diff --git a/ITG.MakeUtils/signing/sign.mk b/ITG.MakeUtils/signing/sign.mk index 5f02a82..20096a4 100644 --- a/ITG.MakeUtils/signing/sign.mk +++ b/ITG.MakeUtils/signing/sign.mk @@ -6,7 +6,10 @@ include $(ITG_MAKEUTILS_DIR)/common.mk CODE_SIGNING_CERTIFICATE_PASSWORD ?= pfxpassword OPENSSL ?= openssl -CERTUTIL := certutil +SIGNTOOL ?= signtool +SIGNCODE ?= signcode +SIGNCODEPWD ?= signcodepwd +CHKTRUST ?= chktrust $(call exportCodeSigningCertificate,filePath,password) define exportCodeSigningCertificate @@ -103,7 +106,6 @@ encodeCertificatePfx = $(call encodeFile,,$1) # $(call decodeCertificatePfx, PfxFile) decodeCertificatePfx = $(call decodeFile,$1) -SIGNTOOL ?= signtool SIGNWITHSIGNTOOL ?= \ $(SIGNTOOL) \ sign \ 
@@ -131,40 +133,14 @@ SIGNWITHSIGNTOOL ?= \ # If your want a RFC3161 compliant SHA1 signaure, you can use the following server : # http://timestamp.geotrust.com/tsa -SIGNCODE ?= signcode -SIGNCODEPWD ?= signcode-pwd - SIGNWITHSIGNCODE = \ - set -e; \ - cp -f $1 $$TMP/$(notdir $1); \ - $(SIGNCODEPWD) -m $(CODE_SIGNING_CERTIFICATE_PASSWORD); \ - set +e; \ - for ((a=1; a <= 10; a++)); do \ - $(SIGNCODE) \ - -spc "$(call winPath,$(CODE_SIGNING_CERTIFICATE_SPC))" \ - -v "$(call winPath,$(CODE_SIGNING_CERTIFICATE_PVK))" \ - -j "mssipotf.dll" \ - "$(call winPath,$1)"; \ - EXIT_CODE=$$?; \ - if [[ $$EXIT_CODE -eq 0 ]]; then break; fi; \ - cp -f $$TMP/$(notdir $1) $1; \ - done; \ - set -e; \ - cp -f $1 $$TMP/$(notdir $1); \ - if [[ $$EXIT_CODE -eq 0 ]]; then \ - set +e; \ - for ((a=1; a <= 10; a++)); do \ - $(SIGNCODE) \ - -x \ - -t "http://timestamp.verisign.com/scripts/timstamp.dll" \ - "$(call winPath,$1)"; \ - EXIT_CODE=$$?; \ - if [[ $$EXIT_CODE -eq 0 ]]; then break; fi; \ - cp -f $$TMP/$(notdir $1) $1; \ - done; \ - fi; \ - $(SIGNCODEPWD) -t; \ - exit $$EXIT_CODE; + $(SIGNCODEPWD) \ + -spc "$(call winPath,$(CODE_SIGNING_CERTIFICATE_SPC))" \ + -v "$(call winPath,$(CODE_SIGNING_CERTIFICATE_PVK))" \ + -j "mssipotf.dll" \ + -t "http://timestamp.verisign.com/scripts/timstamp.dll" \ + -p $(CODE_SIGNING_CERTIFICATE_PASSWORD) \ + "$(call winPath,$1)" # $(call SIGN,fileForSigning) SIGN = \ @@ -177,6 +153,12 @@ SIGN = \ SIGNTARGET = $(call SIGN,$@) +# $(call SIGNFILES,files) +SIGNFILES = \ + set -e; \ + $(foreach file,$(1), \ + $(if $(strip $(call SIGN,$(file))),$(call SIGN,$(file));) \ + ) SIGNTESTWITHSIGNCODE = \ $(SIGNTOOL) \ @@ -187,8 +169,11 @@ SIGNTESTWITHSIGNCODE = \ /v \ $1 -CHKTRUST ?= chktrust -SIGNTESTWITHCHKTRUST = ( cd $(dir $1); $(CHKTRUST) -v -q $(notdir $1) ) +SIGNTESTWITHCHKTRUST = \ + ( \ + cd $(dir $1);\ + $(CHKTRUST) -v -q $(notdir $1);\ + ) # $(call SIGNTEST,signedFile) SIGNTEST = \ 
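Review bot: `-p $(CODE_SIGNING_CERTIFICATE_PASSWORD)` in the rewritten `SIGNWITHSIGNCODE` puts the certificate password, unquoted, on the signcodepwd command line, and Make echoes recipe lines, so wherever `SIGN`/`SIGNTARGET` expand into a recipe without a leading `@` the secret lands in the build log (and in the process list for the duration of the call). The `signcodepwd.cmd` added in this same commit falls back to `%CODE_SIGNING_CERTIFICATE_PASSWORD%` from its environment when `-p` is absent, so the flag can be dropped in favour of an `export CODE_SIGNING_CERTIFICATE_PASSWORD` next to the existing `?=` default; if it stays, quote it: `-p "$(CODE_SIGNING_CERTIFICATE_PASSWORD)" \`. The removed `set -e`/backup/retry loop now lives in the .cmd, so the Make side no longer decides how a failed signing is handled; a one-line comment above the definition, `# retries and backup/restore of $1 are handled by signcodepwd`, would save the next reader a trip.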
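Review bot: In the reformatted `SIGNTESTWITHCHKTRUST`, `cd $(dir $1);` is chained with `;`, so a failed `cd` still runs `$(CHKTRUST) -v -q $(notdir $1)` in the original directory, where the file is absent and the error message points at the wrong cause. `cd $(dir $1) && $(CHKTRUST) -v -q $(notdir $1)` inside the same subshell parentheses stops at the real failure; nothing else in the definition needs to move.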
@@ -206,6 +191,6 @@ SIGNTESTS = \ set -e; \ $(foreach file,$(1), \ $(if $(strip $(call SIGNTEST,$(file))),$(call SIGNTEST,$(file));) \ - ) \ + ) endif diff --git a/ITG.MakeUtils/tests.mk b/ITG.MakeUtils/tests.mk index 29bbd45..b515221 100644 --- a/ITG.MakeUtils/tests.mk +++ b/ITG.MakeUtils/tests.mk @@ -25,17 +25,19 @@ testPlatformWrapper = \ # $(call defineTest,id,targetId,script,dependencies) define defineTest -.PHONY: test.$(1)-$(2) -test.$(1)-$(2): $(4) +.PHONY: test.$(1)$(TEST_$(1)_INDEX)-$(2) +test.$(1)$(TEST_$(1)_INDEX)-$(2): $(4) @echo =============================================================================== @$(call testPlatformWrapper,$$@,$3) @echo =============================================================================== .PHONY: test-$(2) -test-$(2): | test.$(1)-$(2) +test-$(2): | test.$(1)$(TEST_$(1)_INDEX)-$(2) test: | test-$(2) +$(eval export TEST_$(1)_INDEX := $(shell echo $$(($(TEST_$(1)_INDEX)+1)))) + endef endif \ No newline at end of file diff --git a/appveyor.yml b/appveyor.yml index 34e59f1..587b46f 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -1,6 +1,14 @@ image: WMF 5 version: 1.0.0 (Build {build}) +branches: + except: + - /^modules\/.*$/ + +environment: + CODE_SIGNING_CERTIFICATE_PASSWORD: + secure: +Dn/WhvBx1rVgenyg7x+Bg== + install: - cmd: GitVersion /output buildserver - ps: .\install.ps1 -ErrorAction Stop -InformationAction Continue -Verbose 
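Review bot: The new `TEST_$(1)_INDEX` suffix is read unescaped in the four `test.$(1)$(TEST_$(1)_INDEX)-$(2)` lines, so it is expanded when `$(call defineTest,…)` runs, while the `$(eval export TEST_$(1)_INDEX := …)` increment only takes effect when the generated text is parsed; inside a single `$(eval $(foreach …))`, as in the `sign_ttf` loop of chocolatey/signcode.install/Makefile, every call is expanded before any of the text is parsed, so all fonts appear to get the same target name and override each other's recipe. Escaping the reads as `$$(TEST_$(1)_INDEX)` defers them to parse time, where they follow the preceding increment. The increment itself is also worth checking with `$(info)`: after the `$$` is reduced to `$` by the call expansion, `$(shell echo $((…+1)))` looks to Make like a variable reference rather than shell arithmetic, and it forks a shell per test either way; a shell-free alternative is `$(eval TEST_$(1)_INDEX_LIST += x)` with `$$(words $$(TEST_$(1)_INDEX_LIST))` as the suffix. The `export` on the counter does not seem needed for anything in the hunk.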
@@ -8,6 +16,12 @@ install: build_script: - cmd: make +before_test: + - cmd: openssl pkcs12 -in sign/certificate/cert.pfx -passin pass:%CODE_SIGNING_CERTIFICATE_PASSWORD% -nokeys -out sign/certificate/cert.cer + - ps: Import-Certificate -FilePath 'sign/certificate/cert.cer' -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' -Verbose + - cmd: openssl pkcs12 -in sign/certificate/cert.pfx -passin pass:%CODE_SIGNING_CERTIFICATE_PASSWORD% -nokeys -cacerts -out sign/certificate/CA.cer + - ps: Import-Certificate -FilePath 'sign/certificate/CA.cer' -CertStoreLocation 'Cert:\LocalMachine\AuthRoot' -Verbose + test_script: - cmd: make test --keep-going @@ -20,13 +34,13 @@ deploy: - provider: Environment name: GitHub-Releases description: $(release_description) - artifact: signcode.install + artifact: package on: branch: master #appveyor_repo_tag: true - provider: Environment name: Chocolatey - artifact: signcode.install + artifact: package on: branch: master #appveyor_repo_tag: true diff --git a/chocolatey/signcode.install/Makefile b/chocolatey/signcode.install/Makefile index 362d838..2917e1b 100644 --- a/chocolatey/signcode.install/Makefile +++ b/chocolatey/signcode.install/Makefile @@ -3,6 +3,7 @@ include $(ITG_MAKEUTILS_DIR)/common.mk include $(ITG_MAKEUTILS_DIR)/gitversion.mk include $(ITG_MAKEUTILS_DIR)/chocolatey.mk include $(ITG_MAKEUTILS_DIR)/tests.mk +include $(ITG_MAKEUTILS_DIR)/signing/sign.mk include $(ITG_MAKEUTILS_DIR)/appveyor.mk CHOCO_PACKAGE_NAME = signcode.install @@ -11,8 +12,11 @@ $(eval $(call packChocoWebPackage,PACKAGE_,$(CHOCO_PACKAGE_NAME),\ $(MajorMinorPatch),\ $(PreReleaseLabel),\ $(wildcard $(SOURCESDIR)/$(CHOCO_PACKAGE_NAME)/*.ignore)\ + $(SOURCESDIR)/$(CHOCO_PACKAGE_NAME)/signcodepwd.cmd \ )) +FILES_FOR_SIGNING := $(wildcard tests/*.ttf) + all: package package: $(PACKAGE_TARGETS) $(pushDeploymentArtifact) 
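Review bot: Both new `openssl pkcs12` lines in `before_test` pass the secret as `-passin pass:%CODE_SIGNING_CERTIFICATE_PASSWORD%`, which expands it into the command line where any process listing on the build VM can read it; openssl reads the variable itself with `-passin env:CODE_SIGNING_CERTIFICATE_PASSWORD`, so the `pass:` form is not needed here. The two `Import-Certificate` steps place the signing certificate in `Cert:\LocalMachine\TrustedPublisher` and its issuer in `Cert:\LocalMachine\AuthRoot`, i.e. they make the whole build machine trust the signing chain so `chktrust` can pass; a comment stating that this is intended only for the disposable CI image would keep the block from being copied onto a developer machine. A word on `-nokeys` being what keeps the private key out of the exported `.cer` files would round the comment off.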
@@ -22,6 +26,16 @@ $(eval $(call defineTest,install,package,\ $(PACKAGE_TARGETS) \ )) +$(eval $(foreach file,$(FILES_FOR_SIGNING),\ + $(call defineTest,sign_ttf,package,\ + /usr/bin/mkdir -p $(AUXDIR); \ + cp -f $(file) -t $(AUXDIR); \ + $$(call SIGN,$(AUXDIR)/$(notdir $(file))); \ + $$(call SIGNTEST,$(AUXDIR)/$(notdir $(file))),\ + $(file) $(CODE_SIGNING_CERTIFICATE_PVK) $(CODE_SIGNING_CERTIFICATE_SPC) \ + )\ +)) + $(eval $(call defineTest,uninstall,package,\ $(CHOCO) uninstall $(CHOCO_PACKAGE_NAME) --confirm, \ $(PACKAGE_TARGETS) \ diff --git a/chocolatey/signcode.install/sources/signcode.install/chocolateyInstall.ps1 b/chocolatey/signcode.install/sources/signcode.install/chocolateyInstall.ps1 index 1f474ec..9868752 100644 --- a/chocolatey/signcode.install/sources/signcode.install/chocolateyInstall.ps1 +++ b/chocolatey/signcode.install/sources/signcode.install/chocolateyInstall.ps1 @@ -24,3 +24,8 @@ $exitCode = Start-ChocolateyProcessAsAdmin ` "@ ` -noSleep ` ; + +Install-BinFile ` + -name 'signcodepwd' ` + -path ( Join-Path -Path $toolsDir -ChildPath 'signcodepwd.cmd' ) ` +; diff --git a/chocolatey/signcode.install/sources/signcode.install/chocolateyUninstall.ps1 b/chocolatey/signcode.install/sources/signcode.install/chocolateyUninstall.ps1 index 6eaf3fa..dfb6b43 100644 --- a/chocolatey/signcode.install/sources/signcode.install/chocolateyUninstall.ps1 +++ b/chocolatey/signcode.install/sources/signcode.install/chocolateyUninstall.ps1 @@ -12,6 +12,11 @@ $exitCode = Start-ChocolateyProcessAsAdmin ` -noSleep ` ; +Uninstall-BinFile ` + -name 'signcodepwd' ` + -path ( Join-Path -Path $toolsDir -ChildPath 'signcodepwd.cmd' ) ` +; + $packageArgs = @{ packageName = $packageName; zipFileName = 'Dsig.EXE'; diff --git a/chocolatey/signcode.install/sources/signcode.install/signcodepwd.cmd b/chocolatey/signcode.install/sources/signcode.install/signcodepwd.cmd new file mode 100644 index 0000000..f0a34eb --- /dev/null 
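Review bot: The `sign_ttf` recipe hard-codes `/usr/bin/mkdir -p $(AUXDIR)` and relies on GNU `cp -t`, while every tool in sign.mk (`SIGNCODE`, `SIGNCODEPWD`, `CHKTRUST`) is an overridable `?=` variable; presumably the absolute path is there to avoid cmd's `mkdir` on Windows, but that intent is not written down. A `MKDIR ?= /usr/bin/mkdir` knob with a one-line comment (`# GNU mkdir, cmd's has no -p`) would make the step overridable and self-explanatory. The signed copy in `$(AUXDIR)` is never removed by this test; if that is deliberate, say so in the same comment.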
+++ b/chocolatey/signcode.install/sources/signcode.install/signcodepwd.cmd 
@@ -0,0 +1,106 @@ +@echo off +setlocal enableextensions enabledelayedexpansion +set SIGNCODEPWD=signcode-pwd.exe +set SIGNCODE=signcode.exe +set CODE_TIMESTAMP_URL=http://timestamp.verisign.com/scripts/timstamp.dll +set CODE_SIGNING_DLL=mssipotf.dll +set SIGNCODEPASSWORD=%CODE_SIGNING_CERTIFICATE_PASSWORD% + +:parseargs +if "%~1"=="" goto :endparseargs +if "%~1"=="-h" ( +:help + echo Parameters -spc, -v, -t, -j, -p and filename for signing expected. + exit /b -1 +) +if "%~1"=="/?" goto :help +if "%~1"=="-?" goto :help +if "%~1"=="-help" goto :help +if "%~1"=="--help" goto :help +if "%~1"=="-spc" ( + set CODE_SIGNING_CERTIFICATE_SPC=%~2 + shift + shift + goto :parseargs +) +if "%~1"=="-v" ( + set CODE_SIGNING_CERTIFICATE_PVK=%~2 + shift + shift + goto :parseargs +) +if "%~1"=="-t" ( + set CODE_TIMESTAMP_URL=%~2 + shift + shift + goto :parseargs +) +if "%~1"=="-j" ( + set CODE_SIGNING_DLL=%~2 + shift + shift + goto :parseargs +) +if "%~1"=="-p" ( + set SIGNCODEPASSWORD=%~2 + shift + shift + goto :parseargs +) +set FILEFORSIGNING=%~1 +shift +goto :parseargs +:endparseargs + +if "%CODE_SIGNING_CERTIFICATE_SPC%"=="" goto :help +if "%CODE_SIGNING_CERTIFICATE_PVK%"=="" goto :help +if "%CODE_TIMESTAMP_URL%"=="" goto :help +if "%CODE_SIGNING_DLL%"=="" goto :help +if "%SIGNCODEPASSWORD%"=="" goto :help +if "%FILEFORSIGNING%"=="" goto :help + +for %%A in ("%FILEFORSIGNING%") do set TMPFILE="%TMP%\%%~nxA" + +copy /Y "%FILEFORSIGNING%" "%TMPFILE%" +@echo on +"%SIGNCODEPWD%" -m %SIGNCODEPASSWORD% +@echo off +set /a i=10 +:signingloopbegin + @echo on + "%SIGNCODE%" ^ + -spc "%CODE_SIGNING_CERTIFICATE_SPC%" ^ + -v "%CODE_SIGNING_CERTIFICATE_PVK%" ^ + -j "%CODE_SIGNING_DLL%" ^ + "%FILEFORSIGNING%" + @set exitcode=%errorlevel% + @echo off + if %exitcode%==0 goto :beforetimestamp + copy /Y "%TMPFILE%" "%FILEFORSIGNING%" + set /a i-=1 + if %i% gtr 0 goto :signingloopbegin +:signingloopend +goto :beforeexit + +:beforetimestamp +copy /Y "%FILEFORSIGNING%" "%TMPFILE%" +set /a i=10 
+:timestamploopbegin + @echo on + "%SIGNCODE%" ^ + -x ^ + -t "%CODE_TIMESTAMP_URL%" ^ + "%FILEFORSIGNING%" + @set exitcode=%errorlevel% + @echo off + if %exitcode%==0 goto :timestamploopend + copy /Y "%TMPFILE%" "%FILEFORSIGNING%" + set /a i-=1 + if %i% gtr 0 goto :timestamploopbegin +:timestamploopend + +:beforeexit +@echo on +"%SIGNCODEPWD%" -t +@REM @del /F /Q "%TMPFILE%" +@exit /b %exitcode% diff --git a/chocolatey/signcode.install/tests/GOST2.304-81TypeA-Regular.ttf b/chocolatey/signcode.install/tests/GOST2.304-81TypeA-Regular.ttf new file mode 100644 index 0000000..a2efd77 Binary files /dev/null and b/chocolatey/signcode.install/tests/GOST2.304-81TypeA-Regular.ttf differ diff --git a/readme.md b/readme.md index a2b3da7..e2fa021 100644 --- a/readme.md +++ b/readme.md @@ -1,4 +1,6 @@ -Пакет chocolatey для установки средств подписи шрифтов +[![Build status](https://ci.appveyor.com/api/projects/status/47ga775dxwnopruv/branch/master?svg=true)](https://ci.appveyor.com/project/sergey-s-betke/signcode) + +Пакет chocolatey для установки средств подписи шрифтов ====================================================== Репозиторий содержит проект для сборки пакета signcode.install для chocolatey. @@ -9,6 +11,7 @@ - [signcode][] - утилиту от Microsoft с библиотекой подписи шрифтов - [signcode-pwd][] - утилиту от Stephan Brenner для передачи signcode пароля к сертификату в пакетном режиме +- signcodepwd - см. далее Пакет доступен [в репозитории chocolatey](https://chocolatey.org/packages/signcode.install). @@ -20,7 +23,7 @@ - `signcode.exe` - `signcode-pwd.exe` -- `signcode.bat` +- `signcodepwd.exe` Последний пакетный файл в дополнение к параметрам signcode.exe позволяет указать пароль к сертификату в форме `-p password`.
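Review bot: `@echo on` immediately before `"%SIGNCODEPWD%" -m %SIGNCODEPASSWORD%` makes cmd print that command, password included, to the console and therefore into any CI log; running it as `@"%SIGNCODEPWD%" -m "%SIGNCODEPASSWORD%"` with echo left off keeps the secret out of the output and also survives a password containing spaces. The same exposure applies to the `-p` option, whose value sits in the process command line for anyone on the machine to read, so the `%CODE_SIGNING_CERTIFICATE_PASSWORD%` environment fallback already set at the top of the script is the preferable path and the `-h` text could say so. `set TMPFILE="%TMP%\%%~nxA"` stores the quotes in the value, so every later `"%TMPFILE%"` is doubly quoted; dropping the quotes from the `set` (the uses already quote) avoids relying on cmd tolerating `""…""`. The `:help` label sits inside the `if "%~1"=="-h" ( … )` block and is reached by `goto :help` from the later checks; that only works because `exit /b -1` runs before the closing `)` is parsed, so moving the label and its two lines out of the block is safer. The commented-out `@REM @del /F /Q "%TMPFILE%"` leaves a copy of each input file in `%TMP%` after every run and reads as dead code; either restore the delete or remove the line.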