> > What if build_all.py did this:
>
> > - Check if SIGNTOOL is enabled in settings.in:
> > - Yes: fail if can't import "sign" module
> > - No: don't fail if can't import "sign" module
>
> > I think existence of the SIGNTOOL variable gives a good clue of user's
> > intentions. Note that the build will also fail if SIGNTOOL is defined
> > and signtool.exe is not copied to the correct place
> > (../signtool/signtool.exe).
>
>
> That's fine ... but what Peter raises as a concern, which I do agree to,
> is that if James' build system is changed and the driver is not signed,
> earlier this would cause to a halt in the building process. With your
> patch, OpenVPN + the driver will be built and not signed.
>
> So it's just to catch that "yes, we want to do a build without signing
> the driver" and to really sign-off that explicitly when doing the build.
> As James' should never do a release build without signing the driver.
Peter: settings.in is stored in git.
I agree that there should be no way one could make an unsigned build by
mistake. I think dazo's suggestion about having a command-line switch
("force unsigned build") is a good one. The SIGNTOOL variable could then
be used to just locate signtool.exe and nothing else. This would make it
behave the same way as most other variables in "settings.in" and allow
making signed and unsigned builds using the same configuration file.
Samuli
