dash/contrib/windeploy/detached-sig-create.sh

#!/bin/sh
# Copyright (c) 2014-2015 The Bitcoin Core developers
# Distributed under the MIT software license, see the accompanying
# file COPYING or http://www.opensource.org/licenses/mit-license.php.

export LC_ALL=C
if [ -z "$OSSLSIGNCODE" ]; then
  OSSLSIGNCODE=osslsigncode
fi

if [ -z "$1" ]; then
  echo "usage: $0 <osslcodesign args>"
  echo "example: $0 -key codesign.key"
  exit 1
fi

OUT=signature-win.tar.gz
SRCDIR=unsigned
WORKDIR=./.tmp
OUTDIR="${WORKDIR}/out"
OUTSUBDIR="${OUTDIR}/win"
TIMESERVER=http://timestamp.comodoca.com
CERTFILE="win-codesign.cert"

mkdir -p "${OUTSUBDIR}"
basename -a $(ls -1 "${SRCDIR}"/*-unsigned.exe) | while read UNSIGNED; do
  echo Signing "${UNSIGNED}"
  "${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -h sha256 -in "${SRCDIR}/${UNSIGNED}" -out "${WORKDIR}/${UNSIGNED}" "$@"
  "${OSSLSIGNCODE}" extract-signature -pem -in "${WORKDIR}/${UNSIGNED}" -out "${OUTSUBDIR}/${UNSIGNED}.pem" && rm "${WORKDIR}/${UNSIGNED}"
done

rm -f "${OUT}"
tar -C "${OUTDIR}" -czf "${OUT}" .
rm -rf "${WORKDIR}"
echo "Created ${OUT}"
Merge #9514: release: Windows signing script 09fe2d9 release: update docs to show basic codesigning procedure (Cory Fields) f642753 release: create a bundle for the new signing script (Cory Fields) 0068361 release: add win detached sig creator and our cert chain (Cory Fields) Tree-SHA512: 032ad84697c70faaf857b9187f548282722cffca95d658e36413dc048ff02d9183253373254ffcc1158afb71140753f35abfc9fc8781ea5329c04d13c98759c0 2017-03-13 07:37:02 +01:00			`#!/bin/sh`
			`# Copyright (c) 2014-2015 The Bitcoin Core developers`
			`# Distributed under the MIT software license, see the accompanying`
			`# file COPYING or http://www.opensource.org/licenses/mit-license.php.`

Merge #13454: Make sure LC_ALL=C is set in all shell scripts 47776a958b08382d76d69b5df7beed807af168b3 Add linter: Make sure all shell scripts opt out of locale dependence using "export LC_ALL=C" (practicalswift) 3352da8da1243c03fc83ba678d2f5d193bd5a0c2 Add "export LC_ALL=C" to all shell scripts (practicalswift) Pull request description: ~~Make sure `LC_ALL=C` is set when using `grep` range expressions.~~ Make sure `LC_ALL=C` is set in all shell scripts. From the `grep(1)` documentation: > Within a bracket expression, a range expression consists of two characters separated by a hyphen. It matches any single character that sorts between the two characters, inclusive, using the locale's collating sequence and character set. For example, in the default C locale, `[a-d]` is equivalent to `[abcd]`. Many locales sort characters in dictionary order, and in these locales `[a-d]` is typically not equivalent to `[abcd]`; it might be equivalent to `[aBbCcDd]`, for example. To obtain the traditional interpretation of bracket expressions, you can use the C locale by setting the `LC_ALL` environment variable to the value C. Context: [Locale issue found when reviewing #13450](https://github.com/bitcoin/bitcoin/pull/13450/files#r194877736) Tree-SHA512: fd74d2612998f9b49ef9be24410e505d8c842716f84d085157fc7f9799d40e8a7b4969de783afcf99b7fae4f91bbb4559651f7dd6578a6a081a50bdea29f0909 2018-06-18 13:12:07 +02:00			`export LC_ALL=C`
Merge #9514: release: Windows signing script 09fe2d9 release: update docs to show basic codesigning procedure (Cory Fields) f642753 release: create a bundle for the new signing script (Cory Fields) 0068361 release: add win detached sig creator and our cert chain (Cory Fields) Tree-SHA512: 032ad84697c70faaf857b9187f548282722cffca95d658e36413dc048ff02d9183253373254ffcc1158afb71140753f35abfc9fc8781ea5329c04d13c98759c0 2017-03-13 07:37:02 +01:00			`if [ -z "$OSSLSIGNCODE" ]; then`
			`OSSLSIGNCODE=osslsigncode`
			`fi`

