC. (diff)
build: Sign all Windows binaries.
* build-aux/speedo.mk (AUTHENTICODE_SIGNHOST): New. (AUTHENTICODE_TOOL): New. (AUTHENTICODE_FILES): New. (installer): Sign listed files. (AUTHENTICODE_SIGNHOST): New macro. (sign-installer): Use that macro instead of direct use of osslsigncode. -- This also adds code to support signing via a Token. Because there is no specification of that token, I was not able to write a free driver for it. Thus we resort to use a running Windows-10 instance with an enabled ssh server to do the code signing. Signed-off-by: Werner Koch <wk@gnupg.org> (cherry picked from commit e6901c2bc802996c24335bcb35012ccb74b4ced0)
-rw-r--r--build-aux/speedo.mk78
1 files changed, 71 insertions, 7 deletions
diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk
index 569940099..92340a370 100644
--- a/build-aux/speedo.mk
+++ b/build-aux/speedo.mk
@@ -157,9 +157,41 @@ INST_NAME=gnupg-w32
# Use this to override the installaion directory for native builds.
INSTALL_PREFIX=none
-# The Authenticode key and cert chain used to sign the Windows installer
+# The Authenticode key and cert chain used to sign the Windows
+# installer If AUTHENTICODE_SIGNHOST is specified, signing is done on
+# that host using the Windows signtool. The signhost is usually an
+# entry in .ssh/config. Depending on the used token it might be
+# necessary to allow single signon and unlock the token before running
+# this makefile. All files given in AUTHENTICODE_FILES are signed
+# before they are put into the installer.
+AUTHENTICODE_SIGNHOST=authenticode-signhost
+AUTHENTICODE_TOOL='"C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"'
AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
AUTHENTICODE_CERTS=${HOME}/.gnupg/g10code-authenticode-certs.pem
+AUTHENTICODE_FILES= \
+ dirmngr.exe \
+ dirmngr_ldap.exe \
+ gpg-agent.exe \
+ gpg-connect-agent.exe \
+ gpg-preset-passphrase.exe \
+ gpg-wks-client.exe \
+ gpg.exe \
+ gpgconf.exe \
+ gpgme-w32spawn.exe \
+ gpgsm.exe \
+ gpgtar.exe \
+ gpgv.exe \
+ libassuan-0.dll \
+ libgcrypt-20.dll \
+ libgpg-error-0.dll \
+ libgpgme-11.dll \
+ libksba-8.dll \
+ libnpth-0.dll \
+ libsqlite3-0.dll \
+ pinentry-w32.exe \
+ scdaemon.exe \
+ zlib1.dll
+
# Directory names.
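Review bot: The new comment block says signing goes through the signhost "If AUTHENTICODE_SIGNHOST is specified", but the variable is assigned the non-empty default `authenticode-signhost` directly below it, so the ssh/signtool path is taken unless a caller explicitly empties the variable and the local osslsigncode branch of AUTHENTICODE_sign is never reached by default. Either make the default empty (`AUTHENTICODE_SIGNHOST=`) so the comment holds, or document the opt-out right there: `# Set AUTHENTICODE_SIGNHOST to the empty string to sign locally with osslsigncode instead.` The comment also lost its sentence break: `# installer If AUTHENTICODE_SIGNHOST is specified, signing is done on` should read `# installer. If AUTHENTICODE_SIGNHOST is specified, signing is done on`.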
@@ -1211,7 +1243,22 @@ ifeq ($(WITH_GUI),1)
extra_installer_options += -DWITH_GUI=1
endif
+# Note that we sign only when doing the final installer.
installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt
+ (set -e;\
+ cd "$(idir)"; \
+ if echo "$(idir)" | grep -q '/PLAY-release/' ; then \
+ for f in $(AUTHENTICODE_FILES); do \
+ if [ -f "bin/$$f" ]; then \
+ $(call AUTHENTICODE_sign,"bin/$$f","bin/$$f");\
+ elif [ -f "libexec/$$f" ]; then \
+ $(call AUTHENTICODE_sign,"libexec/$$f","libexec/$$f");\
+ else \
+ echo "speedo: WARNING: file '$$f' not available for signing";\
+ fi;\
+ done; \
+ fi \
+ )
(nsis3_args=$$(makensis -version | grep -q "^v3" && \
echo "-INPUTCHARSET CP1252"); \
$(MAKENSIS) -V2 $$nsis3_args \
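Review bot: A name in AUTHENTICODE_FILES that exists in neither bin/ nor libexec/ only hits the `else` branch, which prints the WARNING to stdout and lets the installer build continue, so after a rename or a typo in the list a release installer can be produced with one listed binary left unsigned. If the soft failure is deliberate because some listed components are optional (not visible from this hunk), the message should at least go to stderr, `echo "speedo: WARNING: file '$$f' not available for signing" >&2;`; otherwise append `exit 1;` after the echo so the `/PLAY-release/` branch cannot complete with a gap in the signed set. The installer recipe continues past the end of this hunk.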
@@ -1239,6 +1286,28 @@ define MKSWDB_commands
) | tee $(1).swdb
endef
+# Sign the file $1 and save the result as $2
+define AUTHENTICODE_sign
+ set -e;\
+ if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
+ echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
+ scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
+ ssh "$(AUTHENTICODE_SIGNHOST)" $(AUTHENTICODE_TOOL) sign \
+ /n '"g10 Code GmbH"' \
+ /tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
+ /fd sha256 /du https://gnupg.org a.exe ;\
+ scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
+ echo "speedo: signed file is '$(2)'" ;\
+ else \
+ echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
+ osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
+ -pkcs12 $(AUTHENTICODE_KEY) -askpass \
+ -ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
+ -h sha256 -n GnuPG -i https://gnupg.org \
+ -in $(1) -out $(2) ;\
+ fi
+endef
+
# Build the installer from the source tarball.
installer-from-source: dist-source
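Review bot: AUTHENTICODE_sign stages every input on the signhost under the fixed name `a.exe` in the login account's home directory, so two builds or a build and a sign-installer run that share the host overwrite each other's input between the scp and the signtool call, and the staged copy is left on the signhost after the signed file has been fetched back. Deriving the remote name from the caller's file and the build's pid, and deleting it after the copy back, removes both problems; note that inside a define expanded through $(call) a shell `$$` must be written `$$$$`. The trailing `del` assumes the signhost's ssh login shell is cmd.exe or PowerShell, which the quoted signtool path in AUTHENTICODE_TOOL already presupposes; whether that shell accepts the same quoting for the new name could not be checked from here.
```make
define AUTHENTICODE_sign
	set -e;\
	if [ -n "$(AUTHENTICODE_SIGNHOST)" ]; then \
	  remote="speedo-sign-$$$$-$$(basename $(1))" ;\
	  echo "speedo: Signing via host $(AUTHENTICODE_SIGNHOST)";\
	  scp $(1) "$(AUTHENTICODE_SIGNHOST):$$remote" ;\
	  ssh "$(AUTHENTICODE_SIGNHOST)" $(AUTHENTICODE_TOOL) sign \
	     /n '"g10 Code GmbH"' \
	     /tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
	     /fd sha256 /du https://gnupg.org "$$remote" ;\
	  scp "$(AUTHENTICODE_SIGNHOST):$$remote" $(2);\
	  ssh "$(AUTHENTICODE_SIGNHOST)" del "$$remote" ;\
	  echo "speedo: signed file is '$(2)'" ;\
	# … unchanged: local osslsigncode branch, fi, endef …
```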
@@ -1267,13 +1336,8 @@ sign-installer:
exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
echo "speedo: /*" ;\
echo "speedo: * Signing installer" ;\
- echo "speedo: * Key: $(AUTHENTICODE_KEY)";\
echo "speedo: */" ;\
- osslsigncode sign -certs $(AUTHENTICODE_CERTS)\
- -pkcs12 $(AUTHENTICODE_KEY) -askpass \
- -ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
- -h sha256 -n GnuPG -i https://gnupg.org \
- -in "PLAY/inst/$$exefile" -out "../../$$exefile" ;\
+ $(call AUTHENTICODE_sign,"PLAY/inst/$$exefile","../../$$exefile");\
exefile="../../$$exefile" ;\
$(call MKSWDB_commands,$${exefile},$${reldate}); \
echo "speedo: /*" ;\