gitian: add a gitian-win-signer descriptor #6303
This is exactly like the current OSX signing process. osslsigncode has been patched to detach and re-attach Windows signatures. The changes can be seen here: https://github.com/theuni/osslsigncode/commits/attach-signature There's a pull-request open upstream for the changes: https://sourceforge.net/p/osslsigncode/osslsigncode/merge-requests/3/ This work has been back-ported to the stable 1.7.1 release of osslsigncode, so that a smaller patch can be reviewed.
ping @jonasschnelli. Looks like the new setban/listbanned stuff introduced a race somewhere.
@jonasschnelli CNode::ClearBanned() doesn't lock, that looks like a good candidate for the issue here.
@theuni: oh. Thanks for the finding! Will have a look at it.
Nice, utACK, will respin travis after #6307 merged
I probably should've mentioned, this one's much easier to actually test/use than OSX, because it doesn't require crazy toolchain tricks to build. You can easily play with it by building from the attach-signature branch of https://github.com/theuni/osslsigncode/. It's just a typical ./configure && make. Then you can take a release .exe and strip off its sig: re-attach to the unsigned .exe from gitian: then verify that re-signed.exe == bitcoin-0.11.0rc2-win32-setup.exe
Works for me:
Also works for me:
d08cfc2 gitian: add a gitian-win-signer descriptor (Cory Fields)
This is exactly like the current OSX signing process.
osslsigncode has been patched to detach and re-attach Windows signatures. The changes can be seen here: https://github.com/theuni/osslsigncode/commits/attach-signature
There's a pull-request open upstream for the changes: https://sourceforge.net/p/osslsigncode/osslsigncode/merge-requests/3/
This work has been back-ported to the stable 1.7.1 release of osslsigncode, so that a smaller patch can be reviewed.
Github-Pull: #6303
Rebased-From: d08cfc2
Cherry-picked to 0.11 as b711599
Unless I'm misreading, you end up with the version not part of the setup filenames, don't you?
erm, kinda. It spits out files with version in the name, but you move it back into inputs without the version (same as osx). It's done that way so that we don't have to constantly update the gitian descriptor.
Well, yeah, I got that, but the expected output after following this process is that the file is present in inputs, without the version. Now that I look at it, the same discrepancy is present for OS X.
This makes Windows signing match the current OSX signing process.
osslsigncode has been patched to detach and re-attach Windows signatures. The changes can be seen here: https://github.com/theuni/osslsigncode/commits/attach-signature
There's a pull-request open upstream for the changes:
https://sourceforge.net/p/osslsigncode/osslsigncode/merge-requests/3/
This work has been back-ported to the stable 1.7.1 release of osslsigncode, so that a smaller patch can be reviewed. Hopefully we'll get the changes merged upstream for the next release so that we can drop the patches here.
For reference, I've pushed the detached sigs that would've been used for 0.11.0rc2 here: bitcoin-core/bitcoin-detached-sigs@329d2e8
For a test, I created a phony tag in my local bitcoin-detached-sigs repository and re-attached the 0.11.0rc2 .exe's from the detached sigs here: bitcoin-core/bitcoin-detached-sigs@329d2e8. No surprise, they matched our release binaries.
If desired, this should be safe to use for 0.11.0-rc3.
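The thread's check is that a re-attached installer matches the release binary. As an added example (not code from this pull request, osslsigncode or Bitcoin Core), the sketch below shows a complementary check a gitian builder can run: that a signed .exe and the unsigned build differ only in the regions signing rewrites (the PE checksum, the certificate-table directory entry and the appended certificate table). The function names and the sample images are constructed for illustration, and the code assumes the certificate table sits at the end of the file.

```python
import hashlib
import struct

def pe_fields(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) for a PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                                  # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:
        raise ValueError("no certificate table directory entry")
    secdir = dirs + 4 * 8                          # data directory 4: certificate table
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)
    return opt + 64, secdir, cert_off, cert_size

def content_digest(pe: bytes) -> str:
    """SHA-256 of the image minus the three regions signing rewrites."""
    csum, secdir, cert_off, cert_size = pe_fields(pe)
    end = cert_off if cert_size else len(pe)
    if cert_size and cert_off + cert_size != len(pe):
        raise ValueError("certificate table is not at end of file")
    pad = b"\0" * (-end % 8)                       # table is appended on an 8-byte boundary
    parts = (pe[:csum], pe[csum + 4:secdir], pe[secdir + 8:end], pad)
    return hashlib.sha256(b"".join(parts)).hexdigest()

def same_build(unsigned: bytes, signed: bytes) -> bool:
    return content_digest(unsigned) == content_digest(signed)

def sample_pe(cert: bytes = b"") -> bytes:
    """Constructed PE32 header plus 40 payload bytes; not a runnable binary."""
    img = bytearray(64 + 24 + 224 + 40)
    img[:2], img[64:68] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 64)          # e_lfanew
    struct.pack_into("<H", img, 88, 0x10B)         # PE32 magic
    struct.pack_into("<I", img, 180, 16)           # NumberOfRvaAndSizes
    img[312:] = b"installer payload".ljust(40, b".")
    if cert:
        struct.pack_into("<I", img, 152, 0xABCD)   # checksum differs once signed
        struct.pack_into("<II", img, 216, len(img), len(cert))
        img += cert
    return bytes(img)

UNSIGNED = sample_pe()
SIGNED = sample_pe(b"\x30\x82" + b"\0" * 14)       # constructed stand-in signature blob
```

This only shows that the signature is the sole difference between the two files; whether the signature itself is valid still has to be checked with a signature verification tool.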