From: Eric Bollengier Date: Thu, 26 Nov 2020 16:43:59 +0000 (+0100) Subject: win32: Sign code when building it X-Git-Tag: Release-11.3.2~830 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f407f252afd19b3f745484a49381f130f072c22d;p=thirdparty%2Fbacula.git win32: Sign code when building it
---
diff --git a/bacula/src/qt-console/make-win32 b/bacula/src/qt-console/make-win32
index 3e3e26995..41056d980 100755
--- a/bacula/src/qt-console/make-win32
+++ b/bacula/src/qt-console/make-win32
@@ -37,6 +37,7 @@ prepare_regw_build()
 echo "Make Windows RegistrationWizard"
 make -j3 -f Makefile.mingw${version} $2
 if test -f RegistrationWizard.exe; then
+ ../../win32/sign-binaries RegistrationWizard.exe
 cp -f RegistrationWizard.exe ../../win32/release${version}
 fi
 rm -f RegistrationWizard.exe
@@ -90,12 +91,13 @@ prepare_bat_build ()
 echo "Make Windows bat"
 make -j3 -f Makefile.mingw${version} $2
 if test -f bat.exe; then
- cp -f bat.exe ../win32/release${version}
+ cp -f bat.exe ../win32/release${version}
 elif test -f release/bat.exe; then
 cp -f release/bat.exe ../win32/release${version}
 else
 cp -f debug/bat.exe ../win32/release${version}
 fi
+ ../win32/sign-binaries ../win32/release${version}/bat.exe
 rm -f bat.exe release/bat.exe debug/bat.exe
 fi
 }
@@ -121,6 +123,7 @@ prepare_tray_monitor_build ()
 else
 cp -f debug/bacula-tray-monitor.exe ../../win32/release${version}
 fi
+ ../../win32/sign-binaries ../../win32/release${version}/bacula-tray-monitor.exe
 rm -f bacula-tray-monitor.exe release/bacula-tray-monitor.exe debug/bacula-tray-monitor.exe
 cd ..
 }
diff --git a/bacula/src/win32/Makefile.rules b/bacula/src/win32/Makefile.rules
index b41d7b5b8..13a087608 100644
--- a/bacula/src/win32/Makefile.rules
+++ b/bacula/src/win32/Makefile.rules
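Review bot: In make-win32, the exit status of `../../win32/sign-binaries RegistrationWizard.exe` in prepare_regw_build is never checked, so the following `cp -f` into `release${version}` runs whether or not signing succeeded; unless the script runs under `set -e`, which these hunks do not show, a signing failure goes unnoticed. The calls added in prepare_bat_build and prepare_tray_monitor_build discard the status in the same way, and there the file is signed after it has already been copied into the release directory. I would gate each call, e.g. `../../win32/sign-binaries RegistrationWizard.exe || exit 1`, and use one order (sign, then copy) in all three functions. All three function bodies start or end outside their hunks.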
@@ -33,12 +33,14 @@ define link_conapp @echo "Linking $@" $(call checkdir,$@) $(ECHO_CMD)$(CXX) $(CFLAGS) $(LDFLAGS) -mconsole $^ $(1) -o $@ + $(BUILDDIR)/sign-binaries $@ endef define link_winapp @echo "Linking $@" $(call checkdir,$@) $(ECHO_CMD)$(CXX) $(CFLAGS) $(LDFLAGS) -mwindows $^ $(1) -o $@ + $(BUILDDIR)/sign-binaries $@ endef define makedbg diff --git a/bacula/src/win32/lib/Makefile b/bacula/src/win32/lib/Makefile index 283a257ab..1a90863b8 100644 --- a/bacula/src/win32/lib/Makefile +++ b/bacula/src/win32/lib/Makefile @@ -175,6 +175,7 @@ $(BINDIR)/bacula.dll: $(DLL_OBJS) bacula$(WIN_VERSION).def @echo "Linking $@" $(call checkdir,$@) $(ECHO_CMD)$(CXX) $(LDFLAGS) -mdll -mwindows -Wl,--out-implib,$(OBJDIR)/bacula.a $^ $(LIBS_DLL) -o $@ + $(BUILDDIR)/sign-binaries $@ bacula$(WIN_VERSION).def: $(DLL_OBJS) ./make_def$(WIN_VERSION) $(DLL_OBJS) >bacula$(WIN_VERSION).def.new && \ diff --git a/bacula/src/win32/sign-binaries b/bacula/src/win32/sign-binaries new file mode 100755 index 000000000..b2d711b46 --- /dev/null +++ b/bacula/src/win32/sign-binaries @@ -0,0 +1,36 @@ +#!/bin/sh +# Copyright (C) 2000-2020 Kern Sibbald +# License: BSD 2-Clause; see file LICENSE-FOSS +# +# Sign binaries if possible with sign_exe script + +DIR=$1 + +if [ "$DIR" = "" ]; then + echo "Usage: $0 | " + exit 1 +fi + +if ! which sign_exe > /dev/null 2> /dev/null +then + exit 0 +fi + +RET=0 + +if [ -d "$DIR" ]; then + for F in "$DIR"/*.exe "$DIR"/*.dll + do + sign_exe "$F" + RET=`expr $RET + $?` + done + +else + for F in $* + do + sign_exe "$F" + RET=`expr $RET + $?` + done +fi + +exit $RET diff --git a/bacula/src/win32/sign-check b/bacula/src/win32/sign-check new file mode 100755 index 000000000..1e586851b --- /dev/null +++ b/bacula/src/win32/sign-check 
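Review bot: When `$(BUILDDIR)/sign-binaries $@` fails in link_conapp or link_winapp, the freshly linked but unsigned `$@` stays on disk with a new timestamp, so the next `make` run treats it as up to date and it can reach the installer unsigned. Unless `.DELETE_ON_ERROR:` is set somewhere outside this diff, remove the target on failure: `$(BUILDDIR)/sign-binaries $@ || { rm -f $@; exit 1; }`. The same holds for the line added to the `$(BINDIR)/bacula.dll` rule in lib/Makefile and for the `../sign-binaries` lines in the two installer Makefiles. The new recipe line also lacks the `$(ECHO_CMD)` prefix that the link line above it carries, so it is presumably echoed even in quiet builds.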
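Review bot: sign-binaries exits 0 without printing anything when `sign_exe` is not on PATH, so a release build on a machine without the signing tool succeeds and produces unsigned binaries with no trace in the log. At minimum write a line to stderr before that `exit 0`, for example `echo "WARNING: sign_exe not found, binaries left unsigned" >&2`, and consider an opt-in strict switch for release builds that turns the missing tool into a failure. `for F in $*` should be `for F in "$@"` so paths containing spaces survive, and the directory branch hands the literal `*.exe` or `*.dll` pattern to `sign_exe` when nothing matches. Summing statuses with `expr $RET + $?` can wrap the final exit code back to 0 modulo 256; setting `RET=1` on any failure, as sign-check does, avoids that.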
@@ -0,0 +1,53 @@ +#!/bin/sh +# Copyright (C) 2000-2020 Kern Sibbald +# License: BSD 2-Clause; see file LICENSE-FOSS +# +# Check if binaries are signed + +DIR=$1 + +if [ "$DIR" = "" ]; then + echo "Usage: $0 | " + exit 1 +fi + +if ! which osslsigncode > /dev/null 2> /dev/null +then + echo "INFO: Not checking signature" + exit 0 +fi + +# Custom program to sign an executable +if ! which sign_exe > /dev/null 2> /dev/null +then + echo "INFO: Not checking signature" + exit 0 +fi + +RET=0 + +if [ -d "$DIR" ]; then + for F in "$DIR"/*.exe "$DIR"/*.dll + do + osslsigncode verify "$F" | grep "Signature verification: ok" + if [ $? != 0 ]; then + echo "Signature verification: failed for $F" + RET=1 + fi + done + +else + for F in $* + do + osslsigncode verify "$F" | grep "Signature verification: ok" + if [ $? != 0 ]; then + echo "Signature verification: failed for $F" + RET=1 + fi + done +fi + +if [ $RET != 0 ]; then + echo "ERROR: Some files are not signed correctly" +fi +exit $RET diff --git a/bacula/src/win32/win32_installer/Makefile b/bacula/src/win32/win32_installer/Makefile index 5b8d09708..b83bb3e24 100644 --- a/bacula/src/win32/win32_installer/Makefile +++ b/bacula/src/win32/win32_installer/Makefile @@ -11,6 +11,8 @@ include ../Makefile.inc +PWD := $(shell pwd) + VERSION := $(shell sed -ne 's/^.define[ \t]VERSION[ \t][ \t]*"\(.*\)"/\1/p' < ../../version.h) RELEASE ?= $(shell awk '/define RELEASE [0-9]+/ { print $$3 }' ../../version.h) @@ -174,5 +176,7 @@ $(foreach file,$(addprefix $(MAINDIR)/, $(LICENSE_FILES)),$(eval $(call Copy_Lic $(INSTALL_EXE): winbacula.nsi $(addprefix release32/,$(BACULA_BINARIES) $(SCRIPT_FILES) $(CAT_FILES) $(DEPKGS_BINARIES) $(NONGCC_BINARIES) $(NONGCC_LIBRARIES) $(MINGW_BINARIES) $(SSL_FILES) $(DIRD_FILES) $(LICENSE_FILES) ) echo "makensis -V3 $(DEFINES) winbacula.nsi" makensis -V3 $(DEFINES) winbacula.nsi + ../sign-binaries ../release32/bacula-*$(VERSION).exe + include $(BUILDDIR)/Makefile.rules 
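Review bot: sign-check is fail-open: when `osslsigncode` or `sign_exe` is missing it prints an INFO line and exits 0, which a caller cannot tell apart from a run in which every file verified; requiring `sign_exe` is also surprising, since verification only calls `osslsigncode`. The test `grep "Signature verification: ok"` accepts any signature that verifies and does not compare the signer with the expected certificate, so a binary carrying some other valid signature would pass; matching the signer details that `osslsigncode verify` prints against an expected value would close that gap. As in sign-binaries, `for F in $*` should be `for F in "$@"`, and an unmatched `"$DIR"/*.dll` pattern is reported as a failed verification. No hunk in this commit invokes sign-check, so it presumably has to be run by hand or by a release script outside this diff.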
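Review bot: `PWD := $(shell pwd)` in win32_installer/Makefile is not referenced by any line visible in this diff, and it overrides the `PWD` value that make imports from the environment. If an absolute path is needed for the signing step, GNU make's built-in `$(CURDIR)` provides it without a shell call; otherwise the assignment can be dropped. The same line is added to win64_installer/Makefile.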
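Review bot: The signing step in the `$(INSTALL_EXE)` rule takes a glob, `../release32/bacula-*$(VERSION).exe`, rather than the file the rule builds, so it also re-signs any other installer matching that pattern left in release32, and it passes the unexpanded pattern to sign-binaries if makensis wrote its output elsewhere. Signing the target itself is tighter: `$(BUILDDIR)/sign-binaries $@`, assuming `$(INSTALL_EXE)` is the path makensis writes (its definition is outside the hunk); that also matches the `$(BUILDDIR)/sign-binaries` spelling used in Makefile.rules. The win64_installer rule has the same glob with release64.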
diff --git a/bacula/src/win32/win64_installer/Makefile b/bacula/src/win32/win64_installer/Makefile index 98008b909..a1d728e2c 100644 --- a/bacula/src/win32/win64_installer/Makefile +++ b/bacula/src/win32/win64_installer/Makefile @@ -8,6 +8,8 @@ include ../Makefile.inc +PWD := $(shell pwd) + VERSION := $(shell sed -ne 's/^.define[ \t]VERSION[ \t][ \t]*"\(.*\)"/\1/p' < ../../version.h) RELEASE ?= $(shell awk '/define RELEASE [0-9]+/ { print $$3 }' ../../version.h) @@ -203,5 +205,6 @@ $(foreach file,$(addprefix $(MAINDIR)/, $(LICENSE_FILES)),$(eval $(call Copy_Lic $(INSTALL_EXE): winbacula.nsi $(addprefix release64/,$(BACULA_BINARIES) $(DEPKGS_BINARIES) $(SSL_FILES) $(LICENSE_FILES)) makensis -V3 $(DEFINES) winbacula.nsi echo " " + ../sign-binaries ../release64/bacula-*$(VERSION).exe include $(BUILDDIR)/Makefile.rules