From c53773a9146cbec6ae77b1f2a1f7c59b21dda7c2 Mon Sep 17 00:00:00 2001
From: Ludvig Strigeus
Date: Mon, 8 Oct 2018 01:21:34 +0200
Subject: [PATCH] Load installer sign keys from outside of repo
---
 build.py | 48 ++++++++++++++++------------
 installer/signplugin.dll | Bin 10752 -> 10752 bytes
 installer/signplugin/.gitignore | 2 +-
 installer/signplugin/ed_signtool.py | 26 ++++++++-------
 installer/signplugin/main.cpp | 5 +--
 installer/tap/tap-windows6.nsi | 1 +
 6 files changed, 45 insertions(+), 37 deletions(-)
diff --git a/build.py b/build.py
index 8bcfe72..f4dedb9 100644
--- a/build.py
+++ b/build.py
@@ -7,14 +7,10 @@ import base64
 import sys
 import zipfile
 import re
+import json
-MSBUILD_PATH = r"C:\Dev\VS2017\MSBuild\15.0\Bin\MSBuild.exe"
-NSIS_PATH = r'C:\Dev\NSIS\makeNSIS.EXE'
-
-
-SIGNTOOL_PATH = r'c:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86\signtool.exe'
-SIGNTOOL_KEY_PATH = "" # path to key file
-SIGNTOOL_PASS = "" # password
+CONFIG = json.loads(open('../misc/config/build_py_conf.json', 'r').read())
+SIGNTOOL_PASS = str(win32crypt.CryptUnprotectData(base64.b64decode(CONFIG["SIGNTOOL_ENC_PASS"]), None, None, None, 0)[1].decode('utf-16-le'))
 def RmTree(path):
 try:
@@ -34,7 +30,7 @@ def CopyFile(src, dst):
 def SignExe(src):
 print ('Signing %s' % src)
- cmd = r'""c:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86\signtool.exe" sign /f "%s" /p %s /t http://timestamp.verisign.com/scripts/timstamp.dll "%s"' % (SIGNTOOL_KEY_PATH, SIGNTOOL_PASS, src)
+ cmd = r'""%s" sign /f "%s" /p %s /t http://timestamp.verisign.com/scripts/timstamp.dll "%s"' % (CONFIG["SIGNTOOL_PATH"], CONFIG["SIGNTOOL_KEY_PATH"], SIGNTOOL_PASS, src)
 #cmd = r'""c:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86\signtool.exe" sign %s ' % (SIGNTOOL_KEY_PATH, )
 x = os.system(cmd)
 if x:
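Review bot: `CONFIG = json.loads(open('../misc/config/build_py_conf.json', 'r').read())` never closes the handle and re-implements `json.load`; `with open('../misc/config/build_py_conf.json', 'r') as f: CONFIG = json.load(f)` does the same in one idiomatic step. The outer `str(...)` on the `SIGNTOOL_PASS` line is a no-op, since `.decode('utf-16-le')` already yields `str` on Python 3 (which the `FileExistsError` handler later in this file implies), so `SIGNTOOL_PASS = win32crypt.CryptUnprotectData(base64.b64decode(CONFIG["SIGNTOOL_ENC_PASS"]), None, None, None, 0)[1].decode('utf-16-le')` is enough. `win32crypt` is not imported in this hunk; unless it is imported above line 7, the module fails at import time. Keeping only a DPAPI blob in the config is the right direction; note that unless the value was protected with the machine scope, `CryptUnprotectData` only succeeds under the same Windows user account that protected it, so the config file is per-build-account.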
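Review bot: The decrypted `SIGNTOOL_PASS` is still spliced unquoted into a shell string for `os.system`, so a password containing a space or a cmd metacharacter (`&`, `|`, `%`) breaks or alters the command, and the cleartext secret sits in the process command line for the duration of the call. `subprocess.run([CONFIG["SIGNTOOL_PATH"], 'sign', '/f', CONFIG["SIGNTOOL_KEY_PATH"], '/p', SIGNTOOL_PASS, '/t', 'http://timestamp.verisign.com/scripts/timstamp.dll', src], check=True)` removes the quoting hazard (`subprocess` does not appear in the visible imports); the command-line exposure is inherent to signtool's `/p` and goes away only if the certificate is imported into the user's store and selected with `/n` or `/sha1` instead of `/f` plus `/p`. SignExe's body continues past the hunk into the `if x:` branch, which `check=True` would replace if that branch only reports and exits.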
@@ -53,36 +49,45 @@ def GetVersion():
 command = sys.argv[1]
-BASE = r'D:\Code\TunSafe'
-
+BASE = os.getcwd()
 if command == 'build_tap':
- Run(r'%s /V4 installer\tap\tap-windows6.nsi' % NSIS_PATH)
+ Run(r'%s /V4 installer\tap\tap-windows6.nsi' % CONFIG["NSIS_PATH"])
 SignExe(r'installer\tap\TunSafe-TAP-9.21.2.exe')
 sys.exit(0)
 if 1:
- RmTree(BASE + r'\Win32\Release')
- RmTree(BASE + r'\x64\Release')
- Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /p:Platform=x64' % MSBUILD_PATH)
- Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /p:Platform=Win32' % MSBUILD_PATH)
+ RmTree(BASE + r'\build')
+ Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /m /p:Platform=x64' % CONFIG["MSBUILD_PATH"])
+ Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /m /p:Platform=Win32' % CONFIG["MSBUILD_PATH"])
 if 1:
- CopyFile(BASE + r'\Win32\Release\TunSafe.exe',
- BASE + r'\installer\x86\TunSafe.exe')
-
+ try:
+ os.mkdir(BASE + r'\installer\x86')
+ except FileExistsError:
+ pass
+ CopyFile(BASE + r'\build\Win32_Release\TunSafe.exe', BASE + r'\installer\x86\TunSafe.exe')
+ CopyFile(BASE + r'\build\Win32_Release\ts.exe', BASE + r'\installer\x86\ts.exe')
 SignExe(BASE + r'\installer\x86\TunSafe.exe')
- CopyFile(BASE + r'\x64\Release\TunSafe.exe',
- BASE + r'\installer\x64\TunSafe.exe')
+ SignExe(BASE + r'\installer\x86\ts.exe')
+
+ try:
+ os.mkdir(BASE + r'\installer\x64')
+ except FileExistsError:
+ pass
+ CopyFile(BASE + r'\build\x64_Release\TunSafe.exe', BASE + r'\installer\x64\TunSafe.exe')
+ CopyFile(BASE + r'\build\x64_Release\ts.exe', BASE + r'\installer\x64\ts.exe')
 SignExe(BASE + r'\installer\x64\TunSafe.exe')
+ SignExe(BASE + r'\installer\x64\ts.exe')
 VERSION = GetVersion()
-Run(r'%s /V4 -DPRODUCT_VERSION=%s installer\tunsafe.nsi ' % (NSIS_PATH, VERSION))
+Run(r'%s /V4 -DPRODUCT_VERSION=%s installer\tunsafe.nsi ' % (CONFIG["NSIS_PATH"], VERSION))
 SignExe(BASE + r'\installer\TunSafe-%s.exe' % VERSION)
 zipf = zipfile.ZipFile(BASE + 
'\installer\TunSafe-%s-x86.zip' % VERSION, 'w', zipfile.ZIP_DEFLATED)
 zipf.write(BASE + r'\installer\x86\TunSafe.exe', 'TunSafe.exe')
+zipf.write(BASE + r'\installer\x86\ts.exe', 'ts.exe')
 zipf.write(BASE + r'\installer\License.txt', 'License.txt')
 zipf.write(BASE + r'\installer\ChangeLog.txt', 'ChangeLog.txt')
 zipf.write(BASE + r'\installer\TunSafe.conf', 'Config\\TunSafe.conf')
@@ -90,6 +95,7 @@ zipf.close()
 zipf = zipfile.ZipFile(BASE + '\installer\TunSafe-%s-x64.zip' % VERSION, 'w', zipfile.ZIP_DEFLATED)
 zipf.write(BASE + r'\installer\x64\TunSafe.exe', 'TunSafe.exe')
+zipf.write(BASE + r'\installer\x64\ts.exe', 'ts.exe')
 zipf.write(BASE + r'\installer\License.txt', 'License.txt')
 zipf.write(BASE + r'\installer\ChangeLog.txt', 'ChangeLog.txt')
 zipf.write(BASE + r'\installer\TunSafe.conf', 'Config\\TunSafe.conf')
diff --git a/installer/signplugin.dll b/installer/signplugin.dll
index ef19ae8ebd964c815c8a66649bcd58e8dc805592..21613cf79d192b33998205e7c02eea555b3e4d37 100644
GIT binary patch
delta 72
zcmZn&X$YC{gGJw?AbR5;6Ilf|`K8)htha_H>6i8-$*Tw#NqV)z0@AE}SV??3*$xWb2`S
Y$(sY@zOaCmPxerj0W&sdD9>O60Pn3I`Tzg`
diff --git a/installer/signplugin/.gitignore b/installer/signplugin/.gitignore
index 99e1bf3..ac56cfb 100644
--- a/installer/signplugin/.gitignore
+++ b/installer/signplugin/.gitignore
@@ -1,3 +1,3 @@
 /Debug/
 /Release/
-/.vs/
\ No newline at end of file
+/.vs/
diff --git a/installer/signplugin/ed_signtool.py b/installer/signplugin/ed_signtool.py
index 3f8d0dd..5652867 100644
--- a/installer/signplugin/ed_signtool.py
+++ b/installer/signplugin/ed_signtool.py
@@ -1,4 +1,4 @@
-import hashlib
+import hashlib, json
 def H(m):
 return hashlib.sha512(m).digest()
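Review bot: `BASE = os.getcwd()` ties every path in this block to the directory the script happens to be run from, a silent change from the removed absolute path: started from anywhere else, `RmTree(BASE + r'\build')` and the CopyFile targets point at the wrong tree. `BASE = os.path.dirname(os.path.abspath(__file__))` pins it to the script's own location; the `'../misc/config/build_py_conf.json'` path in the first hunk is cwd-relative too and would need the same treatment. Each `try: os.mkdir(...) except FileExistsError: pass` block collapses to `os.makedirs(BASE + r'\installer\x86', exist_ok=True)` (likewise for `\x64`). The `build_tap` branch still signs `installer\tap\TunSafe-TAP-9.21.2.exe`, while ed_signtool.py in this same commit switches to `TunSafe-TAP-auto.exe`; if both installers are produced that is fine, otherwise one of the two names is stale.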
@@ -6,17 +6,21 @@ def H(m):
 import ed25519
 import os
-sk = "".join(chr(c) for c in [4, 213, 116, 80, 117, 4, 70, 166, 244, 214, 234, 159, 197, 101, 182, 177, 106, 180, 68, 125, 51, 32, 159, 77, 27, 151, 233, 91, 109, 184, 147, 235])
-pk = "".join(chr(c) for c in [79, 236, 107, 197, 85, 239, 235, 109, 123, 181, 230, 115, 206, 112, 218, 80, 174, 167, 119, 187, 113, 153, 17, 115, 77, 100, 154, 84, 181, 194, 254, 99])
+# Load signing keys from location outside of repo
+keys = json.loads(file('../../../misc/config/installer_signing_key.json', 'r').read())
-hash = H(file('../tap/TunSafe-TAP-9.21.2.exe', 'rb').read())
+def tobin(xs):
+ return "".join(chr(x) for x in xs)
+
+def gen_key():
+ sk = os.urandom(32)
+ pk = ed25519.publickey(sk)
+ print 'sk', [ord(c) for c in sk]
+ print 'pk', [ord(c) for c in pk]
+
+hash = H(file('../tap/TunSafe-TAP-auto.exe', 'rb').read())
 print hash.encode('hex'), repr(hash)
-#sk = os.urandom(32)
-#pk = ed25519.publickey(sk)
-#print 'sk', [ord(c) for c in sk]
-#print 'pk', [ord(c) for c in pk]
-
 #m = 'test'
-s = ed25519.signature(hash,sk,pk)
-file('../tap/TunSafe-TAP-9.21.2.exe.sig', 'wb').write(s.encode('hex'))
+s = ed25519.signature(hash, tobin(keys['PRIVATE_KEY']), tobin(keys['PUBLIC_KEY']))
+file('../tap/TunSafe-TAP-auto.exe.sig', 'wb').write(s.encode('hex'))
diff --git a/installer/signplugin/main.cpp b/installer/signplugin/main.cpp
index db8c2f4..0d23a53 100644
--- a/installer/signplugin/main.cpp
+++ b/installer/signplugin/main.cpp
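Review bot: Deleting the hard-coded `sk` line does not retire that key: the 32-byte seed stays in repository history (here and in the `// sk[...]` comment removed from main.cpp in this commit), so anyone with a clone can still sign installers that the currently shipped plugin accepts. The key should be treated as disclosed: generate a fresh pair with the new `gen_key()`, store it in `installer_signing_key.json` with read access limited to the build account, and make sure `installer_signing_key_pub.h` and the rebuilt `signplugin.dll` carry the new public key — otherwise moving the file out of the repo changes nothing for verification. `keys = json.loads(file(...).read())` leaves the handle open; `with open('../../../misc/config/installer_signing_key.json') as f: keys = json.load(f)` works on the Python 2 this script targets (`print` statements, `file()`). A comment above `gen_key()` stating that it is run by hand and its printed lists are pasted into the JSON would help, since nothing in the script calls it. `hash = ...` shadows the builtin; `digest` would read better but is harmless here.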
@@ -7,12 +7,9 @@ extern "C" {
 // To work with Unicode version of NSIS, please use TCHAR-type
 // functions for accessing the variables and the stack.
- unsigned char buffer[4096];
-// sk[4, 213, 116, 80, 117, 4, 70, 166, 244, 214, 234, 159, 197, 101, 182, 177, 106, 180, 68, 125, 51, 32, 159, 77, 27, 151, 233, 91, 109, 184, 147, 235]
-// pk[79, 236, 107, 197, 85, 239, 235, 109, 123, 181, 230, 115, 206, 112, 218, 80, 174, 167, 119, 187, 113, 153, 17, 115, 77, 100, 154, 84, 181, 194, 254, 99]
-static const unsigned char pk[32] = {79, 236, 107, 197, 85, 239, 235, 109, 123, 181, 230, 115, 206, 112, 218, 80, 174, 167, 119, 187, 113, 153, 17, 115, 77, 100, 154, 84, 181, 194, 254, 99};
+#include "../../../misc/config/installer_signing_key_pub.h"
 int CheckFile(char *file) {
 sha512_state ctx;
diff --git a/installer/tap/tap-windows6.nsi b/installer/tap/tap-windows6.nsi
index 1580ea6..7642fca 100644
--- a/installer/tap/tap-windows6.nsi
+++ b/installer/tap/tap-windows6.nsi
@@ -59,6 +59,7 @@ Name "${PRODUCT_NAME}"
 !define MUI_TEXT_LICENSE_TITLE "Welcome to the TunSafe-TAP installer"
 #!insertmacro MUI_PAGE_WELCOME
+!define MUI_PAGE_CUSTOMFUNCTION_PRE dirPre
 !insertmacro MUI_PAGE_LICENSE "COPYING"
 #!insertmacro MUI_PAGE_COMPONENTS
 !define MUI_PAGE_CUSTOMFUNCTION_PRE dirPre
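Review bot: `#include "../../../misc/config/installer_signing_key_pub.h"` replaces an in-place `static const unsigned char pk[32]` definition, so nothing now checks that the external header defines `pk` with that name and size; a wrong-length array would surface only at install time, as a verification failure or an out-of-bounds read in the code that consumes it. `static_assert(sizeof(pk) == 32, "installer public key must be 32 bytes");` right after the include makes the contract explicit at build time. The global `unsigned char buffer[4096];` is dropped here; if any code after `CheckFile` (outside the hunk) still referenced it the build would break, which the diff cannot show. The modified `installer/signplugin.dll` in this commit presumably embeds the replacement public key; since a binary cannot be reviewed, the commit message should say which key it was built with.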
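Review bot: The added `!define MUI_PAGE_CUSTOMFUNCTION_PRE dirPre` attaches to `MUI_PAGE_LICENSE` the same pre-function that the existing define two lines down attaches to the following page; as far as I recall the MUI page macros consume and undefine that symbol, so the second define is not a redefinition error, but `dirPre` now also runs before the license page. If `dirPre` skips its page with `Abort` under some condition — its body is not in the diff — the license page is now skipped under that same condition, which may be intended but is not stated anywhere. A comment such as `; dirPre also gates the license page, so it is skipped together with the directory page` above the new line would record the intent.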