Diff:
---
.gitignore | 7 +++++
Makefile.am | 44 +++++++++++++++++++++++------
README | 24 +++++++++++++++-
packaging-scripts/fedora-prereqs-install.sh | 1 +
splash.cc | 2 +-
5 files changed, 67 insertions(+), 11 deletions(-)
diff --git a/.gitignore b/.gitignore
index fcbcf7b9..0a3bcfa1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@ autoconf.h*
autom4te.cache
cfgaux
config.cache
+config.log
config.status
configure
configure.lineno
@@ -18,6 +19,7 @@ inilex.cc
iniparse.cc
iniparse.hh
setup_version.c
+wininet.def
tags
@@ -25,3 +27,8 @@ tags
*.swp
*.Po
*.Plo
+*.o
+*.a
+*.la
+*.lo
+*.exe
diff --git a/Makefile.am b/Makefile.am
index e051eb41..a5899f03 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -339,8 +339,8 @@ setup-src:
git ls-files | tar -T - -cJf ${CURDIR}/$$ver-src.tar.xz;\
echo $$ver-src.tar.xz; exec rm -f $$ver
-# optional: strip and compress executable
-.PHONY: strip upx release upload
+# optional: strip, compress and sign executable
+.PHONY: strip upx release sign upload
strip: all
@$(MKDIR_P) stripped
@@ -355,25 +355,51 @@ upx: strip
$(MKDIR_P) upx ;\
rm -f upx/setup$(EXEEXT) ;\
upx --best --lzma stripped/setup$(EXEEXT) -o upx/setup$(EXEEXT)
;\
+ cp -a stripped/setup${EXEEXT} upx/setup-uncompressed${EXEEXT} ;\
else \
echo "UPX doesn't seem to be installed, cannot compress
setup$(EXEEXT)." ;\
fi
-release: upx
+# PKCS#11 module for HSM containing signing key
+PKCSMODULE=/usr/lib64/libykcs11.so.2
+# PKCS#11 URI to locate signing key in HSM
+PKCS11_URI="pkcs11:id=%01;pin-value=123456"
+# our code-signing certificate and all intermediate and CA certificates
+CERT_SIGNING_CHAIN=code-signing-chain.pem
+# CA timestamp service
+CA_TIMESTAMP=http://timestamp.sectigo.com
+
+sign: upx
+ @if [ -e `which osslsigncode` ]; then \
+ $(MKDIR_P) signed ;\
+ for f in setup$(EXEEXT) setup-uncompressed${EXEEXT} ; do \
+ rm -f signed/$$f ;\
+ osslsigncode sign \
+ -pkcs11module $(PKCSMODULE) -key $(PKCS11_URI)
-nolegacy \
+ -certs $(CERT_SIGNING_CHAIN) \
+ -ts $(CA_TIMESTAMP) \
+ -n 'Cygwin Setup' -i https://cygwin.com/ \
+ -in upx/$$f -out signed/$$f ;\
+ done \
+ else \
+ echo "osslsigncode not found, cannot sign setup$(EXEEXT)." ;\
+ fi
+
+release: sign
@$(MKDIR_P) release
cp stripped/setup.dbg release/setup-${VER}.${ARCH}.dbg
- cp stripped/setup${EXEEXT}
release/setup-${VER}-uncompressed.${ARCH}${EXEEXT}
- cp upx/setup${EXEEXT} release/setup-${VER}.${ARCH}${EXEEXT}
+ cp signed//setup-uncompressed${EXEEXT}
release/setup-${VER}-uncompressed.${ARCH}${EXEEXT}
+ cp signed/setup${EXEEXT} release/setup-${VER}.${ARCH}${EXEEXT}
[email protected]
UPLOAD_PATH=/www/sourceware/htdocs/cygwin/setup
-SIGN_KEYS="--enable-dsa2 --personal-digest-preferences=sha256 -u
1A698DE9E2E56300"
+GPG_SIGN_KEYS="--enable-dsa2 --personal-digest-preferences=sha256 -u
1A698DE9E2E56300"
upload: release
cd release ; scp setup-${VER}.$(ARCH).exe setup-${VER}.$(ARCH).dbg
setup-${VER}-uncompressed.${ARCH}${EXEEXT} ${UPLOAD_HOST}:${UPLOAD_PATH}
- ssh ${UPLOAD_HOST} gpg --batch ${SIGN_KEYS} --detach-sign
${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
- ssh ${UPLOAD_HOST} gpg --batch ${SIGN_KEYS} --detach-sign
${UPLOAD_PATH}/setup-${VER}-uncompressed.$(ARCH).exe
+ ssh ${UPLOAD_HOST} gpg --batch ${GPG_SIGN_KEYS} --detach-sign
${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
+ ssh ${UPLOAD_HOST} gpg --batch ${GPG_SIGN_KEYS} --detach-sign
${UPLOAD_PATH}/setup-${VER}-uncompressed.$(ARCH).exe
ssh ${UPLOAD_HOST} "cd ${UPLOAD_PATH} && sha512sum *.exe > sha512.sum"
clean-local:
- rm -rf stripped upx release
+ rm -rf stripped upx sign release
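Review bot: The committed default `PKCS11_URI="pkcs11:id=%01;pin-value=123456"` puts the token PIN in the repository and on the osslsigncode command line, where it is visible in the process list. Whether 123456 is a placeholder or a real PIN, the variable should carry only the key id, e.g. `PKCS11_URI ?= "pkcs11:id=%01"`, with the PIN supplied by the operator at signing time. In `sign`, the probe ``[ -e `which osslsigncode` ]`` collapses to `[ -e ]` when the tool is missing, and the one-argument form tests true, so the else branch is never reached. `if command -v osslsigncode >/dev/null 2>&1; then` would fix that, with `exit 1` in the else branch and `|| exit 1` after the osslsigncode call, because the `for` loop otherwise reports only the last iteration's status. `clean-local` removes `sign`, but the directory created is `signed`, so signed binaries from an earlier run survive `make clean`; the line should read `rm -rf stripped upx signed release`.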
diff --git a/README b/README
index 524c34de..1d21fa71 100644
--- a/README
+++ b/README
@@ -24,7 +24,7 @@ required packages and their dependencies installed:
- mingw64-${arch}-xz
- mingw64-${arch}-zlib
- mingw64-${arch}-zstd
- - upx (optional)
+ - upx (optional, for compressing)
The ${arch} needs to be replaced with either "i686" or "x86_64"
depending on the target architecture to build for.
@@ -49,6 +49,8 @@ required packages and their dependencies installed:
- mingw${arch}-xz-libs-static
- mingw${arch}-zlib-static
- mingw${arch}-zstd-static (**)
+ - openssl-pkcs11 (optional, for signing) (***)
+ - osslsigncode (optional, for signing)
- upx (optional)
The ${arch} needs to be replaced with either "32" or "64"
@@ -56,8 +58,10 @@ depending on the target architecture to build for.
(*) Requires 'dnf copr enable jturney/mingw-libsolv'
(**) Requires 'dnf copr enable jturney/mingw-zstd'
+(***) Plus the package containing the pkcs11 module for your HSM (e.g.
yubico-piv-tool for a YubiKey)
Build commands:
+---------------
0) Obtain this project's source code:
$ git clone git://sourceware.org/git/cygwin-apps/setup.git
@@ -83,6 +87,7 @@ Build commands:
CODING GUIDELINES:
------------------
+
setup has a number of different code formats in it. This is ok as long
as it stays readable. When submitting a patch, make sure that you use
the coding-style of the surrounding code.
@@ -94,6 +99,7 @@ as a guide.
SUBMITTING A PATCH:
-------------------
+
Follow the general directions given in the Cygwin contributions document:
https://cygwin.com/contrib.html
@@ -115,3 +121,19 @@ TRANSLATIONS
Translations of the gettext template res.pot can be made using PO file tools,
or
online at https://hosted.weblate.org/projects/cygwin-setup/cygwin-setup/
+
+
+To update the translations in the .res files from the .po files:
+
+ 1) 'pip3 install translate-toolkit'
+ 2) When adding a new language <LANG>:
+ - Add <LANG> to the LINGUAS variable in Makefile.am
+ - Add mapping from <LANG> to Windows LCID in langopts script
+ - Add inclusion of res/<LANG>/res.rc in top-level res.rc file
+ 3) 'make po2rc' to regenerate the res/<LANG>/res.rc files
+ 4) Build and run setup with --lang <LCID> to test translation
+ 5) Commit the updated res.rc files
+
+The res/en/res.rc file functions as a template, and po2rc replaces the
+translatable strings in it with those from a given po/<LANG>/res.po file to
+generate a res/<LANG>/res.rc file.
diff --git a/packaging-scripts/fedora-prereqs-install.sh
b/packaging-scripts/fedora-prereqs-install.sh
index 28a66dda..ff4697a0 100755
--- a/packaging-scripts/fedora-prereqs-install.sh
+++ b/packaging-scripts/fedora-prereqs-install.sh
@@ -3,6 +3,7 @@
sudo dnf -y install automake bison diffutils flex libtool make upx
sudo dnf -y install mingw32-gcc-c++ mingw32-zlib-static
mingw32-libgcrypt-static mingw32-bzip2-static mingw32-xz-libs-static
mingw32-winpthreads-static
sudo dnf -y install mingw64-gcc-c++ mingw64-zlib-static
mingw64-libgcrypt-static mingw64-bzip2-static mingw64-xz-libs-static
mingw64-winpthreads-static
+sudo dnf -y install openssl-pkcs11 osslsigncode
sudo dnf -y install 'dnf-command(copr)'
sudo dnf -y copr enable jturney/mingw-libsolv
sudo dnf -y install mingw32-libsolv-static mingw64-libsolv-static
diff --git a/splash.cc b/splash.cc
index 4c40f2aa..107d979f 100644
--- a/splash.cc
+++ b/splash.cc
@@ -21,7 +21,7 @@
#include "splash.h"
#define SPLASH_URL "https://cygwin.com"
-#define SPLASH_COPYRIGHT L"Copyright © 2000-2024"
+#define SPLASH_COPYRIGHT L"Copyright © 2000-2025"
#define SPLASH_TRANSLATE_URL "https://cygwin.com/setup/translate"
static ControlAdjuster::ControlInfo SplashControlsInfo[] = {
[setup - the official Cygwin setup program] branch master, updated. release_2.933
Jon Turney via Cygwin-apps-cvs Fri, 04 Apr 2025 08:31:50 -0700
