Load installer sign keys from outside of repo

2018-10-08 01:21:34 +02:00 · 2018-10-08 01:21:34 +02:00 · c53773a914
commit c53773a914
parent 121ca4c398
6 changed files with 45 additions and 37 deletions
--- a/build.py
+++ b/build.py
@ -7,14 +7,10 @@ import base64
 import sys
 import zipfile
 import re
 import json
-MSBUILD_PATH = r"C:\Dev\VS2017\MSBuild\15.0\Bin\MSBuild.exe"
+CONFIG = json.loads(open('../misc/config/build_py_conf.json', 'r').read())
-NSIS_PATH = r'C:\Dev\NSIS\makeNSIS.EXE'
+SIGNTOOL_PASS = str(win32crypt.CryptUnprotectData(base64.b64decode(CONFIG["SIGNTOOL_ENC_PASS"]), None, None, None, 0)[1].decode('utf-16-le'))
 SIGNTOOL_PATH = r'c:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86\signtool.exe'
 SIGNTOOL_KEY_PATH = "" # path to key file
 SIGNTOOL_PASS = "" # password
 def RmTree(path):
  try:
@ -34,7 +30,7 @@ def CopyFile(src, dst):
 def SignExe(src):
  print ('Signing %s' % src)
-  cmd = r'""c:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86\signtool.exe" sign /f "%s" /p %s /t http://timestamp.verisign.com/scripts/timstamp.dll "%s"' % (SIGNTOOL_KEY_PATH, SIGNTOOL_PASS, src)
+  cmd = r'""%s" sign /f "%s" /p %s /t http://timestamp.verisign.com/scripts/timstamp.dll "%s"' % (CONFIG["SIGNTOOL_PATH"], CONFIG["SIGNTOOL_KEY_PATH"], SIGNTOOL_PASS, src)
  #cmd = r'""c:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86\signtool.exe" sign %s ' % (SIGNTOOL_KEY_PATH, )
  x = os.system(cmd)
  if x:
@ -53,36 +49,45 @@ def GetVersion():
 command = sys.argv[1]
-BASE = r'D:\Code\TunSafe'
+BASE = os.getcwd()
 if command == 'build_tap':
-  Run(r'%s /V4 installer\tap\tap-windows6.nsi'  % NSIS_PATH)
+  Run(r'%s /V4 installer\tap\tap-windows6.nsi'  % CONFIG["NSIS_PATH"])
  SignExe(r'installer\tap\TunSafe-TAP-9.21.2.exe')
  sys.exit(0)
 if 1:
-  RmTree(BASE + r'\Win32\Release')
+  RmTree(BASE + r'\build')
-  RmTree(BASE + r'\x64\Release')
+  Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /m /p:Platform=x64' % CONFIG["MSBUILD_PATH"])
-  Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /p:Platform=x64' % MSBUILD_PATH)
+  Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /m /p:Platform=Win32' % CONFIG["MSBUILD_PATH"])
  Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /p:Platform=Win32' % MSBUILD_PATH)
 if 1:
-  CopyFile(BASE + r'\Win32\Release\TunSafe.exe',
+  try:
-           BASE + r'\installer\x86\TunSafe.exe')
+    os.mkdir(BASE + r'\installer\x86')
-
+  except FileExistsError:
    pass
  CopyFile(BASE + r'\build\Win32_Release\TunSafe.exe', BASE + r'\installer\x86\TunSafe.exe')
  CopyFile(BASE + r'\build\Win32_Release\ts.exe', BASE + r'\installer\x86\ts.exe')
  SignExe(BASE + r'\installer\x86\TunSafe.exe')
-  CopyFile(BASE + r'\x64\Release\TunSafe.exe',
+  SignExe(BASE + r'\installer\x86\ts.exe')
-           BASE + r'\installer\x64\TunSafe.exe')
+
  try:
    os.mkdir(BASE + r'\installer\x64')
  except FileExistsError:
    pass
  CopyFile(BASE + r'\build\x64_Release\TunSafe.exe',   BASE + r'\installer\x64\TunSafe.exe')
  CopyFile(BASE + r'\build\x64_Release\ts.exe',   BASE + r'\installer\x64\ts.exe')
  SignExe(BASE + r'\installer\x64\TunSafe.exe')
  SignExe(BASE + r'\installer\x64\ts.exe')
 VERSION = GetVersion()
-Run(r'%s /V4 -DPRODUCT_VERSION=%s installer\tunsafe.nsi ' % (NSIS_PATH, VERSION))
+Run(r'%s /V4 -DPRODUCT_VERSION=%s installer\tunsafe.nsi ' % (CONFIG["NSIS_PATH"], VERSION))
 SignExe(BASE + r'\installer\TunSafe-%s.exe' % VERSION)
 zipf = zipfile.ZipFile(BASE + '\installer\TunSafe-%s-x86.zip' % VERSION, 'w', zipfile.ZIP_DEFLATED)
