From: Jon Turney <jon.turney@dronecode.org.uk>
To: cygwin-apps@cygwin.com
Subject: Re: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)
Date: Tue, 13 Dec 2016 14:36:00 -0000 [thread overview]
Message-ID: <d297016e-f777-e1f3-19c1-a42469612947@dronecode.org.uk> (raw)
In-Reply-To: <20161212173051.GD3705@calimero.vinschen.de>
On 12/12/2016 17:30, Corinna Vinschen wrote:
> Hi Jon,
>
> On Dec 12 13:29, Jon Turney wrote:
>> As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
>>
>> This is quite straightforward, but unfortunately, requires a non-technical
>> problem to be solved to complete.
>>
>> 1/ A code signing certificate signed by a CA is required.
>
> Where do we get one which is trusted, can be checked publically,
> and doesn't cost any money?
This is a trick question, right? You don't :(
> Who will be keymaster and with whom do we share the private key?
>
>> 2/ The signature should be timestamped, so that it remains vaild after the
>> signing key expires, but I assume you have to use the timestamp service of
>> the CA that signed the key.
This is more saying that we should use osslsigncode's -t option, but I
don't quite know how.
Looking at this again, all the examples I find use a certain CA's
timestamp service, so I think perhaps my assumption is wrong.
> Not necessarily. We can workaround that by getting a new key and
> release a new setup.
>
>> +sign: upx
>> + @if [ -e `which osslsigncode` ]; then \
>> + osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\
> ^^^^^^^^^
> $(srcdir)?
>
> This might not be quite right. We need to store the cert in a reasonable
> safe place, certainly not in srcdir (or git).
Yes, this could be done better.
I added these filesname to .gitignore to make sure they didn't end up in
the git repo :)
next prev parent reply other threads:[~2016-12-13 14:36 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-12 13:30 [PATCH setup 0/4] Various setup patches Jon Turney
2016-12-12 13:30 ` [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY) Jon Turney
2016-12-12 17:31 ` Corinna Vinschen
2016-12-12 18:47 ` Achim Gratz
2016-12-13 8:30 ` Corinna Vinschen
2016-12-13 18:33 ` Achim Gratz
2016-12-13 20:01 ` Corinna Vinschen
2016-12-13 14:36 ` Jon Turney [this message]
2016-12-12 13:30 ` [PATCH setup 3/4] Remove unused grammar for dependent package architecture information Jon Turney
2016-12-12 13:30 ` [PATCH setup 1/4] Use English button labels 'Keep', 'Current' and 'Test' Jon Turney
2016-12-12 13:30 ` [PATCH setup 2/4] Fully initialize PROPSHEETPAGE Jon Turney
2016-12-12 17:25 ` [PATCH setup 0/4] Various setup patches Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d297016e-f777-e1f3-19c1-a42469612947@dronecode.org.uk \
--to=jon.turney@dronecode.org.uk \
--cc=cygwin-apps@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).