This is the mail archive of the cygwin-apps mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH setup 4/4] Codesign setup.exe (DO NOT APPLY)


On 12/12/2016 17:30, Corinna Vinschen wrote:
Hi Jon,

On Dec 12 13:29, Jon Turney wrote:
As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html

This is quite straightforward, but unfortunately, requires a non-technical
problem to be solved to complete.

1/ A code signing certificate signed by a CA is required.

Where do we get one which is trusted, can be checked publically,
and doesn't cost any money?

This is a trick question,  right?  You don't :(

Who will be keymaster and with whom do we share the private key?

2/ The signature should be timestamped, so that it remains vaild after the
signing key expires, but I assume you have to use the timestamp service of
the CA that signed the key.

This is more saying that we should use osslsigncode's -t option, but I don't quite know how.

Looking at this again, all the examples I find use a certain CA's timestamp service, so I think perhaps my assumption is wrong.

Not necessarily.  We can workaround that by getting a new key and
release a new setup.

+sign:	upx
+	@if [ -e `which osslsigncode` ]; then \
+		osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key -n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out setup-signed$(EXEEXT) ;\
                                         ^^^^^^^^^
                                         $(srcdir)?

This might not be quite right.  We need to store the cert in a reasonable
safe place, certainly not in srcdir (or git).

Yes, this could be done better.

I added these filesname to .gitignore to make sure they didn't end up in the git repo :)


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]