diff --git a/common/windows/delphi/ext/sentry/test/Makefile b/common/windows/delphi/ext/sentry/test/Makefile index 63fc664b011..b2e92bb8964 100644 --- a/common/windows/delphi/ext/sentry/test/Makefile +++ b/common/windows/delphi/ext/sentry/test/Makefile @@ -4,7 +4,8 @@ !include ..\..\..\Defines.mak -build: dirs # version.res manifest.res +build: dirs +# version.res manifest.res $(DELPHI_MSBUILD) SentryClientTest.dproj "/p:Platform=Win32" $(DELPHI_MSBUILD) SentryClientVclTest.dproj "/p:Platform=Win32" diff --git a/common/windows/delphi/tools/Makefile b/common/windows/delphi/tools/Makefile index a9c1151473a..2ea11ab2372 100644 --- a/common/windows/delphi/tools/Makefile +++ b/common/windows/delphi/tools/Makefile @@ -7,7 +7,7 @@ NOTARGET_SIGNCODE=yes !ifdef NODELPHI TARGETS=.virtual !else -TARGETS=build_standards_data buildunidata devtools sentrytool test-klog +TARGETS=build_standards_data buildunidata devtools sentrytool test-klog verify_signatures !endif CLEANS=clean-tools @@ -28,6 +28,10 @@ buildunidata: .virtual cd $(COMMON_ROOT)\tools\buildunidata $(MAKE) $(TARGET) +verify_signatures: .virtual + cd $(COMMON_ROOT)\tools\verify_signatures + $(MAKE) $(TARGET) + devtools: .virtual !ifdef NODELPHI echo Skipping devtools diff --git a/common/windows/delphi/tools/verify_signatures/Makefile b/common/windows/delphi/tools/verify_signatures/Makefile new file mode 100644 index 00000000000..0f67747665e --- /dev/null +++ b/common/windows/delphi/tools/verify_signatures/Makefile @@ -0,0 +1,13 @@ +# +# test for signatures and version information being correct in ?install directory or ?bin directory +# + +!include ..\..\Defines.mak + +build: + $(DELPHI_MSBUILD) verify_signatures.dproj + copy sigcheck.bin $(WIN32_TARGET_PATH)\sigcheck.exe + +clean: def-clean + +!include ..\..\Target.mak 
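Review bot: In the new common/windows/delphi/tools/verify_signatures/Makefile, `copy sigcheck.bin $(WIN32_TARGET_PATH)\sigcheck.exe` turns a checked-in binary into the executable that the release signature check depends on, and nothing in the file records where that binary came from or which version it is. A comment above the copy naming the upstream tool, its version and its expected hash, for example `# sigcheck.bin: <tool name and version>, SHA-256 <expected hash>`, would let a reviewer confirm the blob has not been swapped, and a hash comparison before the copy would enforce it. The header comment still says "?install directory or ?bin directory", which does not describe this Makefile, since it only builds the tool.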
diff --git a/windows/src/test/test_i3633/sigcheck.bin b/common/windows/delphi/tools/verify_signatures/sigcheck.bin similarity index 100% rename from windows/src/test/test_i3633/sigcheck.bin rename to common/windows/delphi/tools/verify_signatures/sigcheck.bin diff --git a/windows/src/test/test_i3633/verify.dpr b/common/windows/delphi/tools/verify_signatures/verify_signatures.dpr similarity index 86% rename from windows/src/test/test_i3633/verify.dpr rename to common/windows/delphi/tools/verify_signatures/verify_signatures.dpr index b3707d84617..49478ac3edf 100644 --- a/windows/src/test/test_i3633/verify.dpr +++ b/common/windows/delphi/tools/verify_signatures/verify_signatures.dpr @@ -1,4 +1,4 @@ -program verify; +program verify_signatures; {$APPTYPE CONSOLE} @@ -36,6 +36,7 @@ begin Delete(s,1,1); end; + // TODO: sign these files and move the check down to the EndsWith node test if str[0].ToLower.Contains('sentry.') or str[0].ToLower.Contains('crashpad_handler') or str[0].ToLower.Contains('keymanmc') then // We don't verify sentry.dll or sentry.x64.dll or crashpad_handler.exe because they're not our files // We don't verify keymanmc.dll because it has no version resources, as it is mc-generated @@ -62,6 +63,14 @@ begin end; end; + if str[0].ToLower.EndsWith('node') then + begin + // It's one of the node addons -- in developer server at time of writing + // we don't have a version resource but we have signed it, so treat it + // as valid + Exit(''); + end; + if str[3] <> 'SIL International' then begin Exit('File has wrong company name'); 
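Review bot: The added `if str[0].ToLower.EndsWith('node') then` test in the `@@ -62,6 +63,14 @@` hunk matches any path whose last four characters are "node", not only files with a `.node` extension, and every match returns `''` before the company-name check. Narrowing it to `if str[0].ToLower.EndsWith('.node') then` keeps the exemption to the addons the comment describes. The function starts above the hunk, so it is not visible whether the signature and `-d` timestamp checks have already run at this point. If any of them sit below this insertion, the early `Exit('')` skips them as well and the comment's "we have signed it" is not enforced.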
@@ -90,7 +99,7 @@ begin if (ParamStr(1) = '-?') or (ParamCount < 1) then begin - writeln('verify [-d] VERSION.md: Verify the output of sigcheck to ensure all executables are signed and have proper version.'); + writeln('verify_signatures [-d] VERSION.md: Verify the output of sigcheck to ensure all executables are signed and have proper version.'); writeln(' -d: Check the timestamp on the signature is less than 2 days old.'); writeln(' VERSION.md: path to the version to verify against'); Halt(2); diff --git a/windows/src/test/test_i3633/verify.dproj b/common/windows/delphi/tools/verify_signatures/verify_signatures.dproj similarity index 99% rename from windows/src/test/test_i3633/verify.dproj rename to common/windows/delphi/tools/verify_signatures/verify_signatures.dproj index e23aeb3a4d8..323353c79b9 100644 --- a/windows/src/test/test_i3633/verify.dproj +++ b/common/windows/delphi/tools/verify_signatures/verify_signatures.dproj @@ -3,7 +3,7 @@ {A6DCA558-8DD0-4FFF-8DAE-F305AB8D2AF4} 18.8 None - verify.dpr + verify_signatures.dpr True Debug Win32 @@ -45,7 +45,7 @@ true - verify + verify_signatures $(BDS)\bin\delphi_PROJECTICNS.icns $(BDS)\bin\delphi_PROJECTICON.ico bindcompfmx;fmx;rtl;dbrtl;DbxClientDriver;bindcomp;inetdb;DBXInterBaseDriver;xmlrtl;DbxCommonDriver;DBXMySQLDriver;dbxcds;soaprtl;bindengine;CustomIPTransport;dsnap;fmxase;inet;fmxobj;inetdbxpress;fmxdae;dbexpress;$(DCC_UsePackage) @@ -161,7 +161,7 @@ - verify.dpr + verify_signatures.dpr Microsoft Office 2000 Sample Automation Server Wrapper Components diff --git a/windows/src/test/test_i3633/verify.res b/common/windows/delphi/tools/verify_signatures/verify_signatures.res similarity index 100% rename from windows/src/test/test_i3633/verify.res rename to common/windows/delphi/tools/verify_signatures/verify_signatures.res diff --git a/developer/src/Makefile b/developer/src/Makefile index 0c6c81ece6b..6a1cf398e51 100644 --- a/developer/src/Makefile +++ b/developer/src/Makefile 
@@ -153,6 +153,8 @@ do-build-release: $(MAKE) build-release-dependencies $(MAKE) "SIGNCODE_BUILD=SIGNCODE_BUILD" build test $(MAKE) signcode + cd $(DEVELOPER_ROOT)\src\tools\verify_signatures + $(MAKE) test cd $(DEVELOPER_ROOT)\src\inst $(MAKE) diff --git a/developer/src/inst/download.in.mak b/developer/src/inst/download.in.mak index eeadd67ac0a..871f4b012c0 100644 --- a/developer/src/inst/download.in.mak +++ b/developer/src/inst/download.in.mak @@ -26,6 +26,9 @@ copykmdev: makeinstaller make-kmcomp-install-zip -mkdir $(DEVELOPER_ROOT)\release\$Version copy /Y $(DEVELOPER_ROOT)\src\inst\keymandeveloper.msi $(DEVELOPER_ROOT)\release\$Version\keymandeveloper.msi copy /Y $(DEVELOPER_ROOT)\src\inst\keymandeveloper-$Version.exe $(DEVELOPER_ROOT)\release\$Version\keymandeveloper-$Version.exe + $(SIGCHECK) $(DEVELOPER_ROOT)\release\$Version\* > sig1 + $(VERIFY_SIGNATURES) < sig1 + -del sig1 test-releaseexists: if exist $(DEVELOPER_ROOT)\release\$Version\keymandeveloper*.msi echo. & echo Release $Version already exists. Delete it or update VERSION.md and try again & exit 1 diff --git a/developer/src/server/Makefile b/developer/src/server/Makefile index eef73908049..9c865755740 100644 --- a/developer/src/server/Makefile +++ b/developer/src/server/Makefile @@ -14,7 +14,10 @@ clean: .virtual -del tsconfig.tsbuildinfo signcode: - @rem nothing to do + $(SIGNCODE) /d "Keyman Developer" $(DEVELOPER_PROGRAM)\server\dist\win32\console\node-hide-console-window.node + $(SIGNCODE) /d "Keyman Developer" $(DEVELOPER_PROGRAM)\server\dist\win32\console\node-hide-console-window.x64.node + $(SIGNCODE) /d "Keyman Developer" $(DEVELOPER_PROGRAM)\server\dist\win32\trayicon\addon.node + $(SIGNCODE) /d "Keyman Developer" $(DEVELOPER_PROGRAM)\server\dist\win32\trayicon\addon.x64.node wrap-symbols: @rem nothing to do diff --git a/developer/src/tools/verify_signatures/Makefile b/developer/src/tools/verify_signatures/Makefile new file mode 100644 index 00000000000..003f6aa5d50 --- /dev/null 
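Review bot: In the download.in.mak hunk, the added `$(SIGCHECK) $(DEVELOPER_ROOT)\release\$Version\* > sig1` runs with the `-e` switch from the `SIGCHECK` macro, which restricts sigcheck to executable images, so keymandeveloper.msi copied two lines above is probably not listed in sig1 and would pass unverified. Confirm that the MSI appears in the sigcheck output for this directory, or add a separate signature check for it. The matching three lines added to copyredist-desktop in windows/src/desktop/inst/download.in should be checked the same way for any non-PE artefacts in the release folder. The copykmdev recipe continues outside the hunk.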
+++ b/developer/src/tools/verify_signatures/Makefile @@ -0,0 +1,19 @@ +# +# test for signatures and version information being correct in bin folder +# + +!include ..\..\Defines.mak + +test: prereq + $(SIGCHECK) $(DEVELOPER_PROGRAM)\* > sig1 + $(VERIFY_SIGNATURES) < sig1 + +# prereq may not be needed? +prereq: + cd $(VERIFY_SIGNATURES_PATH) + $(MAKE) + +clean: def-clean + -del sig1 + +!include ..\..\Target.mak diff --git a/windows/src/Defines.mak b/windows/src/Defines.mak index bf8f77b9987..9506dfa6df0 100644 --- a/windows/src/Defines.mak +++ b/windows/src/Defines.mak @@ -322,3 +322,12 @@ SYMSTORE="C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symstore.exe" add /compress /f CLEAN=-del /S /Q + +# +# Signature checks +# + +VERIFY_SIGNATURES_PATH=$(KEYMAN_ROOT)\common\windows\delphi\tools\verify_signatures +# Note: hyphen prefix is important to ignore return value from sigcheck +SIGCHECK=-$(VERIFY_SIGNATURES_PATH)\$(WIN32_TARGET_PATH)\sigcheck -q -s -e -v -accepteula +VERIFY_SIGNATURES=$(VERIFY_SIGNATURES_PATH)\$(WIN32_TARGET_PATH)\verify_signatures -d $(KEYMAN_ROOT)\VERSION.md diff --git a/windows/src/Makefile b/windows/src/Makefile index 7dda8852632..e9048fcf71b 100644 --- a/windows/src/Makefile +++ b/windows/src/Makefile @@ -81,7 +81,7 @@ support: global $(MAKE) $(TARGET) cd $(ROOT)\src -test: +test: .virtual cd $(ROOT)\src\test $(MAKE) $(TARGET) cd $(ROOT)\src diff --git a/windows/src/desktop/inst/download.in b/windows/src/desktop/inst/download.in index 0bf062eeba4..17b832210cc 100644 --- a/windows/src/desktop/inst/download.in +++ b/windows/src/desktop/inst/download.in 
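Review bot: `test: prereq` and `prereq:` in the new developer/src/tools/verify_signatures/Makefile are command targets but are not marked `.virtual`, unlike `verify_signatures: .virtual` and the `test: .virtual` change made elsewhere in this commit. If a file or directory named `prereq` or `test` ever exists in this folder, nmake can treat the target as up to date and the signature check is skipped without an error. Suggest `test: prereq .virtual` and `prereq: .virtual`. The same two targets in windows/src/test/verify_signatures/Makefile need the same change.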
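Review bot: The leading `-` in `SIGCHECK=-$(VERIFY_SIGNATURES_PATH)\$(WIN32_TARGET_PATH)\sigcheck ...` in the Defines.mak hunk makes nmake ignore every non-zero exit from that line, including the case where sigcheck.exe is missing or fails to start, so `sig1` can end up empty and the verdict rests entirely on `verify_signatures`. Whether verify_signatures fails on empty or truncated input is not visible in this commit; if it does not, the check passes with nothing verified. The note above the macro should state that dependency, for example `# Note: hyphen prefix ignores sigcheck's exit code; verify_signatures must fail when its input is empty`.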
@@ -17,6 +17,10 @@ copyredist-desktop: copy /Y keymandesktop.exe $(ROOT)\release\$Version\keyman-$Version.exe copy /Y $(ROOT)\bin\desktop\setup.exe $(ROOT)\release\$Version\setup.exe + $(SIGCHECK) $(ROOT)\release\$Version\* > sig1 + $(VERIFY_SIGNATURES) < sig1 + -del sig1 + # Copy the unsigned setup.exe for use in bundling scenarios; zip it up for clarity $(WZZIP) $(ROOT)\release\$Version\setup-redist.zip $(ROOT)\bin\desktop\setup-redist.exe diff --git a/windows/src/desktop/insthelp/Makefile b/windows/src/desktop/insthelp/Makefile index b3d4dcdf070..b1ca957636e 100644 --- a/windows/src/desktop/insthelp/Makefile +++ b/windows/src/desktop/insthelp/Makefile @@ -11,9 +11,9 @@ build: version.res dirs $(COPY) $(WIN32_TARGET_PATH)\insthelp.exe $(ROOT)\bin\desktop\insthelp.exe test-manifest: - # test that (a) linked manifest exists and correct, and (b) has uiAccess=true +# test that (a) linked manifest exists and correct, and (b) has uiAccess=true @rem $(MT) -nologo -inputresource:$(PROGRAM)\desktop\insthelp.exe -validate_manifest - # TODO: Investigate why no manifest included? +# TODO: Investigate why no manifest included? clean: def-clean diff --git a/windows/src/desktop/kmconfig/Makefile b/windows/src/desktop/kmconfig/Makefile index d7f308f9d65..98028758335 100644 --- a/windows/src/desktop/kmconfig/Makefile +++ b/windows/src/desktop/kmconfig/Makefile @@ -21,7 +21,7 @@ wrap-symbols: $(SYMSTORE) $(DEBUGPATH)\desktop\kmconfig.dbg /t keyman-windows test-manifest: - # test that linked manifest exists and correct +# test that linked manifest exists and correct $(MT) -nologo -inputresource:$(PROGRAM)\desktop\kmconfig.exe -validate_manifest install: diff --git a/windows/src/desktop/kmshell/Makefile b/windows/src/desktop/kmshell/Makefile index caaa7da54e0..773942d0a1b 100644 --- a/windows/src/desktop/kmshell/Makefile +++ b/windows/src/desktop/kmshell/Makefile 
@@ -39,7 +39,7 @@ wrap-symbols: $(SYMSTORE) $(DEBUGPATH)\desktop\kmshell.dbg /t keyman-windows test-manifest: - # test that (a) linked manifest exists and correct, and (b) has uiAccess=true +# test that (a) linked manifest exists and correct, and (b) has uiAccess=true $(MT) -nologo -inputresource:$(PROGRAM)\desktop\kmshell.exe -validate_manifest install: .virtual diff --git a/windows/src/support/charident/Makefile b/windows/src/support/charident/Makefile index dd6721c5c0a..cff67416776 100644 --- a/windows/src/support/charident/Makefile +++ b/windows/src/support/charident/Makefile @@ -15,6 +15,6 @@ signcode: wrap-symbols: $(SYMSTORE) $(PROGRAM)\support\charident.exe /t keyman-windows - #TODO: $(SYMSTORE) $(DEBUGPATH)\support\charident.dbg /t keyman-windows +#TODO: $(SYMSTORE) $(DEBUGPATH)\support\charident.dbg /t keyman-windows !include ..\..\Target.mak diff --git a/windows/src/support/km_yim/Makefile b/windows/src/support/km_yim/Makefile index f0f93e6fe22..1aef5f80f02 100644 --- a/windows/src/support/km_yim/Makefile +++ b/windows/src/support/km_yim/Makefile @@ -4,12 +4,13 @@ !include ..\..\Defines.mak -build: # version.res +build: +# version.res $(DCC32) km_yim.dpr rem $(TDSPACK) $(PROGRAM)\desktop\km_yim.exe km_yim.tds rem $(TDS2DBG) $(PROGRAM)\desktop\km_yim.exe $(WZZIP) inst_km_yim.zip km_yim.exe - # $(WZSE) inst_km_yim -setup -t inst_km_yim.dialog.txt -st "Tavultesoft Keyman Desktop Yahoo Messenger Addin" -c km_yim.exe +# $(WZSE) inst_km_yim -setup -t inst_km_yim.dialog.txt -st "Tavultesoft Keyman Desktop Yahoo Messenger Addin" -c km_yim.exe clean: def-clean if exist inst_km_yim.zip del inst_km_yim.zip diff --git a/windows/src/test/Makefile b/windows/src/test/Makefile index 5df2892dfad..2087f3d8a00 100644 --- a/windows/src/test/Makefile +++ b/windows/src/test/Makefile 
@@ -4,12 +4,14 @@ # ---------------------------------------------------------------------- +# TODO: both test-manifest-exec and verify_signatures are really part of buildtools + !ifdef NODELPHI TARGETS=.virtual !else -TARGETS=test_i3633 +TARGETS=verify_signatures !endif -CLEAN=test_i3633 +CLEAN=verify_signatures test: test-manifest-exec $(MAKE) "TARGET=test" $(TARGETS) @@ -22,10 +24,10 @@ test-manifest-exec: $(MAKE) test-manifest cd test -# test_i3633: validate certificates and binary metadata on executables -# TODO: Move this to buildtools -test_i3633: - cd $(ROOT)\src\test\test_i3633 +# validate certificates and binary metadata on executables +# TODO: move to buildtools? +verify_signatures: .virtual + cd $(ROOT)\src\test\verify_signatures $(MAKE) $(TARGET) # ---------------------------------------------------------------------- diff --git a/windows/src/test/test_i3633/Makefile b/windows/src/test/test_i3633/Makefile deleted file mode 100644 index 575d77e7e83..00000000000 --- a/windows/src/test/test_i3633/Makefile +++ /dev/null @@ -1,31 +0,0 @@ -# -# test for signatures and version information being correct in ?install directory or ?bin directory -# - -!include ..\..\Defines.mak - -SIGCHECK=-$(WIN32_TARGET_PATH)\sigcheck -q -s -e -v -accepteula -VERIFY=$(WIN32_TARGET_PATH)\verify -d $(KEYMAN_ROOT)\VERSION.md - -test: test-bin - -test-bin: prereq - $(SIGCHECK) $(ROOT)\bin\desktop\* > sig1 - $(SIGCHECK) $(ROOT)\bin\developer\* >> sig1 - $(SIGCHECK) $(ROOT)\bin\engine\* >> sig1 - $(SIGCHECK) $(ROOT)\bin\inst\* >> sig1 - $(VERIFY) < sig1 - -test-install: prereq - - -prereq: - $(DELPHI_MSBUILD) verify.dproj "/p:Platform=Win32" - copy sigcheck.bin $(WIN32_TARGET_PATH)\sigcheck.exe - - -clean: def-clean - -del sig1 - -del sig2 - -!include ..\..\Target.mak diff --git a/windows/src/test/verify_signatures/Makefile b/windows/src/test/verify_signatures/Makefile new file mode 100644 index 00000000000..607e5d22cf9 --- /dev/null +++ b/windows/src/test/verify_signatures/Makefile 
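Review bot: `CLEAN=verify_signatures` in the first hunk of windows/src/test/Makefile assigns the same macro name that windows/src/Defines.mak uses for a command (`CLEAN=-del /S /Q`, visible as context in this commit), while common/windows/delphi/tools/Makefile lists its clean targets in `CLEANS=`. If this Makefile includes Defines.mak (the include is outside the hunk), one of the two definitions silently replaces the other. The line is carried over from the old `CLEAN=test_i3633` and looks like it was meant to be `CLEANS=`; worth confirming while the name is being changed anyway.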
@@ -0,0 +1,21 @@
+#
+# test for signatures and version information being correct in bin folder
+#
+
+!include ..\..\Defines.mak
+
+test: prereq
+ $(SIGCHECK) $(ROOT)\bin\desktop\* > sig1
+ $(SIGCHECK) $(ROOT)\bin\engine\* >> sig1
+ $(SIGCHECK) $(ROOT)\bin\inst\* >> sig1
+ $(VERIFY_SIGNATURES) < sig1
+
+# prereq may not be needed?
+prereq:
+ cd $(VERIFY_SIGNATURES_PATH)
+ $(MAKE)
+
+clean: def-clean
+ -del sig1
+
+!include ..\..\Target.mak