Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Samuli Seppänen]

> Samuli Seppänen wrote:
>   
>> here's the next version of the patch;
>> 
>
> Functionally fine!
>
>
>   
>>  def main(config):
>> +
>> +# Do a signed build by default
>> +unsignedBuild=False
>> 
>
> Maybe name the option signedBuild instead? :)
>
>
>   
>> +# Check if the SignTool module is present. This avoids ImportErrors 
>> popping 
>> +# up annoyingly _after_ the build.
>> +if unsignedBuild == False:
>> +   try:
>> +  from signtool import SignTool
>> +   except (ImportError):
>> +  print "ERROR: SignTool python module not found! Can't do a signed 
>> build."
>> +  sys.exit(1)
>> +
>> +if unsignedBuild == True:
>> +   print "Doing an unsigned build as requested"
>> 
>
> I guess the pythonic way would be simply:
>
> if signedBuild:
>   try import..
> else:
>   print as requested..
>
>
>   
>> -sign(config, 'all')
>> +
>> +if unsignedBuild == False:
>> +   sign(config, 'all')
>> +
>> 
>
> signedBuild would be nicer, then simply:
>
> if signedBuild:
>   sign()
>
>
> //Peter
>   

All fixes applied in this patch.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

From 804aa21a12f74de4142305ed415b33a43e5fc276 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?= 
Date: Thu, 18 Nov 2010 18:00:54 +0200
Subject: [PATCH] Added command-line option parser and an unsigned build option to build_all.py

Modified win/build_all.py so that it parses command-line options using getopt.
Added option "-u / --unsigned" which allows forcing unsigned builds and a "-h /
--help" option. By default a signed build is generated, provided that the Python
SignTool module is installed. If not, the build is interrupted.
---
 win/build_all.py |   45 +++--
 1 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/win/build_all.py b/win/build_all.py
index 92d2bf4..5637b55 100644
--- a/win/build_all.py
+++ b/win/build_all.py
@@ -1,15 +1,56 @@
+import getopt, sys
 from config_all import main as config_all
 from build import main as build_openvpn
 from build_ddk import main as build_ddk
-from sign import main as sign
 from make_dist import main as make_dist
 
+def Usage():
+'''Show usage information'''
+print "Usage: build_all.py [OPTIONS]..."
+print "Build OpenVPN using Visual Studio tools"
+print
+print " -h, --help		Show this help"
+print " -u, --unsigned	Do not sign the TAP drivers"
+sys.exit(1)
+
 def main(config):
+
+# Do a signed build by default
+signedBuild=True
+
+# Parse the command line argument(s)
+try:
+   opts, args = getopt.getopt(sys.argv[1:], "hu", ["help", "unsigned"])
+except getopt.GetoptError:
+   Usage()
+
+for o, a in opts:
+   if o in ("-h","--help"):
+  Usage()
+   if o in ("-u", "--unsigned"):
+  signedBuild=False
+
+
+# Check if the SignTool module is present. This avoids ImportErrors popping 
+# up annoyingly _after_ the build.
+if signedBuild:
+   try:
+  from signtool import SignTool
+   except (ImportError):
+  print "ERROR: SignTool python module not found! Can't do a signed build."
+  sys.exit(1)
+else:
+   print "Doing an unsigned build as requested"
+
+# Start the build
 config_all(config)
 build_openvpn()
 build_ddk(config, 'tap', 'all')
 build_ddk(config, 'tapinstall', 'all')
-sign(config, 'all')
+
+if signedBuild:
+   sign(config, 'all')
+
 make_dist(config)
 
 # if we are run directly, and not loaded as a module
-- 
1.6.3.3

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Samuli Seppänen]

Hi Peter,

Fair points. Me fix and resend.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