Make shellcheck happy 2020-07-29 15:42:12 +02:00			`if [ -z "$1" ]; then`
Merge #9514: release: Windows signing script 09fe2d9 release: update docs to show basic codesigning procedure (Cory Fields) f642753 release: create a bundle for the new signing script (Cory Fields) 0068361 release: add win detached sig creator and our cert chain (Cory Fields) Tree-SHA512: 032ad84697c70faaf857b9187f548282722cffca95d658e36413dc048ff02d9183253373254ffcc1158afb71140753f35abfc9fc8781ea5329c04d13c98759c0 2017-03-13 07:37:02 +01:00			`echo "usage: $0 <osslcodesign args>"`
			`echo "example: $0 -key codesign.key"`
			`exit 1`
			`fi`

			`OUT=signature-win.tar.gz`
			`SRCDIR=unsigned`
			`WORKDIR=./.tmp`
			`OUTDIR="${WORKDIR}/out"`
			`OUTSUBDIR="${OUTDIR}/win"`
			`TIMESERVER=http://timestamp.comodoca.com`
			`CERTFILE="win-codesign.cert"`

			`mkdir -p "${OUTSUBDIR}"`
partial merge #16327: scripts and tools: Update ShellCheck linter 1ac454a3844b9b8389de0f660fa9455c0efa7140 Enable ShellCheck rules (Hennadii Stepanov) Pull request description: Enable some simple ShellCheck rules. Note for reviewers: `bash` and `shellcheck` on macOS are different from ones on Ubuntu. For local tests the latest `shellcheck` version 0.6.0 should be used (see #15166). ACKs for top commit: practicalswift: utACK 1ac454a3844b9b8389de0f660fa9455c0efa7140 dongcarl: utACK 1ac454a fanquake: ACK 1ac454a3844b9b8389de0f660fa9455c0efa7140 Tree-SHA512: 8d0a3a5c09fe1a0c22120178f5e6b80f81f746f8c3356b7701ff301c117acb2edea8fe08f08fb54ed73f94b1617515fb239fa28e7ab4121f74872e6494b6f20e 2019-07-05 03:00:44 +02:00			`basename -a $(ls -1 "${SRCDIR}"/*-unsigned.exe) \| while read UNSIGNED; do`
Merge #9514: release: Windows signing script 09fe2d9 release: update docs to show basic codesigning procedure (Cory Fields) f642753 release: create a bundle for the new signing script (Cory Fields) 0068361 release: add win detached sig creator and our cert chain (Cory Fields) Tree-SHA512: 032ad84697c70faaf857b9187f548282722cffca95d658e36413dc048ff02d9183253373254ffcc1158afb71140753f35abfc9fc8781ea5329c04d13c98759c0 2017-03-13 07:37:02 +01:00			`echo Signing "${UNSIGNED}"`
Merge bitcoin/bitcoin#21239: guix: Add codesignature attachment support for osx+win ee883201cf134952284632e9e9ae72bf1c8c792f guix: repro: Sort find output in libtool for gcc-8 (Carl Dong) ee0a67c32a8861eab650bf8894af06807578eba0 codesigning: Use SHA256 as digest for osslsigncode (Windows) (Carl Dong) 38eb91eb0616ed6dbe34c23e11588d130fef07f8 guix: Add codesigning functionality (Carl Dong) bac2690e6f683fcedb883fe1d32f3c33c628a141 guix: Package codesigning tools (Carl Dong) 0a2176d47767972e4cd5ed302c1dbeedece1708b guix: Reindent existing manifest.scm (Carl