From db19e52547b68df2a8da8182b81c4e388f5d53ba Mon Sep 17 00:00:00 2001
From: Dan Stillman
Date: Tue, 23 Jan 2024 06:59:34 +0000
Subject: [PATCH] Use user-provided `codesign` script for Windows signing
The `app/win/codesign` script should take a path to a file and a description (`/d` parameter to `signtool.exe`) and sign the file using whatever process the certificate authority requires.
---
 .gitignore | 1 +
 app/build.sh | 44 ++++------------------------------
 app/config.sh | 8 +------
 app/scripts/check_requirements | 6 ++---
 4 files changed, 10 insertions(+), 49 deletions(-)
diff --git a/.gitignore b/.gitignore
index 027317facc..3e51b5ea8c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ node_modules
 build/
 .signatures.json
 tmp
+app/win/codesign
diff --git a/app/build.sh b/app/build.sh
index 1a0253c6d4..3eda1624ef 100755
--- a/app/build.sh
+++ b/app/build.sh
@@ -672,13 +672,7 @@ if [ $BUILD_WIN == 1 ]; then
 # Sign updater
 if [ $SIGN -eq 1 ]; then
- "`cygpath -u \"$SIGNTOOL\"`" \
- sign /n "$SIGNTOOL_CERT_SUBJECT" \
- /d "$SIGNATURE_DESC Updater" \
- /fd SHA256 \
- /tr "$SIGNTOOL_TIMESTAMP_SERVER" \
- /td SHA256 \
- "`cygpath -w \"$APPDIR/updater.exe\"`"
+ "$CALLDIR/win/codesign" "$APPDIR/updater.exe" "$SIGNATURE_DESC Updater"
 fi
 # Copy app files
@@ -742,13 +736,7 @@ if [ $BUILD_WIN == 1 ]; then
 mv "$BUILD_DIR/win_installer/helper.exe" "$APPDIR/uninstall"
 if [ $SIGN -eq 1 ]; then
- "`cygpath -u \"$SIGNTOOL\"`" \
- sign /n "$SIGNTOOL_CERT_SUBJECT" \
- /d "$SIGNATURE_DESC Uninstaller" \
- /fd SHA256 \
- /tr "$SIGNTOOL_TIMESTAMP_SERVER" \
- /td SHA256 \
- "`cygpath -w \"$APPDIR/uninstall/helper.exe\"`"
+ "$CALLDIR/win/codesign" "$APPDIR/uninstall/helper.exe" "$SIGNATURE_DESC Uninstaller"
 sleep $SIGNTOOL_DELAY
 fi
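Review bot: The new line `"$CALLDIR/win/codesign" "$APPDIR/updater.exe" "$SIGNATURE_DESC Updater"` runs an untracked, user-supplied script and never looks at its exit status, so a signing failure leaves updater.exe unsigned while the build carries on; the same applies to the codesign calls in the hunks at -742, -762, -793 and -814. Unless build.sh runs under `set -e` (not visible in these hunks), each call should be guarded, e.g. `"$CALLDIR/win/codesign" "$APPDIR/updater.exe" "$SIGNATURE_DESC Updater" || exit 1`. The options the removed signtool lines carried (`/du "$SIGNATURE_URL"`, `/fd SHA256`, `/tr "$SIGNTOOL_TIMESTAMP_SERVER"`, `/td SHA256`) become the script's responsibility, yet nothing at the call site states that contract; a comment above the first call such as `# win/codesign <file> <description>: user-provided, must sign with a SHA-256 digest and a timestamp as the former signtool invocation did` would keep the requirement visible. The enclosing `if [ $BUILD_WIN == 1 ]` block begins and ends outside the hunk.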
@@ -762,15 +750,7 @@ if [ $BUILD_WIN == 1 ]; then
 fi
 if [ $SIGN -eq 1 ]; then
- # Sign zotero.exe
- "`cygpath -u \"$SIGNTOOL\"`" \
- sign /n "$SIGNTOOL_CERT_SUBJECT" \
- /d "$SIGNATURE_DESC" \
- /du "$SIGNATURE_URL" \
- /fd SHA256 \
- /tr "$SIGNTOOL_TIMESTAMP_SERVER" \
- /td SHA256 \
- "`cygpath -w \"$APPDIR/zotero.exe\"`"
+ "$CALLDIR/win/codesign" "$APPDIR/zotero.exe" "$SIGNATURE_DESC"
 sleep $SIGNTOOL_DELAY
 fi
@@ -793,14 +773,7 @@ if [ $BUILD_WIN == 1 ]; then
 mv "$BUILD_DIR/win_installer/setup.exe" "$INSTALLER_STAGE_DIR"
 if [ $SIGN == 1 ]; then
- "`cygpath -u \"$SIGNTOOL\"`" \
- sign /n "$SIGNTOOL_CERT_SUBJECT" \
- /d "$SIGNATURE_DESC Setup" \
- /du "$SIGNATURE_URL" \
- /fd SHA256 \
- /tr "$SIGNTOOL_TIMESTAMP_SERVER" \
- /td SHA256 \
- "`cygpath -w \"$INSTALLER_STAGE_DIR/setup.exe\"`"
+ "$CALLDIR/win/codesign" "$INSTALLER_STAGE_DIR/setup.exe" "$SIGNATURE_DESC Setup"
 sleep $SIGNTOOL_DELAY
 fi
@@ -814,14 +787,7 @@ if [ $BUILD_WIN == 1 ]; then
 # Sign installer .exe
 if [ $SIGN == 1 ]; then
- "`cygpath -u \"$SIGNTOOL\"`" \
- sign /n "$SIGNTOOL_CERT_SUBJECT" \
- /d "$SIGNATURE_DESC Setup" \
- /du "$SIGNATURE_URL" \
- /fd SHA256 \
- /tr "$SIGNTOOL_TIMESTAMP_SERVER" \
- /td SHA256 \
- "`cygpath -w \"$INSTALLER_PATH\"`"
+ "$CALLDIR/win/codesign" "$INSTALLER_PATH" "$SIGNATURE_DESC Installer"
 fi
 chmod 755 "$INSTALLER_PATH"
diff --git a/app/config.sh b/app/config.sh
index 5066fab79e..c66701031f 100644
--- a/app/config.sh
+++ b/app/config.sh
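Review bot: The description passed for the installer in the hunk at -814 changes from `"$SIGNATURE_DESC Setup"` to `"$SIGNATURE_DESC Installer"`, which the commit message does not mention and which now differs from the `"$SIGNATURE_DESC Setup"` still passed for setup.exe in the hunk at -793. If the rename is intended, a one-line comment at the call, `# Installer gets its own /d description; setup.exe keeps "Setup"`, would mark it as deliberate; otherwise restore `"$SIGNATURE_DESC Setup"`. The enclosing `if [ $BUILD_WIN == 1 ]` block begins and ends outside the hunk.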
@@ -28,13 +28,7 @@ NOTARIZATION_PASSWORD=""
 # Paths for Windows installer build
 NSIS_DIR='C:\Program Files (x86)\NSIS\'
-# Paths for Windows installer build only necessary for signed binaries
-SIGNTOOL='C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'
-SIGNATURE_DESC='Zotero'
-SIGNATURE_URL='https://www.zotero.org/'
-SIGNTOOL_CERT_SUBJECT="Corporation for Digital Scholarship"
-SIGNTOOL_TIMESTAMP_SERVER="http://timestamp.sectigo.com"
-SIGNTOOL_DELAY=15
+SIGNTOOL_DELAY=5
 # Directory for unpacked binaries
 STAGE_DIR="$DIR/staging"
diff --git a/app/scripts/check_requirements b/app/scripts/check_requirements
index c1232a25bf..a42c67548e 100755
--- a/app/scripts/check_requirements
+++ b/app/scripts/check_requirements
@@ -93,9 +93,9 @@ if [ $platform = "w" ]; then
 echo -n "Checking for uuidgen: "
 which uuidgen || { $FAIL_CMD; FAILED=1; }
- echo -n "Checking for signtool: "
- if [ -x "`cygpath -u \"$SIGNTOOL\"`" ]; then
- echo "`cygpath -u \"$SIGNTOOL\"`"
+ echo -n "Checking for code-signing script: "
+ if [ -x "$APP_ROOT_DIR/win/codesign" ]; then
+ echo "$APP_ROOT_DIR/win/codesign"
 else
 $FAIL_CMD
 FAILED=1
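Review bot: Removing `SIGNATURE_DESC='Zotero'` leaves `$SIGNATURE_DESC` undefined for the codesign calls build.sh still makes in this patch (`"$SIGNATURE_DESC Updater"`, `"$SIGNATURE_DESC Uninstaller"`, `"$SIGNATURE_DESC"`, `"$SIGNATURE_DESC Setup"`, `"$SIGNATURE_DESC Installer"`), so unless it is set in an override file sourced elsewhere (not visible here) the binaries would be signed with a description such as ` Updater`, or the build would abort under `set -u`. Keeping `SIGNATURE_DESC='Zotero'` in this file, or a comment stating where it must now be defined, closes that gap. With the removed comment gone, `SIGNTOOL_DELAY=5` now sits under `# Paths for Windows installer build` although it is not a path, and the change from 15 to 5 is not explained in the commit message; a short comment such as `# Seconds to sleep between signing operations (used only when SIGN=1)` would document it.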
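Review bot: The requirement check tests `-x "$APP_ROOT_DIR/win/codesign"` while build.sh invokes `"$CALLDIR/win/codesign"`; if those two variables are not guaranteed to name the same directory (not visible here), the check can pass and the build still fail, so both should derive the path from the same variable. When the script is missing the `else` branch prints nothing about what is expected, and since `app/win/codesign` is untracked (this patch adds it to .gitignore) a new builder has no hint; adding `echo "app/win/codesign must be an executable taking <file> <description> and signing the file" >&2` before `$FAIL_CMD` would state the contract. The enclosing `if [ $platform = "w" ]` block continues outside the hunk.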