Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
> Samuli Seppänen wrote: > >> here's the next version of the patch; >> > > Functionally fine! > > > >> def main(config): >> + >> +# Do a signed build by default >> +unsignedBuild=False >> > > Maybe name the option signedBuild instead? :) > > > >> +# Check if the SignTool module is present. This avoids ImportErrors >> popping >> +# up annoyingly _after_ the build. >> +if unsignedBuild == False: >> + try: >> + from signtool import SignTool >> + except (ImportError): >> + print "ERROR: SignTool python module not found! Can't do a signed >> build." >> + sys.exit(1) >> + >> +if unsignedBuild == True: >> + print "Doing an unsigned build as requested" >> > > I guess the pythonic way would be simply: > > if signedBuild: > try import.. > else: > print as requested.. > > > >> -sign(config, 'all') >> + >> +if unsignedBuild == False: >> + sign(config, 'all') >> + >> > > signedBuild would be nicer, then simply: > > if signedBuild: > sign() > > > //Peter > All fixes applied in this patch. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock From 804aa21a12f74de4142305ed415b33a43e5fc276 Mon Sep 17 00:00:00 2001 From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?=Date: Thu, 18 Nov 2010 18:00:54 +0200 Subject: [PATCH] Added command-line option parser and an unsigned build option to build_all.py Modified win/build_all.py so that it parses command-line options using getopt. Added option "-u / --unsigned" which allows forcing unsigned builds and a "-h / --help" option. By default a signed build is generated, provided that the Python SignTool module is installed. If not, the build is interrupted. --- win/build_all.py | 45 +++-- 1 files changed, 43 insertions(+), 2 deletions(-) diff --git a/win/build_all.py b/win/build_all.py index 92d2bf4..5637b55 100644 --- a/win/build_all.py +++ b/win/build_all.py 
@@ -1,15 +1,56 @@ +import getopt, sys from config_all import main as config_all from build import main as build_openvpn from build_ddk import main as build_ddk -from sign import main as sign from make_dist import main as make_dist +def Usage(): +'''Show usage information''' +print "Usage: build_all.py [OPTIONS]..." +print "Build OpenVPN using Visual Studio tools" +print +print " -h, --help Show this help" +print " -u, --unsigned Do not sign the TAP drivers" +sys.exit(1) + def main(config): + +# Do a signed build by default +signedBuild=True + +# Parse the command line argument(s) +try: + opts, args = getopt.getopt(sys.argv[1:], "hu", ["help", "unsigned"]) +except getopt.GetoptError: + Usage() + +for o, a in opts: + if o in ("-h","--help"): + Usage() + if o in ("-u", "--unsigned"): + signedBuild=False + + +# Check if the SignTool module is present. This avoids ImportErrors popping +# up annoyingly _after_ the build. +if signedBuild: + try: + from signtool import SignTool + except (ImportError): + print "ERROR: SignTool python module not found! Can't do a signed build." + sys.exit(1) +else: + print "Doing an unsigned build as requested" + +# Start the build config_all(config) build_openvpn() build_ddk(config, 'tap', 'all') build_ddk(config, 'tapinstall', 'all') -sign(config, 'all') + +if signedBuild: + sign(config, 'all') + make_dist(config) # if we are run directly, and not loaded as a module -- 1.6.3.3
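Review bot: in the lines shown, nothing binds the name "sign" any more. The hunk removes "from sign import main as sign", the new pre-build check only does "from signtool import SignTool", and the default path still ends in "if signedBuild: sign(config, 'all')". A signed build would therefore run config_all, build_openvpn and both build_ddk steps and then stop with a NameError before make_dist, which is the late failure the check was added to prevent. Suggest importing the callable inside the same try block ("from sign import main as sign"), so that the name the build later calls is the one the check verified. Minor: Usage() ends in sys.exit(1) for -h/--help as well; exit 0 for requested help and keep 1 for the GetoptError path.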
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
Hi Peter, Fair points. Me fix and resend. -- Samuli Seppänen Community Manager OpenVPN Technologies, Inc irc freenode net: mattock > Samuli Seppänen wrote: > >> here's the next version of the patch; >> > > Functionally fine! > > > >> def main(config): >> + >> +# Do a signed build by default >> +unsignedBuild=False >> > > Maybe name the option signedBuild instead? :) > > > >> +# Check if the SignTool module is present. This avoids ImportErrors >> popping >> +# up annoyingly _after_ the build. >> +if unsignedBuild == False: >> + try: >> + from signtool import SignTool >> + except (ImportError): >> + print "ERROR: SignTool python module not found! Can't do a signed >> build." >> + sys.exit(1) >> + >> +if unsignedBuild == True: >> + print "Doing an unsigned build as requested" >> > > I guess the pythonic way would be simply: > > if signedBuild: > try import.. > else: > print as requested.. > > > >> -sign(config, 'all') >> + >> +if unsignedBuild == False: >> + sign(config, 'all') >> + >> > > signedBuild would be nicer, then simply: > > if signedBuild: > sign() > > > //Peter
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
Samuli Seppänen wrote: > here's the next version of the patch; Functionally fine! > def main(config): > + > +# Do a signed build by default > +unsignedBuild=False Maybe name the option signedBuild instead? :) > +# Check if the SignTool module is present. This avoids ImportErrors > popping > +# up annoyingly _after_ the build. > +if unsignedBuild == False: > + try: > + from signtool import SignTool > + except (ImportError): > + print "ERROR: SignTool python module not found! Can't do a signed > build." > + sys.exit(1) > + > +if unsignedBuild == True: > + print "Doing an unsigned build as requested" I guess the pythonic way would be simply: if signedBuild: try import.. else: print as requested.. > -sign(config, 'all') > + > +if unsignedBuild == False: > + sign(config, 'all') > + signedBuild would be nicer, then simply: if signedBuild: sign() //Peter
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
>> I agree that there should be no way one could make an unsigned build by
>> mistake. I think dazo's suggestion about having a command-line switch
>> ("force unsigned build") is a good one. The SIGNTOOL variable could then
>> be used to just locate signtool.exe and nothing else. This would make it
>> behave the same way as most other variables in "settings.in" and allow
>> making signed and unsigned builds using the same configuration file.
>>
>
> Acked-by: Peter Stuge
>

Ok, here's the next version of the patch; see commit message for details. Applies on top of original code, not my earlier patches. Tested on WinXP and everything seems to work ok. No changes to files using the SIGNTOOL variable from "settings.in" were necessary at this point, although "win/tap_span.py" may need fixing later.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock

From a4ca1e8d783364cd58ff370b21708ccd3d687efa Mon Sep 17 00:00:00 2001 From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?= Date: Tue, 16 Nov 2010 17:28:54 +0200 Subject: [PATCH] Added command-line option parser and an unsigned build option to build_all.py Modified win/build_all.py so that it parses command-line options using getopt. Added option "-u / --unsigned" which allows forcing unsigned builds and a "-h / --help" option. By default a signed build is generated, provided that the Python SignTool module is installed. If not, the build is interrupted. --- win/build_all.py | 48 ++-- 1 files changed, 46 insertions(+), 2 deletions(-) diff --git a/win/build_all.py b/win/build_all.py index 92d2bf4..6d1d956 100644 --- a/win/build_all.py +++ b/win/build_all.py
@@ -1,15 +1,59 @@ +import getopt, sys from config_all import main as config_all from build import main as build_openvpn from build_ddk import main as build_ddk -from sign import main as sign from make_dist import main as make_dist +def Usage(): +'''Show usage information''' +print "Usage: build_all.py [OPTIONS]..." +print "Build OpenVPN using Visual Studio tools" +print +print " -h, --help Show this help" +print " -u, --unsigned Do not sign the TAP drivers" +sys.exit(1) + def main(config): + +# Do a signed build by default +unsignedBuild=False + +# Parse the command line argument(s) +try: + # Arguments that are followed by a : require a value from user + opts, args = getopt.getopt(sys.argv[1:], "hu", ["help", "unsigned"]) +except getopt.GetoptError: + Usage() + sys.exit(1) + +for o, a in opts: + if o in ("-h","--help"): + Usage() + if o in ("-u", "--unsigned"): + unsignedBuild=True + + +# Check if the SignTool module is present. This avoids ImportErrors popping +# up annoyingly _after_ the build. +if unsignedBuild == False: + try: + from signtool import SignTool + except (ImportError): + print "ERROR: SignTool python module not found! Can't do a signed build." + sys.exit(1) + +if unsignedBuild == True: + print "Doing an unsigned build as requested" + +# Start the build config_all(config) build_openvpn() build_ddk(config, 'tap', 'all') build_ddk(config, 'tapinstall', 'all') -sign(config, 'all') + +if unsignedBuild == False: + sign(config, 'all') + make_dist(config) # if we are run directly, and not loaded as a module -- 1.6.3.3
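Review bot: in the GetoptError handler the "sys.exit(1)" after "Usage()" can never run, because Usage() itself ends in sys.exit(1), and the comment above getopt.getopt() about arguments followed by ":" describes options that the "hu" string does not contain; both can go. Usage() also exits with status 1 when help was asked for with -h/--help, where 0 is the usual result. On the signing path, the pre-build check imports SignTool from signtool while the removed "from sign import main as sign" is not restored anywhere in the hunk, so the check can pass and "sign(config, 'all')" still has no function to call once the build steps have finished.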
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
Hello,

This again, raises the modulation of openvpn project.

*NOBODY* wants/needs to modify the driver, most people lack the skills and interest. Usually people want to patch openvpn userspace components.

The driver should come in its own .msi signed (msi + driver). OpenVPN installation should embed the driver msi within it.

For signing OpenVPN, this should be optional, as Windows does not force it. I use osslsigncode[1] with patches[2][3] to allow signing using a cross compiler.

Alon.

[1] http://sourceforge.net/projects/osslsigncode/
[2] http://sourceforge.net/tracker/?func=detail=3018894_id=129143=713908
[3] http://sourceforge.net/tracker/?func=detail=3018895_id=129143=713908

On Fri, Nov 12, 2010 at 10:18 PM, Gert Doering wrote:
>
> Hi,
>
> On Fri, Nov 12, 2010 at 05:50:19PM +0100, David Sommerseth wrote:
> > If I've understood it correctly, this is related to signing the Windows
> > TUN/TAP driver. So if you don't have a signing key/tool available, it
> > is still possible to build the rest of OpenVPN. You might even manage
> > to install the unsigned TUN/TAP driver with some tweaking.
>
> Isn't the openvpn.exe signed as well?
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
Hi,

On Fri, Nov 12, 2010 at 05:50:19PM +0100, David Sommerseth wrote:
> If I've understood it correctly, this is related to signing the Windows
> TUN/TAP driver. So if you don't have a signing key/tool available, it
> is still possible to build the rest of OpenVPN. You might even manage
> to install the unsigned TUN/TAP driver with some tweaking.

Isn't the openvpn.exe signed as well?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
Samuli Seppänen wrote:
> Peter: settings.in is stored in git.

Ok.

> I agree that there should be no way one could make an unsigned build by
> mistake. I think dazo's suggestion about having a command-line switch
> ("force unsigned build") is a good one. The SIGNTOOL variable could then
> be used to just locate signtool.exe and nothing else. This would make it
> behave the same way as most other variables in "settings.in" and allow
> making signed and unsigned builds using the same configuration file.

Acked-by: Peter Stuge
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
> > What if build_all.py did this:
> >
> > - Check if SIGNTOOL is enabled in settings.in:
> >   - Yes: fail if can't import "sign" module
> >   - No: don't fail if can't import "sign" module
> >
> > I think existence of the SIGNTOOL variable gives a good clue of user's
> > intentions. Note that the build will also fail if SIGNTOOL is defined
> > and signtool.exe is not copied to the correct place
> > (../signtool/signtool.exe).
> >
> That's fine ... but what Peter raises as a concern, which I do agree to,
> is that if James' build system is changed and the driver is not signed,
> earlier this would cause to a halt in the building process. With your
> patch, OpenVPN + the driver will be built and not signed.
>
> So it's just to catch that "yes, we want to do a build without signing
> the driver" and to really sign-off that explicitly when doing the build.
> As James' should never do a release build without signing the driver.

Peter: settings.in is stored in git.

I agree that there should be no way one could make an unsigned build by mistake. I think dazo's suggestion about having a command-line switch ("force unsigned build") is a good one. The SIGNTOOL variable could then be used to just locate signtool.exe and nothing else. This would make it behave the same way as most other variables in "settings.in" and allow making signed and unsigned builds using the same configuration file.

Samuli
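
The behaviour agreed on in the message above, written as a pre-build decision function; this is an added example in Python 3, not code from the thread or from OpenVPN's build scripts. The names parse_settings, plan_signing and SigningError are hypothetical, the comment syntax assumed for settings.in is an assumption, and the checks use the "sign" module and the ../signtool/signtool.exe location named in the thread.

```python
import getopt
import importlib.util
import os
import re

# Constructed sample in the style of the win/settings.in fragment quoted in the thread.
SAMPLE_SETTINGS = """\
# Code Signing.
# If undefined, don't sign any files.
!define SIGNTOOL "../signtool"
!define PRODUCT_SIGN_CN "openvpn"
"""

DEFINE_RE = re.compile(r'^!define\s+(\w+)\s*(.*)$')


class SigningError(Exception):
    """A signed build was expected but cannot be produced."""


def parse_settings(text):
    """Return {name: value} for each active '!define' line.

    Assumption: lines starting with '#' or ';' are comments, so a
    commented-out '!define' counts as undefined.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = DEFINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip().strip('"')
    return settings


def module_available(name):
    """True if 'import name' would find a module, without importing it."""
    return importlib.util.find_spec(name) is not None


def plan_signing(argv, settings, has_module=module_available, is_file=os.path.isfile):
    """Decide 'signed' or 'unsigned' before any build step runs.

    'unsigned' is returned only for an explicit -u/--unsigned. Every other
    obstacle to signing raises SigningError, so a missing module or tool
    can never downgrade the build silently.
    """
    opts, _ = getopt.getopt(argv, "u", ["unsigned"])
    if any(opt in ("-u", "--unsigned") for opt, _ in opts):
        return "unsigned"
    if not has_module("sign"):
        raise SigningError("python module 'sign' cannot be imported")
    tool_dir = settings.get("SIGNTOOL")
    if not tool_dir:
        raise SigningError("SIGNTOOL is not defined in settings.in")
    # SIGNTOOL only locates the tool; it does not switch signing on or off.
    exe = tool_dir.rstrip("/\\") + "/signtool.exe"
    if not is_file(exe):
        raise SigningError("signtool.exe not found at " + exe)
    return "signed"


if __name__ == "__main__":
    import sys
    try:
        print(plan_signing(sys.argv[1:], parse_settings(SAMPLE_SETTINGS)))
    except (SigningError, getopt.GetoptError) as err:
        sys.exit("ERROR: %s" % err)
```

The has_module and is_file parameters exist so the decision can be exercised without a Windows build host.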
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
On 12/11/10 18:11, Samuli Seppänen wrote: > >> On 12/11/10 17:55, Peter Stuge wrote: >>> David Sommerseth wrote: >> Modified win/build_all.py so that build does not fail even if >> the optional signtool python class is not available. > What is it needed for? Is it really *always* optional? If I've understood it correctly, this is related to signing the Windows TUN/TAP driver. >>> Right. >> >> So if you don't have a signing key/tool available, it is still possible to build the rest of OpenVPN. >>> Fine, but this is not really acceptable when James builds OpenVPN, >>> so I am requesting a solution that allows them to specify to the >>> build process that they want a fatal error if signing is not >>> possible. >> >> That's a good point! I didn't think about this one. >> >> What about that the build script stops up and asks if it should continue >> without signing? And in addition having a command line argument >> accepting building without signing? This latter one is more useful for >> automated community builds of the allmerged branch from >> openvpn-testing.git. >> >> >> kind regards, >> >> David Sommerseth > What if build_all.py did this: > > - Check if SIGNTOOL is enabled in settings.in: > - Yes: fail if can't import "sign" module > - No: don't fail if can't import "sign" module > > I think existence of the SIGNTOOL variable gives a good clue of user's > intentions. Note that the build will also fail if SIGNTOOL is defined > and signtool.exe is not copied to the correct place > (../signtool/signtool.exe). >

That's fine ... but what Peter raises as a concern, which I do agree to, is that if James' build system is changed and the driver is not signed, earlier this would cause to a halt in the building process. With your patch, OpenVPN + the driver will be built and not signed.

So it's just to catch that "yes, we want to do a build without signing the driver" and to really sign-off that explicitly when doing the build. As James' should never do a release build without signing the driver.

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
Samuli Seppänen wrote:
> What if build_all.py did this:
>
> - Check if SIGNTOOL is enabled in settings.in:
>   - Yes: fail if can't import "sign" module
>   - No: don't fail if can't import "sign" module

This also sounds good.

(Who typically creates settings.in? Is one in git?)

//Peter
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
On 12/11/10 17:55, Peter Stuge wrote:
> David Sommerseth wrote:
>>>> Modified win/build_all.py so that build does not fail even if
>>>> the optional signtool python class is not available.
>>>
>>> What is it needed for? Is it really *always* optional?
>>
>> If I've understood it correctly, this is related to signing the Windows
>> TUN/TAP driver.
>
> Right.
>
>
>> So if you don't have a signing key/tool available, it is still
>> possible to build the rest of OpenVPN.
>
> Fine, but this is not really acceptable when James builds OpenVPN,
> so I am requesting a solution that allows them to specify to the
> build process that they want a fatal error if signing is not
> possible.

That's a good point! I didn't think about this one.

What about that the build script stops up and asks if it should continue without signing? And in addition having a command line argument accepting building without signing? This latter one is more useful for automated community builds of the allmerged branch from openvpn-testing.git.

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
David Sommerseth wrote:
> >> Modified win/build_all.py so that build does not fail even if
> >> the optional signtool python class is not available.
> >
> > What is it needed for? Is it really *always* optional?
>
> If I've understood it correctly, this is related to signing the Windows
> TUN/TAP driver.

Right.

> So if you don't have a signing key/tool available, it is still
> possible to build the rest of OpenVPN.

Fine, but this is not really acceptable when James builds OpenVPN, so I am requesting a solution that allows them to specify to the build process that they want a fatal error if signing is not possible.

//Peter
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
> Samuli Seppänen wrote:
>
>> From 57b983dc2a1f4a31d3b7c0e2f6de7f778d234b2e Mon Sep 17 00:00:00 2001
>> From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?=
>> Date: Fri, 12 Nov 2010 17:32:19 +0200
>> Subject: [PATCH] Removed hardcoded signtool dependency from win/build_all.py
>>
>> Modified win/build_all.py so that build does not fail even if the optional
>> signtool python class is not available.
>>
>
> What is it needed for? Is it really *always* optional? Maybe some
> setting or parameter to the script so that build can fail e.g. at
> openvpn.net if building, where signing should always be done?
>
>
> //Peter
>

As far as I know driver signing is supposed to be optional. From "win/settings.in":

# Code Signing.
# If undefined, don't sign any files.
!define SIGNTOOL "../signtool"
!define PRODUCT_SIGN_CN "openvpn"

This "settings.in" contains many other variables used by the Python-based build system. Looking at the comments one would think that simply disabling the SIGNTOOL variable would allow non-signed builds. This is not the case, hence the patch.

I'm as open as it gets to suggestions how to make the patch better, though :).

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
On 12/11/10 17:36, Peter Stuge wrote:
> Samuli Seppänen wrote:
>> From 57b983dc2a1f4a31d3b7c0e2f6de7f778d234b2e Mon Sep 17 00:00:00 2001
>> From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?=
>> Date: Fri, 12 Nov 2010 17:32:19 +0200
>> Subject: [PATCH] Removed hardcoded signtool dependency from win/build_all.py
>>
>> Modified win/build_all.py so that build does not fail even if the optional
>> signtool python class is not available.
>
> What is it needed for? Is it really *always* optional? Maybe some
> setting or parameter to the script so that build can fail e.g. at
> openvpn.net if building, where signing should always be done?

If I've understood it correctly, this is related to signing the Windows TUN/TAP driver. So if you don't have a signing key/tool available, it is still possible to build the rest of OpenVPN. You might even manage to install the unsigned TUN/TAP driver with some tweaking.

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
Samuli Seppänen wrote:
> From 57b983dc2a1f4a31d3b7c0e2f6de7f778d234b2e Mon Sep 17 00:00:00 2001
> From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?=
> Date: Fri, 12 Nov 2010 17:32:19 +0200
> Subject: [PATCH] Removed hardcoded signtool dependency from win/build_all.py
>
> Modified win/build_all.py so that build does not fail even if the optional
> signtool python class is not available.

What is it needed for? Is it really *always* optional? Maybe some setting or parameter to the script so that build can fail e.g. at openvpn.net if building, where signing should always be done?

//Peter
[Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py
From 57b983dc2a1f4a31d3b7c0e2f6de7f778d234b2e Mon Sep 17 00:00:00 2001 From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?=Date: Fri, 12 Nov 2010 17:32:19 +0200 Subject: [PATCH] Removed hardcoded signtool dependency from win/build_all.py Modified win/build_all.py so that build does not fail even if the optional signtool python class is not available. --- win/build_all.py | 10 -- 1 files changed, 8 insertions(+), 2 deletions(-) diff --git a/win/build_all.py b/win/build_all.py index 92d2bf4..38c1645 100644 --- a/win/build_all.py +++ b/win/build_all.py @@ -1,7 +1,6 @@ from config_all import main as config_all from build import main as build_openvpn from build_ddk import main as build_ddk -from sign import main as sign from make_dist import main as make_dist def main(config): @@ -9,7 +8,14 @@ def main(config): build_openvpn() build_ddk(config, 'tap', 'all') build_ddk(config, 'tapinstall', 'all') -sign(config, 'all') + +# Sign the drivers only if "sign" module is available +try: + from sign import main as sign + sign(config, 'all') +except (ImportError): + pass + make_dist(config) # if we are run directly, and not loaded as a module -- 1.6.3.3
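Review bot: in the second hunk, "except (ImportError): pass" turns every import failure into a silent unsigned build. Because the try block wraps both "from sign import main as sign" and "sign(config, 'all')", an ImportError raised while sign() is running is swallowed as well, and make_dist(config) then packages the drivers with no message that signing was skipped. Suggest keeping only the import inside the try, printing that signing is being skipped, and making the unsigned build something the caller asks for explicitly instead of the fallback.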