Dong) c090a3e9238ba2df07875b4708e908d8dca4ed9b Makefile.am: use APP_DIST_DIR instead of hard-coding dist (Carl Dong) Pull request description: This is the last PR before we reach feature-parity with the Gitian process! Note: I tried using the `Makefile` inside the distsrc to make the dmg instead of manually listing out the commands, but `make` seems to want to re-make a lot of other files which broke the dmg. The workflow looks something like this: 1. `env [ FOO=bar... ] ./contrib/guix/guix-build` (add additional env vars as necessary) 2. Codesigners only: 1. Copy `guix-build-<short-id>/output/x86_64-apple-darwin18/bitcoin-<short-id>-osx-unsigned.tar.gz` and `guix-build-<short-id>/output/x86_64-w64-mingw32/bitcoin-<short-id>-win-unsigned.tar.gz` to signing computer 2. Codesign with `./detached-sig-create.sh` inside the tarball 3. Upload contents of `signature-{osx,win}.tar.gz` to https://github.com/bitcoin-core/bitcoin-detached-sigs (as a new tag) 3. Checkout new tag for `bitcoin-core/bitcoin-detached-sigs` with the detached signatures 4. `env [ FOO=bar... ] DETACHED_SIGS_REPO=<path/to/bitcoin-detached-sigs> ./contrib/guix/guix-codesign` (modify env vars as necessary) 5. Make sure `guix.sigs` is cloned and updated 6. `env GUIX_SIGS_REPO=<path/to/guix.sigs> SIGNER=0x96AB007F1A7ED999=dongcarl ./contrib/guix/guix-attest` (modify env vars as necessary) 7. Commit your new signatures and SHA256SUMS in `guix.sigs` 8. Optionally, after there are multiple signatures in `guix.sigs`: `env GUIX_SIGS_REPO=<path/to/guix.sigs> ./contrib/guix/guix-verify` ACKs for top commit: laanwj: Tested ACK ee883201cf134952284632e9e9ae72bf1c8c792f achow101: ACK ee883201cf134952284632e9e9ae72bf1c8c792f Tree-SHA512: e812a07a5f19f900600c70cb9c717769ef544a6c0c12760b5558b76b6b37df863257f3dbf38b0757e6e06e334470267e94c9f2bdbc27409d6837b1a0bfc6acbc 2021-05-24 15:31:05 +02:00			`"${OSSLSIGNCODE}" sign -certs "${CERTFILE}" -t "${TIMESERVER}" -h sha256 -in "${SRCDIR}/${UNSIGNED}" -out "${WORKDIR}/${UNSIGNED}" "$@"`
Merge #9514: release: Windows signing script 09fe2d9 release: update docs to show basic codesigning procedure (Cory Fields) f642753 release: create a bundle for the new signing script (Cory Fields) 0068361 release: add win detached sig creator and our cert chain (Cory Fields) Tree-SHA512: 032ad84697c70faaf857b9187f548282722cffca95d658e36413dc048ff02d9183253373254ffcc1158afb71140753f35abfc9fc8781ea5329c04d13c98759c0 2017-03-13 07:37:02 +01:00			`"${OSSLSIGNCODE}" extract-signature -pem -in "${WORKDIR}/${UNSIGNED}" -out "${OUTSUBDIR}/${UNSIGNED}.pem" && rm "${WORKDIR}/${UNSIGNED}"`
			`done`

			`rm -f "${OUT}"`
			`tar -C "${OUTDIR}" -czf "${OUT}" .`
			`rm -rf "${WORKDIR}"`
			`echo "Created ${OUT}"`