win32: Sign code when building it

diff --git a/bacula/src/qt-console/make-win32 b/bacula/src/qt-console/make-win32
index 3e3e26995b0f56282ab17149764acc56cabdff5d..41056d980b2f8e1f8aa45d9ae32acb53452c09cc 100755 (executable)
--- a/bacula/src/qt-console/make-win32
+++ b/bacula/src/qt-console/make-win32
@@ -37,6 +37,7 @@ prepare_regw_build()
       echo "Make Windows RegistrationWizard"
       make -j3 -f Makefile.mingw${version} $2
       if test -f RegistrationWizard.exe; then
+          ../../win32/sign-binaries RegistrationWizard.exe
           cp -f RegistrationWizard.exe ../../win32/release${version}
       fi
       rm -f RegistrationWizard.exe
@@ -90,12 +91,13 @@ prepare_bat_build ()
       echo "Make Windows bat"
       make -j3 -f Makefile.mingw${version} $2
       if test -f bat.exe; then
-                cp -f bat.exe ../win32/release${version}
+          cp -f bat.exe ../win32/release${version}
       elif test -f release/bat.exe; then
          cp -f release/bat.exe ../win32/release${version}
       else
          cp -f debug/bat.exe ../win32/release${version}
       fi
+      ../win32/sign-binaries ../win32/release${version}/bat.exe
       rm -f bat.exe release/bat.exe debug/bat.exe
    fi
 }
@@ -121,6 +123,7 @@ prepare_tray_monitor_build ()
     else
        cp -f debug/bacula-tray-monitor.exe ../../win32/release${version}
     fi
+    ../../win32/sign-binaries ../../win32/release${version}/bacula-tray-monitor.exe
     rm -f bacula-tray-monitor.exe release/bacula-tray-monitor.exe debug/bacula-tray-monitor.exe
     cd ..
 }

diff --git a/bacula/src/win32/Makefile.rules b/bacula/src/win32/Makefile.rules
index b41d7b5b81dda8ed4d6dcfc961aaa698e65a8430..13a08760814f5a53970d97d16e6f83388e1a5883 100644 (file)
--- a/bacula/src/win32/Makefile.rules
+++ b/bacula/src/win32/Makefile.rules
@@ -33,12 +33,14 @@ define link_conapp
        @echo "Linking $@"
        $(call checkdir,$@)
        $(ECHO_CMD)$(CXX) $(CFLAGS) $(LDFLAGS) -mconsole $^ $(1) -o $@
+        $(BUILDDIR)/sign-binaries $@
 endef
 
 define link_winapp
        @echo "Linking $@"
        $(call checkdir,$@)
        $(ECHO_CMD)$(CXX) $(CFLAGS) $(LDFLAGS) -mwindows $^ $(1) -o $@
+        $(BUILDDIR)/sign-binaries $@
 endef
 
 define makedbg

diff --git a/bacula/src/win32/lib/Makefile b/bacula/src/win32/lib/Makefile
index 283a257ab7e167d837c9dbbaf57443c4854ba75a..1a90863b84397e8f04b56605c482d2af1349331a 100644 (file)
--- a/bacula/src/win32/lib/Makefile
+++ b/bacula/src/win32/lib/Makefile
@@ -175,6 +175,7 @@ $(BINDIR)/bacula.dll: $(DLL_OBJS) bacula$(WIN_VERSION).def
        @echo "Linking $@"
        $(call checkdir,$@)
        $(ECHO_CMD)$(CXX) $(LDFLAGS) -mdll -mwindows -Wl,--out-implib,$(OBJDIR)/bacula.a $^ $(LIBS_DLL) -o $@
+       $(BUILDDIR)/sign-binaries $@
 
 bacula$(WIN_VERSION).def: $(DLL_OBJS)
        ./make_def$(WIN_VERSION) $(DLL_OBJS) >bacula$(WIN_VERSION).def.new && \

diff --git a/bacula/src/win32/sign-binaries b/bacula/src/win32/sign-binaries
new file mode 100755 (executable)
index 0000000..b2d711b
--- /dev/null
+++ b/bacula/src/win32/sign-binaries
@@ -0,0 +1,36 @@
+#!/bin/sh
+# Copyright (C) 2000-2020 Kern Sibbald
+# License: BSD 2-Clause; see file LICENSE-FOSS
+#
+# Sign binaries if possible with sign_exe script
+
+DIR=$1
+
+if [ "$DIR" = "" ]; then
+    echo "Usage: $0 <directory> | <file> <file> <file>"
+    exit 1
+fi
+
+if ! which sign_exe > /dev/null 2> /dev/null
+then
+   exit 0
+fi
+
+RET=0
+
+if [ -d "$DIR" ]; then
+    for F in "$DIR"/*.exe "$DIR"/*.dll
+    do
+        sign_exe "$F"
+        RET=`expr $RET + $?`
+    done
+
+else
+    for F in $*
+    do
+        sign_exe "$F"
+        RET=`expr $RET + $?`
+    done
+fi
+
+exit $RET

diff --git a/bacula/src/win32/sign-check b/bacula/src/win32/sign-check
new file mode 100755 (executable)
index 0000000..1e58685
--- /dev/null
+++ b/bacula/src/win32/sign-check
@@ -0,0 +1,53 @@
+#!/bin/sh
+# Copyright (C) 2000-2020 Kern Sibbald
+# License: BSD 2-Clause; see file LICENSE-FOSS
+#
+# Check if binaries are signed
+
+DIR=$1
+
+if [ "$DIR" = "" ]; then
+    echo "Usage: $0 <directory> | <file> <file> <file>"
+    exit 1
+fi
+
+if ! which osslsigncode > /dev/null 2> /dev/null
+then
+   echo "INFO: Not checking signature"
+   exit 0
+fi
+
+# Custom program to sign an executable
+if ! which sign_exe > /dev/null 2> /dev/null
+then
+   echo "INFO: Not checking signature"
+   exit 0
+fi
+
+RET=0
+
+if [ -d "$DIR" ]; then
+    for F in "$DIR"/*.exe "$DIR"/*.dll
+    do
+        osslsigncode verify "$F" | grep "Signature verification: ok"
+        if [ $? != 0 ]; then
+            echo "Signature verification: failed for $F"
+            RET=1
+        fi
+    done
+
+else
+    for F in $*
+    do
+        osslsigncode verify "$F" | grep "Signature verification: ok"
+        if [ $? != 0 ]; then
+            echo "Signature verification: failed for $F"
+            RET=1
+        fi
+    done
+fi
+
+if [ $RET != 0 ]; then
+    echo "ERROR: Some files are not signed correctly"
+fi
+exit $RET

diff --git a/bacula/src/win32/win32_installer/Makefile b/bacula/src/win32/win32_installer/Makefile
index 5b8d09708c1ace955d34a6ca0ac9987505bb4ed9..b83bb3e242d4816a6362c06d2636e307cbaa3c17 100644 (file)
--- a/bacula/src/win32/win32_installer/Makefile
+++ b/bacula/src/win32/win32_installer/Makefile
@@ -11,6 +11,8 @@
 
 include ../Makefile.inc
 
+PWD   := $(shell pwd)
+
 VERSION := $(shell sed -ne 's/^.define[ \t]VERSION[ \t][ \t]*"\(.*\)"/\1/p' < ../../version.h)
 RELEASE ?= $(shell awk '/define RELEASE [0-9]+/ { print $$3 }' ../../version.h)
 
@@ -174,5 +176,7 @@ $(foreach file,$(addprefix $(MAINDIR)/, $(LICENSE_FILES)),$(eval $(call Copy_Lic
 $(INSTALL_EXE): winbacula.nsi $(addprefix release32/,$(BACULA_BINARIES) $(SCRIPT_FILES) $(CAT_FILES) $(DEPKGS_BINARIES) $(NONGCC_BINARIES) $(NONGCC_LIBRARIES) $(MINGW_BINARIES) $(SSL_FILES) $(DIRD_FILES) $(LICENSE_FILES) )
        echo "makensis -V3 $(DEFINES) winbacula.nsi"
        makensis -V3 $(DEFINES) winbacula.nsi
+       ../sign-binaries ../release32/bacula-*$(VERSION).exe
+
 
 include $(BUILDDIR)/Makefile.rules

diff --git a/bacula/src/win32/win64_installer/Makefile b/bacula/src/win32/win64_installer/Makefile
index 98008b9097824d5ad1c02f6d64d6a02319e76416..a1d728e2c8d6be308d3cc31f65e514e4cd3917ba 100644 (file)
--- a/bacula/src/win32/win64_installer/Makefile
+++ b/bacula/src/win32/win64_installer/Makefile
@@ -8,6 +8,8 @@
 
 include ../Makefile.inc
 
+PWD   := $(shell pwd)
+
 VERSION := $(shell sed -ne 's/^.define[ \t]VERSION[ \t][ \t]*"\(.*\)"/\1/p' < ../../version.h)
 RELEASE ?= $(shell awk '/define RELEASE [0-9]+/ { print $$3 }' ../../version.h)
 
@@ -203,5 +205,6 @@ $(foreach file,$(addprefix $(MAINDIR)/, $(LICENSE_FILES)),$(eval $(call Copy_Lic
 $(INSTALL_EXE): winbacula.nsi $(addprefix release64/,$(BACULA_BINARIES) $(DEPKGS_BINARIES) $(SSL_FILES) $(LICENSE_FILES))
        makensis -V3 $(DEFINES) winbacula.nsi
        echo " "
+       ../sign-binaries ../release64/bacula-*$(VERSION).exe
 
 include $(BUILDDIR)/Makefile.rules