aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCory Fields <cory-nospam-@coryfields.com>2015-06-18 18:17:36 -0400
committerCory Fields <cory-nospam-@coryfields.com>2015-06-18 18:17:36 -0400
commitd08cfc2bd752fdb1e8547f957f1c38275540df7a (patch)
tree53f0ad6cdc0fe43809627b4d8d6250a108e4e770
parent40400d53d3a0f5a11907fba610adabbe0975c9db (diff)
gitian: add a gitian-win-signer descriptor
This is exactly like the current OSX signing process. osslsigncode has been patched to detach and re-attach Windows signatures. The changes can be seen here: https://github.com/theuni/osslsigncode/commits/attach-signature There's a pull-request open upstream for the changes: https://sourceforge.net/p/osslsigncode/osslsigncode/merge-requests/3/ This work has been back-ported to the stable 1.7.1 release of osslsigncode, so that a smaller patch can be reviewed.
-rw-r--r--contrib/gitian-descriptors/gitian-win-signer.yml34
-rw-r--r--doc/release-process.md32
2 files changed, 54 insertions, 12 deletions
diff --git a/contrib/gitian-descriptors/gitian-win-signer.yml b/contrib/gitian-descriptors/gitian-win-signer.yml
new file mode 100644
index 0000000000..0bf2ac9b2f
--- /dev/null
+++ b/contrib/gitian-descriptors/gitian-win-signer.yml
@@ -0,0 +1,34 @@
+---
+name: "bitcoin-win-signer"
+suites:
+- "precise"
+architectures:
+- "amd64"
+packages:
+- "libssl-dev"
+- "autoconf"
+reference_datetime: "2015-06-01 00:00:00"
+remotes:
+- "url": "https://github.com/bitcoin/bitcoin-detached-sigs.git"
+ "dir": "signature"
+files:
+- "osslsigncode-1.7.1.tar.gz"
+- "osslsigncode-Backports-to-1.7.1.patch"
+- "bitcoin-win32-setup.exe"
+- "bitcoin-win64-setup.exe"
+script: |
+ BUILD_DIR=`pwd`
+ SIGDIR=${BUILD_DIR}/signature/win
+
+ echo "f9a8cdb38b9c309326764ebc937cba1523a3a751a7ab05df3ecc99d18ae466c9 osslsigncode-1.7.1.tar.gz" | sha256sum -c
+ echo "a8c4e9cafba922f89de0df1f2152e7be286aba73f78505169bc351a7938dd911 osslsigncode-Backports-to-1.7.1.patch" | sha256sum -c
+
+ tar xf osslsigncode-1.7.1.tar.gz
+ cd osslsigncode-1.7.1
+ patch -p1 < ${BUILD_DIR}/osslsigncode-Backports-to-1.7.1.patch
+
+ ./configure --without-gsf --without-curl --disable-dependency-tracking
+ make
+
+ ./osslsigncode attach-signature -in ${BUILD_DIR}/bitcoin-win32-setup.exe -out ${OUTDIR}/bitcoin-win32-setup-signed.exe -sigin ${SIGDIR}/bitcoin-win32-setup.exe.pem
+ ./osslsigncode attach-signature -in ${BUILD_DIR}/bitcoin-win64-setup.exe -out ${OUTDIR}/bitcoin-win64-setup-signed.exe -sigin ${SIGDIR}/bitcoin-win64-setup.exe.pem
diff --git a/doc/release-process.md b/doc/release-process.md
index 45c44640ca..07005bfbb9 100644
--- a/doc/release-process.md
+++ b/doc/release-process.md
@@ -41,6 +41,8 @@ Release Process
###fetch and build inputs: (first time, or when dependency versions change)
mkdir -p inputs
+ wget -P inputs https://bitcoincore.org/cfields/osslsigncode-Backports-to-1.7.1.patch
+ wget -P inputs http://downloads.sourceforge.net/project/osslsigncode/osslsigncode/osslsigncode-1.7.1.tar.gz
Register and download the Apple SDK: (see OSX Readme for details)
@@ -65,7 +67,9 @@ Release Process
mv build/out/bitcoin-*.tar.gz build/out/src/bitcoin-*.tar.gz ../
./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-win.yml
./bin/gsign --signer $SIGNER --release ${VERSION}-win --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win.yml
- mv build/out/bitcoin-*.zip build/out/bitcoin-*.exe ../
+ mv build/out/bitcoin-*.zip ../
+ mv build/out/bitcoin-*-win64-setup.exe inputs/bitcoin-win64-setup.exe
+ mv build/out/bitcoin-*-win32-setup.exe inputs/bitcoin-win32-setup.exe
./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml
./bin/gsign --signer $SIGNER --release ${VERSION}-osx-unsigned --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml
mv build/out/bitcoin-*-unsigned.tar.gz inputs/bitcoin-osx-unsigned.tar.gz
@@ -75,7 +79,7 @@ Release Process
1. source tarball (bitcoin-${VERSION}.tar.gz)
2. linux 32-bit and 64-bit binaries dist tarballs (bitcoin-${VERSION}-linux[32|64].tar.gz)
- 3. windows 32-bit and 64-bit installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip)
+ 3. windows 32-bit and 64-bit unsigned installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip)
4. OSX unsigned installer (bitcoin-${VERSION}-osx-unsigned.dmg)
5. Gitian signatures (in gitian.sigs/${VERSION}-<linux|win|osx-unsigned>/(your gitian key)/
@@ -91,9 +95,9 @@ Commit your signature to gitian.sigs:
git push # Assuming you can push to the gitian.sigs tree
popd
- Wait for OSX detached signature:
- Once the OSX build has 3 matching signatures, it will be signed with the Apple App-Store key.
- A detached signature will then be committed to the bitcoin-detached-sigs repository, which can be combined with the unsigned app to create a signed binary.
+ Wait for Windows/OSX detached signatures:
+ Once the Windows/OSX builds each have 3 matching signatures, they will be signed with their respective release keys.
+ Detached signatures will then be committed to the bitcoin-detached-sigs repository, which can be combined with the unsigned apps to create signed binaries.
Create the signed OSX binary:
@@ -103,10 +107,20 @@ Commit your signature to gitian.sigs:
mv build/out/bitcoin-osx-signed.dmg ../bitcoin-${VERSION}-osx.dmg
popd
-Commit your signature for the signed OSX binary:
+ Create the signed Windows binaries:
+
+ pushd ./gitian-builder
+ ./bin/gbuild -i --commit signature=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-win-signer.yml
+ ./bin/gsign --signer $SIGNER --release ${VERSION}-win-signed --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win-signer.yml
+ mv build/out/bitcoin-win64-setup-signed.exe ../bitcoin-${VERSION}-win64-setup.exe
+ mv build/out/bitcoin-win32-setup-signed.exe ../bitcoin-${VERSION}-win32-setup.exe
+ popd
+
+Commit your signature for the signed OSX/Windows binaries:
pushd gitian.sigs
git add ${VERSION}-osx-signed/${SIGNER}
+ git add ${VERSION}-win-signed/${SIGNER}
git commit -a
git push # Assuming you can push to the gitian.sigs tree
popd
@@ -115,12 +129,6 @@ Commit your signature for the signed OSX binary:
### After 3 or more people have gitian-built and their results match:
-- Perform code-signing.
-
- - Code-sign Windows -setup.exe (in a Windows virtual machine using signtool)
-
- Note: only Gavin has the code-signing keys currently.
-
- Create `SHA256SUMS.asc` for the builds, and GPG-sign it:
```bash
sha256sum * > SHA256SUMS