Use user-provided codesign script for Windows signing

The `app/win/codesign` script should take a path to a file and a
description (`/d` parameter to `signtool.exe`) and sign the file using
whatever process the certificate authority requires.
This commit is contained in:
Dan Stillman 2024-01-23 06:59:34 +00:00
parent 38dc364f57
commit db19e52547
4 changed files with 10 additions and 49 deletions

.gitignore vendored

@ -3,3 +3,4 @@ node_modules
build/
.signatures.json
tmp
app/win/codesign


@ -672,13 +672,7 @@ if [ $BUILD_WIN == 1 ]; then
# Sign updater
if [ $SIGN -eq 1 ]; then
"`cygpath -u \"$SIGNTOOL\"`" \
sign /n "$SIGNTOOL_CERT_SUBJECT" \
/d "$SIGNATURE_DESC Updater" \
/fd SHA256 \
/tr "$SIGNTOOL_TIMESTAMP_SERVER" \
/td SHA256 \
"`cygpath -w \"$APPDIR/updater.exe\"`"
"$CALLDIR/win/codesign" "$APPDIR/updater.exe" "$SIGNATURE_DESC Updater"
fi
# Copy app files
@ -742,13 +736,7 @@ if [ $BUILD_WIN == 1 ]; then
mv "$BUILD_DIR/win_installer/helper.exe" "$APPDIR/uninstall"
if [ $SIGN -eq 1 ]; then
"`cygpath -u \"$SIGNTOOL\"`" \
sign /n "$SIGNTOOL_CERT_SUBJECT" \
/d "$SIGNATURE_DESC Uninstaller" \
/fd SHA256 \
/tr "$SIGNTOOL_TIMESTAMP_SERVER" \
/td SHA256 \
"`cygpath -w \"$APPDIR/uninstall/helper.exe\"`"
"$CALLDIR/win/codesign" "$APPDIR/uninstall/helper.exe" "$SIGNATURE_DESC Uninstaller"
sleep $SIGNTOOL_DELAY
fi
@ -762,15 +750,7 @@ if [ $BUILD_WIN == 1 ]; then
fi
if [ $SIGN -eq 1 ]; then
# Sign zotero.exe
"`cygpath -u \"$SIGNTOOL\"`" \
sign /n "$SIGNTOOL_CERT_SUBJECT" \
/d "$SIGNATURE_DESC" \
/du "$SIGNATURE_URL" \
/fd SHA256 \
/tr "$SIGNTOOL_TIMESTAMP_SERVER" \
/td SHA256 \
"`cygpath -w \"$APPDIR/zotero.exe\"`"
"$CALLDIR/win/codesign" "$APPDIR/zotero.exe" "$SIGNATURE_DESC"
sleep $SIGNTOOL_DELAY
fi
@ -793,14 +773,7 @@ if [ $BUILD_WIN == 1 ]; then
mv "$BUILD_DIR/win_installer/setup.exe" "$INSTALLER_STAGE_DIR"
if [ $SIGN == 1 ]; then
"`cygpath -u \"$SIGNTOOL\"`" \
sign /n "$SIGNTOOL_CERT_SUBJECT" \
/d "$SIGNATURE_DESC Setup" \
/du "$SIGNATURE_URL" \
/fd SHA256 \
/tr "$SIGNTOOL_TIMESTAMP_SERVER" \
/td SHA256 \
"`cygpath -w \"$INSTALLER_STAGE_DIR/setup.exe\"`"
"$CALLDIR/win/codesign" "$INSTALLER_STAGE_DIR/setup.exe" "$SIGNATURE_DESC Setup"
sleep $SIGNTOOL_DELAY
fi
@ -814,14 +787,7 @@ if [ $BUILD_WIN == 1 ]; then
# Sign installer .exe
if [ $SIGN == 1 ]; then
"`cygpath -u \"$SIGNTOOL\"`" \
sign /n "$SIGNTOOL_CERT_SUBJECT" \
/d "$SIGNATURE_DESC Setup" \
/du "$SIGNATURE_URL" \
/fd SHA256 \
/tr "$SIGNTOOL_TIMESTAMP_SERVER" \
/td SHA256 \
"`cygpath -w \"$INSTALLER_PATH\"`"
"$CALLDIR/win/codesign" "$INSTALLER_PATH" "$SIGNATURE_DESC Installer"
fi
chmod 755 "$INSTALLER_PATH"
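Review bot: The exit status of `"$CALLDIR/win/codesign"` is not checked at any of the five new call sites (L34, L47, L62, L76, L90), so unless the script runs under `set -e` — its preamble is outside these hunks — a failing or misconfigured signing step leaves the unsigned updater, uninstaller, zotero.exe and installer in place and the build goes on packaging them. The removed signtool calls had the same weakness, but the whole process now lives in an untracked user-supplied script, so a loud failure matters more; I would append `|| { echo "Code signing failed for $APPDIR/zotero.exe" >&2; exit 1; }` to each call, or route all five through one `sign_win()` helper that does it. Note that the `/du "$SIGNATURE_URL"` argument previously passed for zotero.exe, setup.exe and the installer has no counterpart in the new two-argument interface, so the script must add the URL (and the `/fd SHA256`, `/tr` and `/td SHA256` options) itself or they are silently dropped. The last hunk also changes the description for `$INSTALLER_PATH` from "Setup" to "Installer", which looks deliberate but is not mentioned in the commit message. Each `if [ $SIGN ... ]` sits inside the `if [ $BUILD_WIN == 1 ]` block that begins and ends outside these hunks.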


@ -28,13 +28,7 @@ NOTARIZATION_PASSWORD=""
# Paths for Windows installer build
NSIS_DIR='C:\Program Files (x86)\NSIS\'
# Paths for Windows installer build only necessary for signed binaries
SIGNTOOL='C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'
SIGNATURE_DESC='Zotero'
SIGNATURE_URL='https://www.zotero.org/'
SIGNTOOL_CERT_SUBJECT="Corporation for Digital Scholarship"
SIGNTOOL_TIMESTAMP_SERVER="http://timestamp.sectigo.com"
SIGNTOOL_DELAY=15
SIGNTOOL_DELAY=5
# Directory for unpacked binaries
STAGE_DIR="$DIR/staging"
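Review bot: With `SIGNTOOL_TIMESTAMP_SERVER` removed, nothing left in the repository records that Windows signatures must be RFC 3161 timestamped (`/tr` plus `/td SHA256`) and use a SHA-256 file digest (`/fd SHA256`), which the removed signtool command guaranteed; a user-written `codesign` that omits the timestamp yields signatures that stop validating once the certificate expires. I would keep that requirement visible next to the remaining keys, e.g. `# Windows signing is delegated to app/win/codesign (untracked, see .gitignore); it must timestamp (RFC 3161) and use SHA-256 digests as the former signtool call did`. `SIGNTOOL_DELAY` is also still named after a tool this file no longer references; if the delay exists to pace the timestamp server, the script that now talks to that server is the better place for it. Whether `SIGNATURE_URL` survives this hunk is not clear from the rendered view, but the new script interface has no argument through which it could be passed.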


@ -93,9 +93,9 @@ if [ $platform = "w" ]; then
echo -n "Checking for uuidgen: "
which uuidgen || { $FAIL_CMD; FAILED=1; }
echo -n "Checking for signtool: "
if [ -x "`cygpath -u \"$SIGNTOOL\"`" ]; then
echo "`cygpath -u \"$SIGNTOOL\"`"
echo -n "Checking for code-signing script: "
if [ -x "$APP_ROOT_DIR/win/codesign" ]; then
echo "$APP_ROOT_DIR/win/codesign"
else
$FAIL_CMD
FAILED=1
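Review bot: The check tests `$APP_ROOT_DIR/win/codesign` (L119) while the build script invokes `$CALLDIR/win/codesign`; both variables are defined outside this hunk, and if they are not guaranteed to resolve to the same directory the requirements check can pass while the build still fails at signing time, so I would use the same variable in both places or derive one from the other. It is also worth requiring a regular file rather than just an executable path, `if [ -f "$APP_ROOT_DIR/win/codesign" ] && [ -x "$APP_ROOT_DIR/win/codesign" ]; then`, since `-x` alone is satisfied by a searchable directory. The surrounding `if [ $platform = "w" ]` block continues past the end of the hunk.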