> Samuli Seppänen wrote:
>   
>> here's the next version of the patch;
>> 
>
> Functionally fine!
>
>
>   
>>  def main(config):
>> +
>> +# Do a signed build by default
>> +unsignedBuild=False
>> 
>
> Maybe name the option signedBuild instead? :)
>
>
>   
>> +# Check if the SignTool module is present. This avoids ImportErrors 
>> popping 
>> +# up annoyingly _after_ the build.
>> +if unsignedBuild == False:
>> +   try:
>> +  from signtool import SignTool
>> +   except (ImportError):
>> +  print "ERROR: SignTool python module not found! Can't do a signed 
>> build."
>> +  sys.exit(1)
>> +
>> +if unsignedBuild == True:
>> +   print "Doing an unsigned build as requested"
>> 
>
> I guess the pythonic way would be simply:
>
> if signedBuild:
>   try import..
> else:
>   print as requested..
>
>
>   
>> -sign(config, 'all')
>> +
>> +if unsignedBuild == False:
>> +   sign(config, 'all')
>> +
>> 
>
> signedBuild would be nicer, then simply:
>
> if signedBuild:
>   sign()
>
>
> //Peter
>
> --
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today
> http://p.sf.net/sfu/msIE9-sfdev2dev
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>   

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Peter Stuge]

Samuli Seppänen wrote:
> here's the next version of the patch;

Functionally fine!


>  def main(config):
> +
> +# Do a signed build by default
> +unsignedBuild=False

Maybe name the option signedBuild instead? :)


> +# Check if the SignTool module is present. This avoids ImportErrors 
> popping 
> +# up annoyingly _after_ the build.
> +if unsignedBuild == False:
> +   try:
> +  from signtool import SignTool
> +   except (ImportError):
> +  print "ERROR: SignTool python module not found! Can't do a signed 
> build."
> +  sys.exit(1)
> +
> +if unsignedBuild == True:
> +   print "Doing an unsigned build as requested"

I guess the pythonic way would be simply:

if signedBuild:
  try import..
else:
  print as requested..


> -sign(config, 'all')
> +
> +if unsignedBuild == False:
> +   sign(config, 'all')
> +

signedBuild would be nicer, then simply:

if signedBuild:
  sign()


//Peter

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Samuli Seppänen]

>> I agree that there should be no way one could make an unsigned build by
>> mistake. I think dazo's suggestion about having a command-line switch
>> ("force unsigned build") is a good one. The SIGNTOOL variable could then
>> be used to just locate signtool.exe and nothing else. This would make it
>> behave the same way as most other variables in "settings.in" and allow
>> making signed and unsigned builds using the same configuration file.
>> 
>
> Acked-by: Peter Stuge 
>   
Ok, here's the next version of the patch; see commit message for
details. Applies on top of original code, not my earlier patches. Tested
on WinXP and everything seems to work ok. No changes to files using the
SIGNTOOL variable from "settings.in" were necessary at this point.,
although "win/tap_span.py" may need fixing later.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

From a4ca1e8d783364cd58ff370b21708ccd3d687efa Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?= 
Date: Tue, 16 Nov 2010 17:28:54 +0200
Subject: [PATCH] Added command-line option parser and an unsigned build option to build_all.py

Modified win/build_all.py so that it parses command-line options using getopt.
Added option "-u / --unsigned" which allows forcing unsigned builds and a "-h /
--help" option. By default a signed build is generated, provided that the Python
SignTool module is installed. If not, the build is interrupted.
---
 win/build_all.py |   48 ++--
 1 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/win/build_all.py b/win/build_all.py
index 92d2bf4..6d1d956 100644
--- a/win/build_all.py
+++ b/win/build_all.py
@@ -1,15 +1,59 @@
+import getopt, sys
 from config_all import main as config_all
 from build import main as build_openvpn
 from build_ddk import main as build_ddk
-from sign import main as sign
 from make_dist import main as make_dist
 
