Load installer sign keys from outside of repo

This commit is contained in:
Ludvig Strigeus 2018-10-08 01:21:34 +02:00
parent 121ca4c398
commit c53773a914
6 changed files with 45 additions and 37 deletions

View file

@ -7,14 +7,10 @@ import base64
import sys
import zipfile
import re
import json
MSBUILD_PATH = r"C:\Dev\VS2017\MSBuild\15.0\Bin\MSBuild.exe"
NSIS_PATH = r'C:\Dev\NSIS\makeNSIS.EXE'
SIGNTOOL_PATH = r'c:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86\signtool.exe'
SIGNTOOL_KEY_PATH = "" # path to key file
SIGNTOOL_PASS = "" # password
CONFIG = json.loads(open('../misc/config/build_py_conf.json', 'r').read())
SIGNTOOL_PASS = str(win32crypt.CryptUnprotectData(base64.b64decode(CONFIG["SIGNTOOL_ENC_PASS"]), None, None, None, 0)[1].decode('utf-16-le'))
def RmTree(path):
try:
@ -34,7 +30,7 @@ def CopyFile(src, dst):
def SignExe(src):
print ('Signing %s' % src)
cmd = r'""c:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86\signtool.exe" sign /f "%s" /p %s /t http://timestamp.verisign.com/scripts/timstamp.dll "%s"' % (SIGNTOOL_KEY_PATH, SIGNTOOL_PASS, src)
cmd = r'""%s" sign /f "%s" /p %s /t http://timestamp.verisign.com/scripts/timstamp.dll "%s"' % (CONFIG["SIGNTOOL_PATH"], CONFIG["SIGNTOOL_KEY_PATH"], SIGNTOOL_PASS, src)
#cmd = r'""c:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x86\signtool.exe" sign %s ' % (SIGNTOOL_KEY_PATH, )
x = os.system(cmd)
if x:
@ -53,36 +49,45 @@ def GetVersion():
command = sys.argv[1]
BASE = r'D:\Code\TunSafe'
BASE = os.getcwd()
if command == 'build_tap':
Run(r'%s /V4 installer\tap\tap-windows6.nsi' % NSIS_PATH)
Run(r'%s /V4 installer\tap\tap-windows6.nsi' % CONFIG["NSIS_PATH"])
SignExe(r'installer\tap\TunSafe-TAP-9.21.2.exe')
sys.exit(0)
if 1:
RmTree(BASE + r'\Win32\Release')
RmTree(BASE + r'\x64\Release')
Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /p:Platform=x64' % MSBUILD_PATH)
Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /p:Platform=Win32' % MSBUILD_PATH)
RmTree(BASE + r'\build')
Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /m /p:Platform=x64' % CONFIG["MSBUILD_PATH"])
Run('%s TunSafe.sln /t:Clean;Rebuild /p:Configuration=Release /m /p:Platform=Win32' % CONFIG["MSBUILD_PATH"])
if 1:
CopyFile(BASE + r'\Win32\Release\TunSafe.exe',
BASE + r'\installer\x86\TunSafe.exe')
try:
os.mkdir(BASE + r'\installer\x86')
except FileExistsError:
pass
CopyFile(BASE + r'\build\Win32_Release\TunSafe.exe', BASE + r'\installer\x86\TunSafe.exe')
CopyFile(BASE + r'\build\Win32_Release\ts.exe', BASE + r'\installer\x86\ts.exe')
SignExe(BASE + r'\installer\x86\TunSafe.exe')
CopyFile(BASE + r'\x64\Release\TunSafe.exe',
BASE + r'\installer\x64\TunSafe.exe')
SignExe(BASE + r'\installer\x86\ts.exe')
try:
os.mkdir(BASE + r'\installer\x64')
except FileExistsError:
pass
CopyFile(BASE + r'\build\x64_Release\TunSafe.exe', BASE + r'\installer\x64\TunSafe.exe')
CopyFile(BASE + r'\build\x64_Release\ts.exe', BASE + r'\installer\x64\ts.exe')
SignExe(BASE + r'\installer\x64\TunSafe.exe')
SignExe(BASE + r'\installer\x64\ts.exe')
VERSION = GetVersion()
Run(r'%s /V4 -DPRODUCT_VERSION=%s installer\tunsafe.nsi ' % (NSIS_PATH, VERSION))
Run(r'%s /V4 -DPRODUCT_VERSION=%s installer\tunsafe.nsi ' % (CONFIG["NSIS_PATH"], VERSION))
SignExe(BASE + r'\installer\TunSafe-%s.exe' % VERSION)
zipf = zipfile.ZipFile(BASE + '\installer\TunSafe-%s-x86.zip' % VERSION, 'w', zipfile.ZIP_DEFLATED)
zipf.write(BASE + r'\installer\x86\TunSafe.exe', 'TunSafe.exe')
zipf.write(BASE + r'\installer\x86\ts.exe', 'ts.exe')
zipf.write(BASE + r'\installer\License.txt', 'License.txt')
zipf.write(BASE + r'\installer\ChangeLog.txt', 'ChangeLog.txt')
zipf.write(BASE + r'\installer\TunSafe.conf', 'Config\\TunSafe.conf')
@ -90,6 +95,7 @@ zipf.close()
zipf = zipfile.ZipFile(BASE + '\installer\TunSafe-%s-x64.zip' % VERSION, 'w', zipfile.ZIP_DEFLATED)
zipf.write(BASE + r'\installer\x64\TunSafe.exe', 'TunSafe.exe')
zipf.write(BASE + r'\installer\x64\ts.exe', 'ts.exe')
zipf.write(BASE + r'\installer\License.txt', 'License.txt')
zipf.write(BASE + r'\installer\ChangeLog.txt', 'ChangeLog.txt')
zipf.write(BASE + r'\installer\TunSafe.conf', 'Config\\TunSafe.conf')

