authorWerner Koch <wk@gnupg.org>2024-04-25 10:59:14 +0200
committerWerner Koch <wk@gnupg.org>2024-04-25 11:00:18 +0200
commitd3b41e76119c0ecad6671ceaa6d06dbd0d710f8d (patch)
tree47b8b45330cfc5ab75110ca4394b4bc2575b52b3
parentagent:kem: Fix memory leaks. (diff)
Install the new gpg-authcode-sign.sh script.
* tools/gpg-authcode-sign.sh: New. * tools/Makefile.am (bin_SCRIPTS): Add that tool. -- This script makes use of gpg anyway and thus it is best to have it also installed with the gpg version used to cross-build our software. The script was originally developed for gpg4win.
-rw-r--r--tools/Makefile.am1
-rw-r--r--tools/gpg-authcode-sign.sh257
2 files changed, 258 insertions, 0 deletions
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 769a81a00..822c42a4f 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -54,6 +54,7 @@ endif
AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS)
sbin_SCRIPTS = addgnupghome applygnupgdefaults
+bin_SCRIPTS = gpg-authcode-sign.sh
if BUILD_WKS_TOOLS
gpg_wks_server = gpg-wks-server
diff --git a/tools/gpg-authcode-sign.sh b/tools/gpg-authcode-sign.sh
new file mode 100644
index 000000000..0f6a34824
--- /dev/null
+++ b/tools/gpg-authcode-sign.sh
@@ -0,0 +1,257 @@
+#!/bin/sh
+# gpg-authcode-sign.sh - Wrapper for osslsigncode
+# Copyright (C) 2024 g10 Code GmbH
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+VERSION=2024-03-25
+PGM=gpg-authcode-sign.sh
+
+set -e
+
+usage()
+{
+ cat <<EOF
+Usage: $PGM [OPTIONS] FILE_TO_SIGN SIGNED_FILE
+Options:
+ [--desc=STRING] Include STRING as description (default=$url)
+ [--url=STRING] Include STRING as URL (default=$desc)
+ [--stamp] Use a stamp file to avoid double signing
+ [--dry-run] Do not actually run osslsigncode
+ [--template] Print a template for ~/.gnupg-autogenrc
+ [--version] Print version and exit
+EOF
+ exit $1
+}
+
+
+# The information required to sign the tarballs and binaries
+# are expected in the developer specific file ~/.gnupg-autogen.rc".
+# Here is an example:
+print_autogenrc_template()
+{
+cat <<EOF
+# Location of the released tarball archives. Note that this is an
+# internal archive and before uploading this to the public server,
+# manual tests should be run and the git release tagged and pushed.
+# This is greped by the Makefile.
+RELEASE_ARCHIVE=foo@somehost:tarball-archive
+
+# The key used to sign the GnuPG sources.
+# This is greped by the Makefile.
+RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
+
+# The key used to sign the VERSION files of some MSI installers.
+VERSION_SIGNKEY=02F38DFF731FF97CB039A1DA549E695E905BA208
+
+# For signing Windows binaries we need to employ a Windows machine.
+# We connect to this machine via ssh and take the connection
+# parameters via .ssh/config. For example a VM could be specified
+# like this:
+#
+# Host authenticode-signhost
+# HostName localhost
+# Port 27042
+# User gpgsign
+#
+# Depending on the used token it might be necessary to allow single
+# signon and unlock the token before running the make. The following
+# variable references this entry. This is greped by the Makefile.
+# To enable this use authenticode-signhost as value.
+AUTHENTICODE_SIGNHOST=
+
+# The name of the signtool as used on Windows.
+# This is greped by the Makefile.
+AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
+
+# The URL for the timestamping service
+AUTHENTICODE_TSURL=http://rfc3161timestamp.globalsign.com/advanced
+
+# To use osslsigncode the follwing entries are required and
+# an empty string must be given for AUTHENTICODE_SIGNHOST.
+# They are greped by the Makefile. For example:
+#AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12
+#AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem
+
+# If a smartcard is used for the Authenticode signature these
+# entries are required instead (remove comment).
+#AUTHENTICODE_KEY=card
+AUTHENTICODE_CERTS=/home/foo/.gnupg/my_authenticode_cert.pem
+OSSLSIGNCODE=/usr/bin/osslsigncode
+OSSLPKCS11ENGINE=/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
+SCUTEMODULE=/usr/local/lib/scute.so
+
+# Signing can also be disabled:
+AUTHENTICODE_KEY=none
+
+#
+EOF
+}
+
+
+autogenrc="$HOME/.gnupg-autogen.rc"
+dryrun=
+stamp=
+buildtype=
+# Set defaults accrding to our build system.
+if [ -n "$abs_top_srcdir" -a -f "$abs_top_srcdir/packages/BUILDTYPE" ]; then
+ buildtype=$(cat "$abs_top_srcdir/packages/BUILDTYPE")
+elif [ -f "../packages/BUILDTYPE" ]; then
+ buildtype=$(cat "../packages/BUILDTYPE")
+elif [ -f "packages/BUILDTYPE" ]; then
+ buildtype=$(cat "packages/BUILDTYPE")
+fi
+case "$buildtype" in
+ vsd)
+ desc="GnuPG VS-Desktop"
+ url="https://gnupg.com"
+ ;;
+ gpd)
+ desc="GnuPG Desktop"
+ url="https://gnupg.com"
+ ;;
+ default|gpg4win)
+ desc="Gpg4win"
+ url="https://gpg4win.org"
+ ;;
+ *)
+ desc="GnuPG"
+ url="https://gnupg.org"
+ ;;
+esac
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --*=*)
+ optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'`
+ ;;
+ *)
+ optarg=""
+ ;;
+ esac
+
+ case $1 in
+ --desc=*)
+ desc="$optarg"
+ ;;
+ --url=*)
+ url="$optarg"
+ ;;
+ --dry-run|-n)
+ dryrun=yes
+ ;;
+ --stamp)
+ stamp=yes
+ ;;
+ --help|-h)
+ usage 0
+ ;;
+ --version)
+ echo $VERSION
+ exit 0
+ ;;
+ --template)
+ print_autogenrc_template
+ exit 0
+ ;;
+ --*)
+ usage 1 1>&2
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+done
+
+if [ $# -ne 2 ]; then
+ usage 1 1>&2
+fi
+inname="$1"
+outname="$2"
+shift
+
+if [ ! -f $autogenrc ]; then
+ echo >&2 "$PGM: error: '$autogenrc' missing"
+ echo >&2 "$PGM: hint: use option --template"
+ exit 1
+fi
+
+
+for v in AUTHENTICODE_SIGNHOST AUTHENTICODE_TOOL AUTHENTICODE_TSURL \
+ AUTHENTICODE_KEY AUTHENTICODE_CERTS VERSION_SIGNKEY \
+ OSSLSIGNCODE OSSLPKCS11ENGINE SCUTEMODULE ; do
+ eval $v=$(grep '^[[:blank:]]*'$v'[[:blank:]]*=' "$autogenrc"|cut -d= -f2\
+ |sed -e 's,\\,\\\\,g'| sed -e 's,^",'\', -e 's,"$,'\',)
+done
+
+
+if [ "$stamp" = yes ]; then
+ if [ "$outname.asig-done" -nt "$outname" ]; then
+ echo >&2 "$PGM: file is '$outname' is already signed"
+ exit 0
+ fi
+fi
+
+if [ -n "$dryrun" ]; then
+
+ echo >&2 "$PGM: would sign: '$inname' to '$outname'"
+
+elif [ -n "$AUTHENTICODE_SIGNHOST" ]; then
+
+ echo >&2 "$PGM: Signing via host $AUTHENTICODE_SIGNHOST"
+
+ scp "$inname" "$AUTHENTICODE_SIGNHOST:a.exe"
+ # Invoke command on Windows via ssh
+ ssh "$AUTHENTICODE_SIGNHOST" \""$AUTHENTICODE_TOOL"\" sign \
+ /v /sm \
+ /a /n '"g10 Code GmbH"' \
+ /tr \""$AUTHENTICODE_TSURL"\" /td sha256 \
+ /d \""$desc"\" \
+ /fd sha256 /du https://gnupg.com a.exe
+ scp "$AUTHENTICODE_SIGNHOST:a.exe" "$outname"
+
+elif [ "$AUTHENTICODE_KEY" = card ]; then
+
+ echo >&2 "$PGM: Signing using a card: '$inname'"
+
+ "$OSSLSIGNCODE" sign \
+ -pkcs11engine "$OSSLPKCS11ENGINE" \
+ -pkcs11module "$SCUTEMODULE" \
+ -certs "$AUTHENTICODE_CERTS" \
+ -h sha256 -n "$desc" -i "$url" \
+ -ts "$AUTHENTICODE_TSURL" \
+ -in "$inname" -out "$outname.tmp"
+ cp "$outname.tmp" "$outname"
+ rm "$outname.tmp"
+
+elif [ "$AUTHENTICODE_KEY" = none ]; then
+
+ echo >&2 "$PGM: Signing disabled; would sign: '$inname'"
+ [ "$inname" != "$outname" ] && cp "$inname" "$outname"
+
+else
+
+ echo >&2 "$PGM: Signing using key $AUTHENTICODE_KEY"
+ osslsigncode sign -certs "$AUTHENTICODE_CERTS" \
+ -pkcs12 "$AUTHENTICODE_KEY" -askpass \
+ -ts "$AUTHENTICODE_TSURL" \
+ -h sha256 -n "$desc" -i "$url" \
+ -in "$inname" -out "$outname.tmp"
+ cp "$outname.tmp" "$outname"
+ rm "$outname.tmp"
+
+fi
+
+if [ -z "$dryrun" ]; then
+ [ "$stamp" = yes ] && touch "$outname.asig-done"
+ echo >&2 "$PGM: signed file is '$outname'"
+fi
+
+# eof
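Review bot: The rc parsing in the `eval $v=$(grep ... | cut -d= -f2 ...)` loop drops everything after a second `=` in a value, so a timestamp URL or path containing `=` is silently truncated; `cut -d= -f2-` keeps the rest of the line. The same line hands the extracted value to `eval` unquoted, so a value containing a single quote or an unquoted space turns into a shell syntax error or stray assignments instead of a clean failure; because `~/.gnupg-autogen.rc` is owner-controlled this is robustness rather than trust, but a comment such as `# Values are eval'd: wrap them in "..." in the rc file and avoid single quotes` would save the next reader a surprise. Two smaller inconsistencies in the new code: the usage text swaps the defaults (`--desc` shows `$url` and `--url` shows `$desc`), and the ssh/signtool branch hardcodes `/du https://gnupg.com` while both osslsigncode branches pass `-i "$url"`, so `--url` is ignored when signing via a host. The rc existence check should also quote the path, `if [ ! -f "$autogenrc" ]; then`, to survive a `$HOME` containing spaces.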