+def Usage():
+'''Show usage information'''
+print "Usage: build_all.py [OPTIONS]..."
+print "Build OpenVPN using Visual Studio tools"
+print
+print " -h, --help		Show this help"
+print " -u, --unsigned	Do not sign the TAP drivers"
+sys.exit(1)
+
 def main(config):
+
+# Do a signed build by default
+unsignedBuild=False
+
+# Parse the command line argument(s)
+try:
+   # Arguments that are followed by a : require a value from user
+   opts, args = getopt.getopt(sys.argv[1:], "hu", ["help", "unsigned"])
+except getopt.GetoptError:
+   Usage()
+   sys.exit(1)
+
+for o, a in opts:
+   if o in ("-h","--help"):
+  Usage()
+   if o in ("-u", "--unsigned"):
+  unsignedBuild=True
+
+
+# Check if the SignTool module is present. This avoids ImportErrors popping 
+# up annoyingly _after_ the build.
+if unsignedBuild == False:
+   try:
+  from signtool import SignTool
+   except (ImportError):
+  print "ERROR: SignTool python module not found! Can't do a signed build."
+  sys.exit(1)
+
+if unsignedBuild == True:
+   print "Doing an unsigned build as requested"
+
+# Start the build
 config_all(config)
 build_openvpn()
 build_ddk(config, 'tap', 'all')
 build_ddk(config, 'tapinstall', 'all')
-sign(config, 'all')
+
+if unsignedBuild == False:
+   sign(config, 'all')
+
 make_dist(config)
 
 # if we are run directly, and not loaded as a module
-- 
1.6.3.3

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Alon Bar-Lev]

Hello,

This again, raises the modulation of openvpn project.
*NOBODY* wants/needs to modify the driver, most people lacks the
skills and interest. Usually people wants to patch openvpn userspace
components.

The driver should come in its own .msi signed (msi + driver).

OpenVPN installation should embed the driver msi within it.

For signing OpenVPN, this should be optional, as Windows does not force it.

I use osslsigncode[1] with patches[2][3] to allow signing using a
cross compiler.

Alon.

[1] http://sourceforge.net/projects/osslsigncode/
[2] 
http://sourceforge.net/tracker/?func=detail=3018894_id=129143=713908
[3] 
http://sourceforge.net/tracker/?func=detail=3018895_id=129143=713908


On Fri, Nov 12, 2010 at 10:18 PM, Gert Doering  wrote:
>
> Hi,
>
> On Fri, Nov 12, 2010 at 05:50:19PM +0100, David Sommerseth wrote:
> > If I've understood it correctly, this is related to signing the Windows
> > TUN/TAP driver.  So if you don't have a signing key/tool available, it
> > is still possible to build the rest of OpenVPN.  You might even manage
> > to install the unsigned TUN/TAP driver with some tweaking.
>
> Isn't the openvpn.exe signed as well?
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
>
> --
> Centralized Desktop Delivery: Dell and VMware Reference Architecture
> Simplifying enterprise desktop deployment and management using
> Dell EqualLogic storage and VMware View: A highly scalable, end-to-end
> client virtualization framework. Read more!
> http://p.sf.net/sfu/dell-eql-dev2dev
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Gert Doering]

Hi,

On Fri, Nov 12, 2010 at 05:50:19PM +0100, David Sommerseth wrote:
> If I've understood it correctly, this is related to signing the Windows
> TUN/TAP driver.  So if you don't have a signing key/tool available, it
> is still possible to build the rest of OpenVPN.  You might even manage
> to install the unsigned TUN/TAP driver with some tweaking.

Isn't the openvpn.exe signed as well?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


pgp6fWFafi2D7.pgp
Description: PGP signature

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Peter Stuge]

Samuli Seppänen wrote:
> Peter: settings.in is stored in git.

Ok.


> I agree that there should be no way one could make an unsigned build by
> mistake. I think dazo's suggestion about having a command-line switch
> ("force unsigned build") is a good one. The SIGNTOOL variable could then
> be used to just locate signtool.exe and nothing else. This would make it
> behave the same way as most other variables in "settings.in" and allow
> making signed and unsigned builds using the same configuration file.

Acked-by: Peter Stuge 

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Samuli Seppänen]

> > What if build_all.py did this:
>
> > - Check if SIGNTOOL is enabled in settings.in:
> >   - Yes: fail if can't import "sign" module
> >   - No: don't fail if can't import "sign" module
>
> > I think existence of the SIGNTOOL variable gives a good clue of user's
> > intentions. Note that the build will also fail if SIGNTOOL is defined
> > and signtool.exe is not copied to the correct place
> > (../signtool/signtool.exe).
>
>
> That's fine ... but what Peter raises as a concern, which I do agree to,
> is that if James' build system is changed and the driver is not signed,
> earlier this would cause to a halt in the building process.  With your
> patch, OpenVPN + the driver will be built and not signed.
>
> So it's just to catch that "yes, we want to do a build without signing
> the driver" and to really sign-off that explicitly when doing the build.
>  As James' should never do a release build without signing the driver.
Peter: settings.in is stored in git.

