Patchwork D10684: pyoxidizer: support code signing

Submitter phabricator
Date May 7, 2021, 12:01 a.m.
Message ID <differential-rev-PHID-DREV-kd25v27nxpqsvtznqrre-req@mercurial-scm.org>
Permalink /patch/49003/
State Superseded

Comments

phabricator - May 7, 2021, 12:01 a.m.
indygreg created this revision.
Herald added a reviewer: hg-reviewers.
Herald added a subscriber: mercurial-patches.

REVISION SUMMARY
  Newer versions of PyOxidizer feature built-in support for
  code signing. You simply declare a code signer in the Starlark
  configuration file, activate it for automatic signing, and
  PyOxidizer will add code signatures to signable files as it
  encounters them.
  
  This commit teaches our Starlark configuration file to enable
  automatic code signing. But only on Windows for the moment, as our
  immediate goal is to overhaul the Windows packaging.
  
  The feature is opt-in: you must pass variables to PyOxidizer's
  build context via `pyoxidizer build --var` or
  `pyoxidizer build --var-env` to activate code signing.

REPOSITORY
  rHG Mercurial

BRANCH
  default

REVISION DETAIL
  https://phab.mercurial-scm.org/D10684

AFFECTED FILES
  rust/hgcli/pyoxidizer.bzl

CHANGE DETAILS




To: indygreg, #hg-reviewers
Cc: mercurial-patches, mercurial-devel

Patch

diff --git a/rust/hgcli/pyoxidizer.bzl b/rust/hgcli/pyoxidizer.bzl
--- a/rust/hgcli/pyoxidizer.bzl
+++ b/rust/hgcli/pyoxidizer.bzl
@@ -8,12 +8,29 @@ 
 #
 # EXTRA_MSI_FEATURES
 #   ; delimited string of extra features to advertise in the built MSA.
+#
+# SIGNING_PFX_PATH
+#   Path to code signing certificate to use.
+#
+# SIGNING_PFX_PASSWORD
+#   Password to code signing PFX file defined by SIGNING_PFX_PATH.
+#
+# SIGNING_SUBJECT_NAME
+#   String fragment in code signing certificate subject name used to find
+#   code signing certificate in Windows certificate store.
+#
+# TIME_STAMP_SERVER_URL
+#   URL of time-stamp token authority (RFC 3161) servers to stamp code signatures.
 
 ROOT = CWD + "/../.."
 
 VERSION = VARS.get("VERSION", "5.8")
 MSI_NAME = VARS.get("MSI_NAME", "mercurial")
 EXTRA_MSI_FEATURES = VARS.get("EXTRA_MSI_FEATURES")
+SIGNING_PFX_PATH = VARS.get("SIGNING_PFX_PATH")
+SIGNING_PFX_PASSWORD = VARS.get("SIGNING_PFX_PASSWORD", "")
+SIGNING_SUBJECT_NAME = VARS.get("SIGNING_SUBJECT_NAME")
+TIME_STAMP_SERVER_URL = VARS.get("TIME_STAMP_SERVER_URL", "http://timestamp.digicert.com")
 
 IS_WINDOWS = "windows" in BUILD_TARGET_TRIPLE
 
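Review bot: the SIGNING_PFX_PASSWORD doc comment should steer users toward `pyoxidizer build --var-env` rather than `--var` for this one variable, since a password passed on the command line ends up in process listings and shell history; a line such as `#   Prefer passing this via --var-env so the secret does not land on the command line.` under the existing description would do. Two smaller points in the same block: the TIME_STAMP_SERVER_URL comment says "servers" while the variable holds a single URL, and the plain `http://` default is fine (RFC 3161 time-stamp tokens are signed by the TSA, so transport security is not what protects them) but a short remark saying so would pre-empt the question in later review.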
@@ -230,6 +247,24 @@ 
     return wix
 
 
+def register_code_signers():
+    if not IS_WINDOWS:
+        return
+
+    if SIGNING_PFX_PATH:
+        signer = code_signer_from_pfx_file(SIGNING_PFX_PATH, SIGNING_PFX_PASSWORD)
+    elif SIGNING_SUBJECT_NAME:
+        signer = code_signer_from_windows_store_subject(SIGNING_SUBJECT_NAME)
+    else:
+        signer = None
+
+    if signer:
+        signer.set_time_stamp_server(TIME_STAMP_SERVER_URL)
+        signer.activate()
+
+
+register_code_signers()
+
 register_target("distribution", make_distribution)
 register_target("exe", make_exe, depends = ["distribution"])
 register_target("app", make_manifest, depends = ["distribution", "exe"], default = True)
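Review bot: register_code_signers() is a silent no-op when neither SIGNING_PFX_PATH nor SIGNING_SUBJECT_NAME is set, and when both are set the PFX path wins without any notice, so a release build that quietly ships unsigned binaries is hard to spot from the build output. Consider emitting a message (Starlark `print`) in the `else` branch saying that no code signer was registered, and likewise when a signing variable is supplied on a non-Windows target where the early `return` discards it, and document the PFX-over-subject-name precedence in the header comment. With a message in the `else` branch the `if signer:` guard becomes redundant if that branch returns early.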