@eht16 commented on this pull request.
-ts http://zeitstempel.dfn.de/ \
+ -h sha512 \ + -in ${1} \ + -out ${1}-signed + mv ${1}-signed ${1} + else + echo "Skip signing due to missing certificate" + fi +} + + +sign_geany_binaries() { + log "Signing Geany binary files" + for binary_file_pattern in ${GEANY_RELEASE_BINARY_PATTERNS[@]}; do + for binary_file in $(ls ${binary_file_pattern}); do + sign_file ${binary_file}
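Review bot: in `sign_geany_binaries`, `for binary_file in $(ls ${binary_file_pattern})` relies on word-splitting the output of `ls`, which breaks on file names containing whitespace and is unnecessary: `for binary_file in ${binary_file_pattern}` lets the shell expand the glob directly (and `"${GEANY_RELEASE_BINARY_PATTERNS[@]}"` should be quoted for the same reason). In `sign_file`, `mv ${1}-signed ${1}` follows the `osslsigncode` call unconditionally, so unless the script runs under `set -e` (not visible in this hunk) a failed signing step would still overwrite the original; chaining the two with `&&` or checking the exit status first keeps an unsigned or truncated output from replacing the release binary.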
osslsigncode (and probably the original "signcode.exe" tool) is made for signing binary files, see https://github.com/mtrojnar/osslsigncode#what-can-it-do.
To be sure things haven't changed, I tried to sign an arbitrary text file:

```
root@9214a3c76917:/build# osslsigncode sign -certs /certs/cert.pem -key /certs/key.pem -n "Test file" -i "https://www.geany.org/" -ts http://zeitstempel.dfn.de/ -h sha512 -in /etc/wgetrc -out wgetrc-s
Unrecognized file type: /etc/wgetrc
140619785353856:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
140619785353856:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=PKCS8_PRIV_KEY_INFO
140619785353856:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
140619785353856:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:572:
140619785353856:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
140619785353856:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=RSAPrivateKey
140619785353856:error:04093004:rsa routines:old_rsa_priv_decode:RSA lib:../crypto/rsa/rsa_ameth.c:142:
140619785353856:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
140619785353856:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=PKCS8_PRIV_KEY_INFO
Failed
```
Note: for the CI builds, nothing is signed because no certificates are available to the build container. It wouldn't make sense to sign automatically built code since we have no control over the build system and its integrity; how should we tell the user that the generated binaries are really clean? Additionally, we would have to give the build system access to the private key of a certificate, which would mean GitHub could access and, in the worst case, manipulate the certificate. So, CI builds should never be trusted.
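The two failure modes discussed in this comment, a missing certificate in the CI container and a non-PE input that osslsigncode rejects, can both be caught before the signer runs. The following guarded wrapper is an added example, not code from the Geany PR; the certificate and key paths, the `is_pe_file`/`signing_precheck` helper names and the `-n` description are assumptions, and `osslsigncode` is only invoked when the pre-check passes.

```shell
#!/bin/sh
# Added example (not part of the Geany PR): guard the signing step so only
# PE binaries reach osslsigncode and an unsigned file is never silently shipped.
# Paths below are assumed; they mirror the ones in the quoted test session.
CERT_PEM="${CERT_PEM:-/certs/cert.pem}"
KEY_PEM="${KEY_PEM:-/certs/key.pem}"

# Return 0 when the file starts with the "MZ" DOS header every PE file carries.
# A text file such as /etc/wgetrc fails this check instead of failing inside osslsigncode.
is_pe_file() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null)
    [ "$magic" = "MZ" ]
}

# Decide whether a file may be handed to osslsigncode.
# Exit status: 0 = sign, 2 = no certificate (CI build), 3 = not a PE binary.
signing_precheck() {
    if [ ! -r "$CERT_PEM" ] || [ ! -r "$KEY_PEM" ]; then
        echo "skip: no certificate available, leaving $1 unsigned"
        return 2
    fi
    if ! is_pe_file "$1"; then
        echo "skip: $1 is not a PE binary, osslsigncode would reject it"
        return 3
    fi
    return 0
}

# Sign in place, but only replace the original after the new signature verifies.
sign_file() {
    signing_precheck "$1" || return $?
    osslsigncode sign -certs "$CERT_PEM" -key "$KEY_PEM" \
        -n "Geany" -i "https://www.geany.org/" \
        -ts http://zeitstempel.dfn.de/ -h sha512 \
        -in "$1" -out "$1-signed" || return 1
    if ! osslsigncode verify -in "$1-signed" >/dev/null 2>&1; then
        rm -f "$1-signed"
        return 1
    fi
    mv "$1-signed" "$1"
}
```

`signing_precheck` can also be run on its own in CI to list which release files would be left unsigned.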