| Summary: | Need support for signing windows exes | ||
|---|---|---|---|
| Product: | Community | Reporter: | Thomas Watson <tjwatson> |
| Component: | Servers | Assignee: | Thanh Ha <thanh.ha> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | P2 | CC: | aniefer, daniel_megert, denis.roy, john.arthorne, kim.moir, mike.milinkovich, remy.suen, samw, stephen.francisco |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | Windows All | ||
| Whiteboard: | |||
| Bug Depends on: | |||
| Bug Blocks: | 319419 | ||

Description
Thomas Watson

Can't we just replace the EXE with a batch file :-) I'll start looking at what's required to get this working. I'm guessing it's only going to work on the Windows 7 slave. -M.

I've installed the tools on our Windows 7 hudson slave (presently connected to our 'new' master instance). I'll need someone with build and signing experience on Windows to help get everything tested and verified. -M.

> I'll need someone with build and signing experience on Windows to help get
> everything tested and verified.

How about just downloading the win32 Eclipse ZIP file, extracting it, and attempting to sign eclipse.exe?
Then download the entire thing to your Windows box and try it out. Success if you don't get a warning, failure if you do?

I wasn't sure if I should comment here or in bug 319419, but I guess we need a new hudson job for this. Either a new job for Equinox "equinox-sign-win32" (accessible to aniefer, tjwatson, kmoir), or a generic job that anyone can use to sign an exe (accessible to people with signing permission?). If we use an equinox specific job, a hint about what the command line for the tool looks like would also be good. We'd probably stick an ant script or batch file in /cvsroot/rt/org.eclipse.equinox/framework/releng/org.eclipse.equinox.launcher.releng

I've created an equinox job to get things started. My best advice on the command line would be the links here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=319419#c3. That's why I was asking for help testing this. I can tell you the sign tool is installed here: c:\Program Files\Microsoft SDKs\Windows\v7.0\Bin . -M.

The piece I'm not sure about is the certificate. From here, http://msdn.microsoft.com/en-us/library/aa387764%28VS.85%29.aspx it looks like we need to specify the certificate file:

/f SignCertFile: Specifies the signing certificate in a file. Only the Personal Information Exchange (PFX) file format is supported. You can use the PVK2PFX.exe tool to convert SPC and PVK files to PFX format.

The alternative seems to be having the certificate in a store. I'm assuming this is the same certificate we use for signing bundles, perhaps we need a script to encapsulate this in the same way we do there.

I've managed to convert our signing key into the Microsoft desired type. I also created a script called 'sign' and added that to the hudson user's path. So you should just be able to call: sign c:\path\to\my.file in your build scripts. -M.

Is this something that can be done in 3.6.2 (and later) builds?

(In reply to comment #9)
> Is this something that can be done in 3.6.2 (and later) builds?

Can you be more specific about what you'd like to do? -M.

(In reply to comment #10)
> (In reply to comment #9)
> > Is this something that can be done in 3.6.2 (and later) builds?
>
> Can you be more specific about what you'd like to do?
>
> -M.

The desired behaviour is for the eclipse.exe to have an embedded manifest to trigger the UAC prompt on Vista and then when the prompt comes up, it be properly signed.

This bug is about adding infrastructure for signing executables at the foundation. From Matt's comment #8 it sounds like this is completed. The only thing remaining is for a project that has executables to try this out and report if there are any problems with it. One such project of course is the Platform, which produces eclipse.exe. Bug 319419 covers the task of adding signing support in the Eclipse Platform build to sign eclipse.exe.

I believe Thanh has been working on this. Stay tuned.

(In reply to comment #13)
> I believe Thanh has been working on this. Stay tuned.

I think we really, really need to be signing the Windows .exe files for the next release.

Thanh, what do you need to make this happen?

(In reply to comment #14)
> (In reply to comment #13)
> > I believe Thanh has been working on this. Stay tuned.
>
> I think we really, really need to be signing the Windows .exe files for the
> next release.
>
> Thanh, what do you need to make this happen?

The scripts exist, we just need to set this up on a server somewhere. It works similar to the jarsigner service that exists today. The script also needs a copy of the ssl cert in Microsoft's format. We can discuss this after EclipseCon.

> The script also needs a copy of the ssl cert in Microsoft's format. We can
> discuss this after EclipseCon.

The Mac and Windows scripts have been added to the web-based signing service, and I've updated the docs: http://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service_.28Instant.29

Matt, when you get a moment, can you transform our code signing cert into the format that MS wants so we can close this one?

The signing service is now available and instructions on how to use it can be found on the wiki:
http://wiki.eclipse.org/IT_Infrastructure_Doc#Web_service_.28Instant.29