Sign IDF Tools installer with 'osslsigncode', update to V1.2

Uninstaller is still unsigned, as currently building and signing in 'wine' and running Linux osslsigncode inside Inno Setup inside wine is awkward. Closes https://github.com/espressif/esp-idf/issues/1909 TW20810
2018-10-01 16:22:07 +10:00 · 2018-10-01 16:22:07 +10:00 · da0f9717be
parent efd62a50b9
commit da0f9717be
4 changed files with 53 additions and 19 deletions
--- a/.gitignore
+++ b/.gitignore
@ -61,6 +61,7 @@ coverage_report/
 tools/windows/tool_setup/.*
 tools/windows/tool_setup/input
 tools/windows/tool_setup/dl
+tools/windows/tool_setup/keys
 tools/windows/tool_setup/Output

 test_multi_heap_host
--- a/docs/en/get-started-cmake/windows-setup.rst
+++ b/docs/en/get-started-cmake/windows-setup.rst
@ -22,7 +22,7 @@ ESP-IDF Tools Installer

 The easiest way to install ESP-IDF's prerequisites is to download the ESP-IDF Tools installer from this URL:

-https://dl.espressif.com/dl/esp-idf-tools-setup-1.1.exe
+https://dl.espressif.com/dl/esp-idf-tools-setup-1.2.exe

 The installer will automatically install the ESP32 Xtensa gcc toolchain, Ninja_ build tool, and a configuration tool called mconf-idf_. The installer can also download and run installers for CMake_ and Python_ 2.7 if these are not already installed on the computer.

--- a/tools/windows/tool_setup/build_installer.sh
+++ b/tools/windows/tool_setup/build_installer.sh
@ -10,25 +10,58 @@
 # - Runs ISCC under wine to compile the installer itself
 set -e

-mkdir -p dl input
+if [ -z "${KEYPASSWORD}" ]; then
+    echo "KEYPASSWORD should be set"
+    exit 1
+fi

-cd `dirname $0`
-pushd dl
-wget --continue "https://dl.espressif.com/dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip"
-wget --continue "https://github.com/espressif/binutils-esp32ulp/releases/download/v2.28.51-esp32ulp-20180809/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip"
-wget --continue "https://github.com/espressif/openocd-esp32/releases/download/v0.10.0-esp32-20180920/openocd-esp32-win32-0.10.0-esp32-20180920.zip"
-wget --continue "https://github.com/espressif/kconfig-frontends/releases/download/v4.6.0.0-idf-20180525/mconf-v4.6.0.0-idf-20180525-win32.zip"
-wget --continue "https://github.com/ninja-build/ninja/releases/download/v1.8.2/ninja-win.zip"
-popd
+if [ "$1" != "--no-download" ]; then

-rm -rf input/*
-pushd input
-unzip ../dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip
-unzip ../dl/mconf-v4.6.0.0-idf-20180525-win32.zip
-unzip ../dl/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip
-unzip ../dl/openocd-esp32-win32-0.10.0-esp32-20180920.zip
-unzip ../dl/ninja-win.zip
-popd
+    mkdir -p dl input
+
+    cd `dirname $0`
+    pushd dl
+    wget --continue "https://dl.espressif.com/dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip"
+    wget --continue "https://github.com/espressif/binutils-esp32ulp/releases/download/v2.28.51-esp32ulp-20180809/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip"
+    wget --continue "https://github.com/espressif/openocd-esp32/releases/download/v0.10.0-esp32-20180920/openocd-esp32-win32-0.10.0-esp32-20180920.zip"
+    wget --continue "https://github.com/espressif/kconfig-frontends/releases/download/v4.6.0.0-idf-20180525/mconf-v4.6.0.0-idf-20180525-win32.zip"
+    wget --continue "https://github.com/ninja-build/ninja/releases/download/v1.8.2/ninja-win.zip"
+    popd
+
+    rm -rf input/*
+    pushd input
+    unzip ../dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip
+    unzip ../dl/mconf-v4.6.0.0-idf-20180525-win32.zip
+    unzip ../dl/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip
+    unzip ../dl/openocd-esp32-win32-0.10.0-esp32-20180920.zip
+    unzip ../dl/ninja-win.zip
+    popd
+fi

 wine "C:\Program Files\Inno Setup 5\ISCC.exe" "`winepath -w ./idf_tool_setup.iss`"

+# sign the installer with osslsigncode, parsing the version number out of the
+# installer config
+
+VERSION=`grep "^AppVersion=" idf_tool_setup.iss | cut -d'=' -f2`
+
+echo "Signing installer..."
+
+# Note: The cert chain passed to -certs needs to contain the intermediate
+# cert(s) as well, appended after the code signing cert, or Windows may see
+# it as "Unknown Publisher"
+#
+# See https://stackoverflow.com/a/52637050 for full details
+#
+umask 770  # for the process substitution FIFO
+
+osslsigncode -certs ./keys/certchain.pem -key ./keys/key.pem \
+             -readpass <(echo "$KEYPASSWORD") \
+             -in Output/esp-idf-tools-setup-unsigned.exe \
+             -out Output/esp-idf-tools-setup-${VERSION}.exe \
+             -h sha256 \
+             -n "Espressif Systems (Shanghai) Pte. Ltd." \
+             -i "https://www.espressif.com/" \
+             -ts http://timestamp.digicert.com
+
+chmod 644 Output/esp-idf-tools-setup-${VERSION}.exe  # make up for the umask
--- a/tools/windows/tool_setup/idf_tool_setup.iss
+++ b/tools/windows/tool_setup/idf_tool_setup.iss
@ -2,8 +2,8 @@

 [Setup]
 AppName=ESP-IDF Tools
-OutputBaseFilename=esp-idf-tools-setup-1.1
 AppVersion=1.2
+OutputBaseFilename=esp-idf-tools-setup-unsigned

 DefaultDirName={pf}\Espressif\ESP-IDF Tools
 DefaultGroupName=ESP-IDF Tools