30 | | 1. Run ''buildtap.py'' on the build computer, using the SHA1 certificate for signing. Make sure to include the correct cross-certificate and to timestamp the signature. Creating the installer (buildtap.py -p) does not make any sense right here. |
31 | | 1. Copy tap6.tar.gz to the signing computer |
32 | | 1. Unpack tap6.tar.gz on the signing computer |
33 | | 1. Copy pre-built 32-bit and 64-bit tapinstall.exe's to ''tap6/i386'' and ''tap6/amd64'', respectively |
34 | | 1. Append signatures to ''tapinstall.exe'' and ''tap0901.cat'' files. The [https://github.com/mattock/sign-tap6/ Sign-Tap6 tool] is a convenient way to do this. Ensure you're using the correct cross-certificate and that you timestamp the signature. |
35 | | 1. Copy the dual-signed files back to the build computer |
36 | | 1. Copy the contents of the dual-signed tap6 directory to ''dist'' in tap-windows6 build root. |
37 | | 1. Run ''buildtap.py'' again using the same parameters as before, but ensure you do not ''clean'' (-c) or ''build'' (-b). You should only ''package'' (-p) the dist directory into an installer. |
38 | | 1. Copy the resulting ''installer'' to the code-signing computer, and append a signature to it using the EV SHA2 certificate. Right now, this process has not been automated, but the command-line is fairly easy to construct manually by looking at [https://github.com/mattock/sign-tap6/ Sign-Tap6.ps1]. |
| 28 | The actual build/signing procedure is rather convoluted. |
44 | | === Installing certificates === |
| 34 | {{{ |
| 35 | $ python buildtap.py -b <certificate-options> |
| 36 | }}} |
| 37 | |
| 38 | '''NOTE:''' using the "-c" switch will wipe out any pre-built tapinstall.exe's in the ''tapinstall'' directory, so be careful with it. |
| 39 | |
| 40 | Copy the following files to the ''code-signing computer'': |
| 41 | |
| 42 | * tap6.tar.gz |
| 43 | * 32-bit tapinstall.exe (renamed to tapinstall32.exe) |
| 44 | * 64-bit tapinstall.exe (renamed to tapinstall64.exe) |
| 45 | |
| 46 | '''On code-signing computer''' |
| 47 | |
| 48 | Clone the [https://github.com/mattock/sign-tap6/ Sign-Tap6] repository. Copy ''tap6.tar.gz'' to the ''sign-tap6'' directory and extract it: |
| 49 | |
| 50 | {{{ |
| 51 | $ tar -zxf tap6.tar.gz |
| 52 | }}} |
| 53 | |
| 54 | Move tapinstall.exe's to the ''tap6'' directory: |
| 55 | |
| 56 | {{{ |
| 57 | $ mv tapinstall32.exe tap6/i386 |
| 58 | $ mv tapinstall64.exe tap6/amd64 |
| 59 | }}} |
| 60 | |
| 61 | Next append secondary signatures to ''tapinstall.exe'' and ''tap0901.cat'' files under ''tap6'' using [https://github.com/mattock/sign-tap6/ Sign-Tap6.ps1]. Ensure that you're using the correct cross-certificate and that you timestamp the signature. |
| 62 | |
| 63 | Now wrap the dual-signed files into a tarball (e.g. using Git Bash): |
| 64 | |
| 65 | {{{ |
| 66 | $ tar -zxf tap6-dual-signed.tar.gz tap6 |
| 67 | }}} |
| 68 | |
| 69 | Copy the dual-signed tarball back to the ''build computer''. |
| 70 | |
| 71 | '''On build computer''' |
| 72 | |
| 73 | Extract contents of tap6-dual-signed.tar.gz to tap-windows6 root: |
| 74 | |
| 75 | {{{ |
| 76 | $ rm -rf dist tap6 |
| 77 | $ tar -zxf tap6-dual-signed.tar.gz |
| 78 | $ mv tap6 dist |
| 79 | }}} |
| 80 | |
| 81 | Run ''buildtap.py'' again using the same parameters as before, but ensure that you do not ''clean'' (-c) or ''build'' (-b). You should only ''package'' (-p) the dist directory into an installer. Copy the resulting ''installer'' to the ''code-signing computer'', or sign the installer using a user-mode code-signing SHA2 certificate on the ''build computer'' itself. |
| 82 | |
| 83 | '''On code-signing computer''' |
| 84 | |
| 85 | Append a signature to the tap-windows-<versio>-<buildnum>.exe using ''Sign-Tap6.ps1''. Make sure you use the EV SHA2 certificate. Right now this process has not been automated, but the command-line is fairly easy to construct manually by looking at [https://github.com/mattock/sign-tap6/ Sign-Tap6.ps1]. |
| 86 | |
| 87 | ---- |
| 88 | |
| 89 | If this process sounds complicated, that's because it is. At some point would make sense to adapt buildtap.py to add both signatures automatically, which would simplify the process dramatically. However, that would require porting buildtap.py to Windows Kit 10, which would require a non-trivial amount of work. |
| 90 | |
| 91 | = Useful commands = |
| 92 | |
| 93 | == Installing certificates == |
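Review bot: The "wrap the dual-signed files into a tarball" step at new line 66 runs `tar -zxf tap6-dual-signed.tar.gz tap6`, which extracts instead of creating an archive. With no tap6-dual-signed.tar.gz present yet, the command fails. It should be `tar -zcf tap6-dual-signed.tar.gz tap6`. Two smaller points in the same hunk: new line 85 has the placeholder `<versio>` where `<version>` is meant, and new line 81 allows signing the installer with a user-mode SHA2 certificate on the build computer while new line 85 says to make sure the EV SHA2 certificate is used, so the text should state which of the two is required or when each is acceptable. Since the procedure moves tap6.tar.gz and the dual-signed tarball between two machines (new lines 40-44 and 69), consider adding a step to compare a checksum of each tarball on both sides, and a step to confirm that both signatures are present on ''tapinstall.exe'' and ''tap0901.cat'' before the packaging run at new line 81.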