From a3ba9a553acefd567ccb304b8600d2149ffab9aa Mon Sep 17 00:00:00 2001 From: Cory Fields Date: Mon, 29 Jun 2015 15:02:37 -0400 Subject: [PATCH 1/2] gitian: make the windows signing process match OSX --- contrib/gitian-descriptors/gitian-win-signer.yml | 15 ++++++++++----- contrib/gitian-descriptors/gitian-win.yml | 7 +++++-- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/contrib/gitian-descriptors/gitian-win-signer.yml b/contrib/gitian-descriptors/gitian-win-signer.yml index 0bf2ac9b2..2a73050e0 100644 --- a/contrib/gitian-descriptors/gitian-win-signer.yml +++ b/contrib/gitian-descriptors/gitian-win-signer.yml @@ -14,21 +14,26 @@ remotes: files: - "osslsigncode-1.7.1.tar.gz" - "osslsigncode-Backports-to-1.7.1.patch" -- "bitcoin-win32-setup.exe" -- "bitcoin-win64-setup.exe" +- "bitcoin-win-unsigned.tar.gz" script: | BUILD_DIR=`pwd` SIGDIR=${BUILD_DIR}/signature/win + UNSIGNED_DIR=${BUILD_DIR}/unsigned echo "f9a8cdb38b9c309326764ebc937cba1523a3a751a7ab05df3ecc99d18ae466c9 osslsigncode-1.7.1.tar.gz" | sha256sum -c echo "a8c4e9cafba922f89de0df1f2152e7be286aba73f78505169bc351a7938dd911 osslsigncode-Backports-to-1.7.1.patch" | sha256sum -c + mkdir -p ${UNSIGNED_DIR} + tar -C ${UNSIGNED_DIR} -xf bitcoin-win-unsigned.tar.gz + tar xf osslsigncode-1.7.1.tar.gz cd osslsigncode-1.7.1 patch -p1 < ${BUILD_DIR}/osslsigncode-Backports-to-1.7.1.patch ./configure --without-gsf --without-curl --disable-dependency-tracking make - - ./osslsigncode attach-signature -in ${BUILD_DIR}/bitcoin-win32-setup.exe -out ${OUTDIR}/bitcoin-win32-setup-signed.exe -sigin ${SIGDIR}/bitcoin-win32-setup.exe.pem - ./osslsigncode attach-signature -in ${BUILD_DIR}/bitcoin-win64-setup.exe -out ${OUTDIR}/bitcoin-win64-setup-signed.exe -sigin ${SIGDIR}/bitcoin-win64-setup.exe.pem + find ${UNSIGNED_DIR} -name "*-unsigned.exe" | while read i; do + INFILE="`basename "${i}"`" + OUTFILE="`echo "${INFILE}" | sed s/-unsigned//`" + ./osslsigncode attach-signature -in "${i}" -out "${OUTDIR}/${OUTFILE}" -sigin "${SIGDIR}/${INFILE}.pem" + done diff --git a/contrib/gitian-descriptors/gitian-win.yml b/contrib/gitian-descriptors/gitian-win.yml index 20cfb2985..966820ec5 100644 --- a/contrib/gitian-descriptors/gitian-win.yml +++ b/contrib/gitian-descriptors/gitian-win.yml @@ -84,6 +84,8 @@ script: | pushd temp tar xf ../$SOURCEDIST find bitcoin-* | sort | tar --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ../$SOURCEDIST + mkdir -p $OUTDIR/src + cp ../$SOURCEDIST $OUTDIR/src popd ORIGPATH="$PATH" @@ -109,7 +111,8 @@ script: | find ${DISTNAME} -type f | sort | zip -X@ ${OUTDIR}/${DISTNAME}-${i}.zip cd ../.. done - mkdir -p $OUTDIR/src - mv $SOURCEDIST $OUTDIR/src + cd $OUTDIR + rename 's/-setup\.exe$/-setup-unsigned.exe/' *-setup.exe + find . -name "*-setup-unsigned.exe" | sort | tar --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-win-unsigned.tar.gz mv ${OUTDIR}/${DISTNAME}-x86_64-*.zip ${OUTDIR}/${DISTNAME}-win64.zip mv ${OUTDIR}/${DISTNAME}-i686-*.zip ${OUTDIR}/${DISTNAME}-win32.zip From 6e849b8309558ec83710d86c0f784566996da58b Mon Sep 17 00:00:00 2001 From: Micha Date: Fri, 26 Jun 2015 15:48:41 +0300 Subject: [PATCH 2/2] Ideal release process for Windows detached signing This is an ideal version of what the release process should look like, making it more consistent with the OS X process. Some of the changes described here would need to be made in the descriptors, which is somewhat beyond what I would feel comfortable doing, not really understanding the signature process in depth. [skip ci] --- doc/release-process.