diff options
author | Werner Koch <wk@gnupg.org> | 2024-04-25 10:59:14 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2024-04-25 11:00:18 +0200 |
commit | d3b41e76119c0ecad6671ceaa6d06dbd0d710f8d (patch) | |
tree | 47b8b45330cfc5ab75110ca4394b4bc2575b52b3 | |
parent | agent:kem: Fix memory leaks. (diff) | |
download | gnupg2-d3b41e76119c0ecad6671ceaa6d06dbd0d710f8d.tar.xz gnupg2-d3b41e76119c0ecad6671ceaa6d06dbd0d710f8d.zip |
Install the new gpg-authcode-sign.sh script.
* tools/gpg-authcode-sign.sh: New.
* tools/Makefile.am (bin_SCRIPTS): Add that tool.
--
This script makes use of gpg anyway and thus it is best to have it
also installed with the gpg version used to cross-build our software.
The script was orginally developed for gpg4win.
-rw-r--r-- | tools/Makefile.am | 1 | ||||
-rw-r--r-- | tools/gpg-authcode-sign.sh | 257 |
2 files changed, 258 insertions, 0 deletions
diff --git a/tools/Makefile.am b/tools/Makefile.am index 769a81a00..822c42a4f 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am @@ -54,6 +54,7 @@ endif AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS) sbin_SCRIPTS = addgnupghome applygnupgdefaults +bin_SCRIPTS = gpg-authcode-sign.sh if BUILD_WKS_TOOLS gpg_wks_server = gpg-wks-server diff --git a/tools/gpg-authcode-sign.sh b/tools/gpg-authcode-sign.sh new file mode 100644 index 000000000..0f6a34824 --- /dev/null +++ b/tools/gpg-authcode-sign.sh @@ -0,0 +1,257 @@ +#!/bin/sh +# gpg-authcode-sign.sh - Wrapper for osslsigncode +# Copyright (C) 2024 g10 Code GmbH +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +VERSION=2024-03-25 +PGM=gpg-authcode-sign.sh + +set -e + +usage() +{ + cat <<EOF +Usage: $PGM [OPTIONS] FILE_TO_SIGN SIGNED_FILE +Options: + [--desc=STRING] Include STRING as description (default=$url) + [--url=STRING] Include STRING as URL (default=$desc) + [--stamp] Use a stamp file to avoid double signing + [--dry-run] Do not actually run osslsigncode + [--template] Print a template for ~/.gnupg-autogenrc + [--version] Print version and exit +EOF + exit $1 +} + + +# The information required to sign the tarballs and binaries +# are expected in the developer specific file ~/.gnupg-autogen.rc". +# Here is an example: +print_autogenrc_template() +{ +cat <<EOF +# Location of the released tarball archives. Note that this is an +# internal archive and before uploading this to the public server, +# manual tests should be run and the git release tagged and pushed. +# This is greped by the Makefile. +RELEASE_ARCHIVE=foo@somehost:tarball-archive + +# The key used to sign the GnuPG sources. +# This is greped by the Makefile. +RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA + +# The key used to sign the VERSION files of some MSI installers. +VERSION_SIGNKEY=02F38DFF731FF97CB039A1DA549E695E905BA208 + +# For signing Windows binaries we need to employ a Windows machine. +# We connect to this machine via ssh and take the connection +# parameters via .ssh/config. For example a VM could be specified +# like this: +# +# Host authenticode-signhost +# HostName localhost +# Port 27042 +# User gpgsign +# +# Depending on the used token it might be necessary to allow single +# signon and unlock the token before running the make. The following +# variable references this entry. This is greped by the Makefile. +# To enable this use authenticode-signhost as value. +AUTHENTICODE_SIGNHOST= + +# The name of the signtool as used on Windows. +# This is greped by the Makefile. +AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" + +# The URL for the timestamping service +AUTHENTICODE_TSURL=http://rfc3161timestamp.globalsign.com/advanced + +# To use osslsigncode the follwing entries are required and +# an empty string must be given for AUTHENTICODE_SIGNHOST. +# They are greped by the Makefile. For example: +#AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12 +#AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem + +# If a smartcard is used for the Authenticode signature these +# entries are required instead (remove comment). +#AUTHENTICODE_KEY=card +AUTHENTICODE_CERTS=/home/foo/.gnupg/my_authenticode_cert.pem +OSSLSIGNCODE=/usr/bin/osslsigncode +OSSLPKCS11ENGINE=/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so +SCUTEMODULE=/usr/local/lib/scute.so + +# Signing can also be disabled: +AUTHENTICODE_KEY=none + +# +EOF +} + + +autogenrc="$HOME/.gnupg-autogen.rc" +dryrun= +stamp= +buildtype= +# Set defaults accrding to our build system. +if [ -n "$abs_top_srcdir" -a -f "$abs_top_srcdir/packages/BUILDTYPE" ]; then + buildtype=$(cat "$abs_top_srcdir/packages/BUILDTYPE") +elif [ -f "../packages/BUILDTYPE" ]; then + buildtype=$(cat "../packages/BUILDTYPE") +elif [ -f "packages/BUILDTYPE" ]; then + buildtype=$(cat "packages/BUILDTYPE") +fi +case "$buildtype" in + vsd) + desc="GnuPG VS-Desktop" + url="https://gnupg.com" + ;; + gpd) + desc="GnuPG Desktop" + url="https://gnupg.com" + ;; + default|gpg4win) + desc="Gpg4win" + url="https://gpg4win.org" + ;; + *) + desc="GnuPG" + url="https://gnupg.org" + ;; +esac + +while [ $# -gt 0 ]; do + case "$1" in + --*=*) + optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` + ;; + *) + optarg="" + ;; + esac + + case $1 in + --desc=*) + desc="$optarg" + ;; + --url=*) + url="$optarg" + ;; + --dry-run|-n) + dryrun=yes + ;; + --stamp) + stamp=yes + ;; + --help|-h) + usage 0 + ;; + --version) + echo $VERSION + exit 0 + ;; + --template) + print_autogenrc_template + exit 0 + ;; + --*) + usage 1 1>&2 + ;; + *) + break + ;; + esac + shift +done + +if [ $# -ne 2 ]; then + usage 1 1>&2 +fi +inname="$1" +outname="$2" +shift + +if [ ! -f $autogenrc ]; then + echo >&2 "$PGM: error: '$autogenrc' missing" + echo >&2 "$PGM: hint: use option --template" + exit 1 +fi + + +for v in AUTHENTICODE_SIGNHOST AUTHENTICODE_TOOL AUTHENTICODE_TSURL \ + AUTHENTICODE_KEY AUTHENTICODE_CERTS VERSION_SIGNKEY \ + OSSLSIGNCODE OSSLPKCS11ENGINE SCUTEMODULE ; do + eval $v=$(grep '^[[:blank:]]*'$v'[[:blank:]]*=' "$autogenrc"|cut -d= -f2\ + |sed -e 's,\\,\\\\,g'| sed -e 's,^",'\', -e 's,"$,'\',) +done + + +if [ "$stamp" = yes ]; then + if [ "$outname.asig-done" -nt "$outname" ]; then + echo >&2 "$PGM: file is '$outname' is already signed" + exit 0 + fi +fi + +if [ -n "$dryrun" ]; then + + echo >&2 "$PGM: would sign: '$inname' to '$outname'" + +elif [ -n "$AUTHENTICODE_SIGNHOST" ]; then + + echo >&2 "$PGM: Signing via host $AUTHENTICODE_SIGNHOST" + + scp "$inname" "$AUTHENTICODE_SIGNHOST:a.exe" + # Invoke command on Windows via ssh + ssh "$AUTHENTICODE_SIGNHOST" \""$AUTHENTICODE_TOOL"\" sign \ + /v /sm \ + /a /n '"g10 Code GmbH"' \ + /tr \""$AUTHENTICODE_TSURL"\" /td sha256 \ + /d \""$desc"\" \ + /fd sha256 /du https://gnupg.com a.exe + scp "$AUTHENTICODE_SIGNHOST:a.exe" "$outname" + +elif [ "$AUTHENTICODE_KEY" = card ]; then + + echo >&2 "$PGM: Signing using a card: '$inname'" + + "$OSSLSIGNCODE" sign \ + -pkcs11engine "$OSSLPKCS11ENGINE" \ + -pkcs11module "$SCUTEMODULE" \ + -certs "$AUTHENTICODE_CERTS" \ + -h sha256 -n "$desc" -i "$url" \ + -ts "$AUTHENTICODE_TSURL" \ + -in "$inname" -out "$outname.tmp" + cp "$outname.tmp" "$outname" + rm "$outname.tmp" + +elif [ "$AUTHENTICODE_KEY" = none ]; then + + echo >&2 "$PGM: Signing disabled; would sign: '$inname'" + [ "$inname" != "$outname" ] && cp "$inname" "$outname" + +else + + echo >&2 "$PGM: Signing using key $AUTHENTICODE_KEY" + osslsigncode sign -certs "$AUTHENTICODE_CERTS" \ + -pkcs12 "$AUTHENTICODE_KEY" -askpass \ + -ts "$AUTHENTICODE_TSURL" \ + -h sha256 -n "$desc" -i "$url" \ + -in "$inname" -out "$outname.tmp" + cp "$outname.tmp" "$outname" + rm "$outname.tmp" + +fi + +if [ -z "$dryrun" ]; then + [ "$stamp" = yes ] && touch "$outname.asig-done" + echo >&2 "$PGM: signed file is '$outname'" +fi + +# eof |