 zipf.write(BASE + r'\installer\x86\TunSafe.exe', 'TunSafe.exe')
 zipf.write(BASE + r'\installer\x86\ts.exe', 'ts.exe')
 zipf.write(BASE + r'\installer\License.txt', 'License.txt')
 zipf.write(BASE + r'\installer\ChangeLog.txt', 'ChangeLog.txt')
 zipf.write(BASE + r'\installer\TunSafe.conf', 'Config\\TunSafe.conf')
@ -90,6 +95,7 @@ zipf.close()
 zipf = zipfile.ZipFile(BASE + '\installer\TunSafe-%s-x64.zip' % VERSION, 'w', zipfile.ZIP_DEFLATED)
 zipf.write(BASE + r'\installer\x64\TunSafe.exe', 'TunSafe.exe')
 zipf.write(BASE + r'\installer\x64\ts.exe', 'ts.exe')
 zipf.write(BASE + r'\installer\License.txt', 'License.txt')
 zipf.write(BASE + r'\installer\ChangeLog.txt', 'ChangeLog.txt')
 zipf.write(BASE + r'\installer\TunSafe.conf', 'Config\\TunSafe.conf')
--- a/installer/signplugin.dll
+++ b/installer/signplugin.dll
--- a/installer/signplugin/ed_signtool.py
+++ b/installer/signplugin/ed_signtool.py
@ -1,4 +1,4 @@
-import hashlib
+import hashlib, json
 def H(m):
  return hashlib.sha512(m).digest()
@ -6,17 +6,21 @@ def H(m):
 import ed25519
 import os
-sk = "".join(chr(c) for c in [4, 213, 116, 80, 117, 4, 70, 166, 244, 214, 234, 159, 197, 101, 182, 177, 106, 180, 68, 125, 51, 32, 159, 77, 27, 151, 233, 91, 109, 184, 147, 235])
+# Load signing keys from location outside of repo
-pk = "".join(chr(c) for c in [79, 236, 107, 197, 85, 239, 235, 109, 123, 181, 230, 115, 206, 112, 218, 80, 174, 167, 119, 187, 113, 153, 17, 115, 77, 100, 154, 84, 181, 194, 254, 99])
+keys = json.loads(file('../../../misc/config/installer_signing_key.json', 'r').read())
-hash = H(file('../tap/TunSafe-TAP-9.21.2.exe', 'rb').read()) 
+def tobin(xs):
  return "".join(chr(x) for x in xs)
 def gen_key():
  sk = os.urandom(32)
  pk = ed25519.publickey(sk)
  print 'sk', [ord(c) for c in sk]
  print 'pk', [ord(c) for c in pk]
 hash = H(file('../tap/TunSafe-TAP-auto.exe', 'rb').read()) 
 print hash.encode('hex'), repr(hash)
 #sk = os.urandom(32)
 #pk = ed25519.publickey(sk)
 #print 'sk', [ord(c) for c in sk]
 #print 'pk', [ord(c) for c in pk]
 #m = 'test'
-s = ed25519.signature(hash,sk,pk)
+s = ed25519.signature(hash, tobin(keys['PRIVATE_KEY']), tobin(keys['PUBLIC_KEY']))
-file('../tap/TunSafe-TAP-9.21.2.exe.sig', 'wb').write(s.encode('hex'))
+file('../tap/TunSafe-TAP-auto.exe.sig', 'wb').write(s.encode('hex'))
--- a/installer/signplugin/main.cpp
+++ b/installer/signplugin/main.cpp
@ -7,12 +7,9 @@ extern "C" {
 // To work with Unicode version of NSIS, please use TCHAR-type
 // functions for accessing the variables and the stack.
 unsigned char buffer[4096];
-// sk[4, 213, 116, 80, 117, 4, 70, 166, 244, 214, 234, 159, 197, 101, 182, 177, 106, 180, 68, 125, 51, 32, 159, 77, 27, 151, 233, 91, 109, 184, 147, 235]
+#include "../../../misc/config/installer_signing_key_pub.h"
 // pk[79, 236, 107, 197, 85, 239, 235, 109, 123, 181, 230, 115, 206, 112, 218, 80, 174, 167, 119, 187, 113, 153, 17, 115, 77, 100, 154, 84, 181, 194, 254, 99]
 static const unsigned char pk[32] = {79, 236, 107, 197, 85, 239, 235, 109, 123, 181, 230, 115, 206, 112, 218, 80, 174, 167, 119, 187, 113, 153, 17, 115, 77, 100, 154, 84, 181, 194, 254, 99};
 int CheckFile(char *file) {
  sha512_state ctx;
--- a/installer/tap/tap-windows6.nsi
+++ b/installer/tap/tap-windows6.nsi
@ -59,6 +59,7 @@ Name "${PRODUCT_NAME}"
 !define MUI_TEXT_LICENSE_TITLE "Welcome to the TunSafe-TAP installer"
 #!insertmacro MUI_PAGE_WELCOME
 !define MUI_PAGE_CUSTOMFUNCTION_PRE dirPre
 !insertmacro MUI_PAGE_LICENSE "COPYING"
 #!insertmacro MUI_PAGE_COMPONENTS
 !define MUI_PAGE_CUSTOMFUNCTION_PRE dirPre