Binary file not shown.

View file

@ -1,3 +1,3 @@
/Debug/
/Release/
/.vs/
/.vs/

View file

@ -1,4 +1,4 @@
import hashlib
import hashlib, json
def H(m):
return hashlib.sha512(m).digest()
@ -6,17 +6,21 @@ def H(m):
import ed25519
import os
sk = "".join(chr(c) for c in [4, 213, 116, 80, 117, 4, 70, 166, 244, 214, 234, 159, 197, 101, 182, 177, 106, 180, 68, 125, 51, 32, 159, 77, 27, 151, 233, 91, 109, 184, 147, 235])
pk = "".join(chr(c) for c in [79, 236, 107, 197, 85, 239, 235, 109, 123, 181, 230, 115, 206, 112, 218, 80, 174, 167, 119, 187, 113, 153, 17, 115, 77, 100, 154, 84, 181, 194, 254, 99])
# Load signing keys from location outside of repo
keys = json.loads(file('../../../misc/config/installer_signing_key.json', 'r').read())
hash = H(file('../tap/TunSafe-TAP-9.21.2.exe', 'rb').read())
def tobin(xs):
return "".join(chr(x) for x in xs)
def gen_key():
sk = os.urandom(32)
pk = ed25519.publickey(sk)
print 'sk', [ord(c) for c in sk]
print 'pk', [ord(c) for c in pk]
hash = H(file('../tap/TunSafe-TAP-auto.exe', 'rb').read())
print hash.encode('hex'), repr(hash)
#sk = os.urandom(32)
#pk = ed25519.publickey(sk)
#print 'sk', [ord(c) for c in sk]
#print 'pk', [ord(c) for c in pk]
#m = 'test'
s = ed25519.signature(hash,sk,pk)
file('../tap/TunSafe-TAP-9.21.2.exe.sig', 'wb').write(s.encode('hex'))
s = ed25519.signature(hash, tobin(keys['PRIVATE_KEY']), tobin(keys['PUBLIC_KEY']))
file('../tap/TunSafe-TAP-auto.exe.sig', 'wb').write(s.encode('hex'))

View file

@ -7,12 +7,9 @@ extern "C" {
// To work with Unicode version of NSIS, please use TCHAR-type
// functions for accessing the variables and the stack.
unsigned char buffer[4096];
// sk[4, 213, 116, 80, 117, 4, 70, 166, 244, 214, 234, 159, 197, 101, 182, 177, 106, 180, 68, 125, 51, 32, 159, 77, 27, 151, 233, 91, 109, 184, 147, 235]
// pk[79, 236, 107, 197, 85, 239, 235, 109, 123, 181, 230, 115, 206, 112, 218, 80, 174, 167, 119, 187, 113, 153, 17, 115, 77, 100, 154, 84, 181, 194, 254, 99]
static const unsigned char pk[32] = {79, 236, 107, 197, 85, 239, 235, 109, 123, 181, 230, 115, 206, 112, 218, 80, 174, 167, 119, 187, 113, 153, 17, 115, 77, 100, 154, 84, 181, 194, 254, 99};
#include "../../../misc/config/installer_signing_key_pub.h"
int CheckFile(char *file) {
sha512_state ctx;

View file

@ -59,6 +59,7 @@ Name "${PRODUCT_NAME}"
!define MUI_TEXT_LICENSE_TITLE "Welcome to the TunSafe-TAP installer"
#!insertmacro MUI_PAGE_WELCOME
!define MUI_PAGE_CUSTOMFUNCTION_PRE dirPre
!insertmacro MUI_PAGE_LICENSE "COPYING"
#!insertmacro MUI_PAGE_COMPONENTS
!define MUI_PAGE_CUSTOMFUNCTION_PRE dirPre