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/doc/release-process.md b/doc/release-process.md index 07005bfbb..5ecb9334f 100644 --- a/doc/release-process.md +++ b/doc/release-process.md @@ -25,7 +25,7 @@ Release Process ###update gitian - In order to take advantage of the new caching features in gitian, be sure to update to a recent version (e9741525c or higher is recommended) + In order to take advantage of the new caching features in gitian, be sure to update to a recent version (`e9741525c` or later is recommended) ###perform gitian builds @@ -66,22 +66,21 @@ Release Process ./bin/gsign --signer $SIGNER --release ${VERSION}-linux --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-linux.yml mv build/out/bitcoin-*.tar.gz build/out/src/bitcoin-*.tar.gz ../ ./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-win.yml - ./bin/gsign --signer $SIGNER --release ${VERSION}-win --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win.yml - mv build/out/bitcoin-*.zip ../ - mv build/out/bitcoin-*-win64-setup.exe inputs/bitcoin-win64-setup.exe - mv build/out/bitcoin-*-win32-setup.exe inputs/bitcoin-win32-setup.exe + ./bin/gsign --signer $SIGNER --release ${VERSION}-win-unsigned --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win.yml + mv build/out/bitcoin-*-win-unsigned.tar.gz inputs/bitcoin-win-unsigned.tar.gz + mv build/out/bitcoin-*.zip build/out/bitcoin-*.exe ../ ./bin/gbuild --commit bitcoin=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml ./bin/gsign --signer $SIGNER --release ${VERSION}-osx-unsigned --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-osx.yml - mv build/out/bitcoin-*-unsigned.tar.gz inputs/bitcoin-osx-unsigned.tar.gz + mv build/out/bitcoin-*-osx-unsigned.tar.gz inputs/bitcoin-osx-unsigned.tar.gz mv build/out/bitcoin-*.tar.gz build/out/bitcoin-*.dmg ../ popd Build output expected: 1. source tarball (bitcoin-${VERSION}.tar.gz) - 2. linux 32-bit and 64-bit binaries dist tarballs (bitcoin-${VERSION}-linux[32|64].tar.gz) - 3. windows 32-bit and 64-bit unsigned installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup.exe, bitcoin-${VERSION}-win[32|64].zip) - 4. OSX unsigned installer (bitcoin-${VERSION}-osx-unsigned.dmg) - 5. Gitian signatures (in gitian.sigs/${VERSION}-/(your gitian key)/ + 2. linux 32-bit and 64-bit dist tarballs (bitcoin-${VERSION}-linux[32|64].tar.gz) + 3. windows 32-bit and 64-bit unsigned installers and dist zips (bitcoin-${VERSION}-win[32|64]-setup-unsigned.exe, bitcoin-${VERSION}-win[32|64].zip) + 4. OSX unsigned installer and dist tarball (bitcoin-${VERSION}-osx-unsigned.dmg, bitcoin-${VERSION}-osx64.tar.gz) + 5. Gitian signatures (in gitian.sigs/${VERSION}-/(your gitian key)/ ###Next steps: @@ -89,7 +88,7 @@ Commit your signature to gitian.sigs: pushd gitian.sigs git add ${VERSION}-linux/${SIGNER} - git add ${VERSION}-win/${SIGNER} + git add ${VERSION}-win-unsigned/${SIGNER} git add ${VERSION}-osx-unsigned/${SIGNER} git commit -a git push # Assuming you can push to the gitian.sigs tree @@ -112,8 +111,8 @@ Commit your signature to gitian.sigs: pushd ./gitian-builder ./bin/gbuild -i --commit signature=v${VERSION} ../bitcoin/contrib/gitian-descriptors/gitian-win-signer.yml ./bin/gsign --signer $SIGNER --release ${VERSION}-win-signed --destination ../gitian.sigs/ ../bitcoin/contrib/gitian-descriptors/gitian-win-signer.yml - mv build/out/bitcoin-win64-setup-signed.exe ../bitcoin-${VERSION}-win64-setup.exe - mv build/out/bitcoin-win32-setup-signed.exe ../bitcoin-${VERSION}-win32-setup.exe + mv build/out/bitcoin-*win64-setup.exe ../bitcoin-${VERSION}-win64-setup.exe + mv build/out/bitcoin-*win32-setup.exe ../bitcoin-${VERSION}-win32-setup.exe popd Commit your signature for the signed OSX/Windows binaries: