On 12/12/2016 17:30, Corinna Vinschen wrote:
Hi Jon,
On Dec 12 13:29, Jon Turney wrote:
As discussed in https://cygwin.com/ml/cygwin/2015-04/msg00133.html
This is quite straightforward, but unfortunately, requires a non-technical
problem to be solved to complete.
1/ A code signing certificate signed by a CA is required.
Where do we get one which is trusted, can be checked publically,
and doesn't cost any money?
This is a trick question, right? You don't :(
Who will be keymaster and with whom do we share the private key?
2/ The signature should be timestamped, so that it remains vaild after the
signing key expires, but I assume you have to use the timestamp service of
the CA that signed the key.
This is more saying that we should use osslsigncode's -t option, but I
don't quite know how.
Looking at this again, all the examples I find use a certain CA's
timestamp service, so I think perhaps my assumption is wrong.
Not necessarily. We can workaround that by getting a new key and
release a new setup.
+sign: upx
+ @if [ -e `which osslsigncode` ]; then \
+ osslsigncode sign -certs $(srcdir)/cygwin.crt -key $(srcdir)/cygwin.key
-n "Cygwin setup" -i https://cygwin.com/ -in setup$(EXEEXT) -out
setup-signed$(EXEEXT) ;\
^^^^^^^^^
$(srcdir)?
This might not be quite right. We need to store the cert in a reasonable
safe place, certainly not in srcdir (or git).
Yes, this could be done better.
I added these filesname to .gitignore to make sure they didn't end up in
the git repo :)