I agree that there should be no way one could make an unsigned build by
mistake. I think dazo's suggestion about having a command-line switch
("force unsigned build") is a good one. The SIGNTOOL variable could then
be used to just locate signtool.exe and nothing else. This would make it
behave the same way as most other variables in "settings.in" and allow
making signed and unsigned builds using the same configuration file.

Samuli

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[David Sommerseth]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/11/10 18:11, Samuli Seppänen wrote:
> 
>> On 12/11/10 17:55, Peter Stuge wrote:
>>> David Sommerseth wrote:
>> Modified win/build_all.py so that build does not fail even if
>> the optional signtool python class is not available.
> What is it needed for? Is it really *always* optional?
 If I've understood it correctly, this is related to signing the Windows
 TUN/TAP driver.
>>> Right.
>>
>>
 So if you don't have a signing key/tool available, it is still
 possible to build the rest of OpenVPN.
>>> Fine, but this is not really acceptable when James builds OpenVPN,
>>> so I am requesting a solution that allows them to specify to the
>>> build process that they want a fatal error if signing is not
>>> possible.
>>
>> That's a good point!  I didn't think about this one.
>>
>> What about that the build script stops up and asks if it should continue
>> without signing?  And in addition having a command line argument
>> accepting building without signing?  This latter one is more useful for
>> automated community builds of the allmerged branch from
>> openvpn-testing.git.
>>
>>
>> kind regards,
>>
>> David Sommerseth
> What if build_all.py did this:
> 
> - Check if SIGNTOOL is enabled in settings.in:
>   - Yes: fail if can't import "sign" module
>   - No: don't fail if can't import "sign" module
> 
> I think existence of the SIGNTOOL variable gives a good clue of user's
> intentions. Note that the build will also fail if SIGNTOOL is defined
> and signtool.exe is not copied to the correct place
> (../signtool/signtool.exe).
> 

That's fine ... but what Peter raises as a concern, which I do agree to,
is that if James' build system is changed and the driver is not signed,
earlier this would cause to a halt in the building process.  With your
patch, OpenVPN + the driver will be built and not signed.

So it's just to catch that "yes, we want to do a build without signing
the driver" and to really sign-off that explicitly when doing the build.
 As James' should never do a release build without signing the driver.


kind regards,

David Sommerseth
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzdd7gACgkQDC186MBRfrpmGwCfXbMtUuoDmuWXTn5wOeAYy9s9
+BAAoKqWatGOoLIonfuV30UrRCczrKQn
=bSuy
-END PGP SIGNATURE-

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Peter Stuge]

Samuli Seppänen wrote:
> What if build_all.py did this:
> 
> - Check if SIGNTOOL is enabled in settings.in:
>   - Yes: fail if can't import "sign" module
>   - No: don't fail if can't import "sign" module

This also sounds good. (Who typically creates settings.in? Is one in git?)


//Peter

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[David Sommerseth]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/11/10 17:55, Peter Stuge wrote:
> David Sommerseth wrote:
 Modified win/build_all.py so that build does not fail even if
 the optional signtool python class is not available.
>>>
>>> What is it needed for? Is it really *always* optional?
>>
>> If I've understood it correctly, this is related to signing the Windows
>> TUN/TAP driver.
> 
> Right.
> 
> 
>> So if you don't have a signing key/tool available, it is still
>> possible to build the rest of OpenVPN.
> 
> Fine, but this is not really acceptable when James builds OpenVPN,
> so I am requesting a solution that allows them to specify to the
> build process that they want a fatal error if signing is not
> possible.

That's a good point!  I didn't think about this one.

What about that the build script stops up and asks if it should continue
without signing?  And in addition having a command line argument
accepting building without signing?  This latter one is more useful for
automated community builds of the allmerged branch from openvpn-testing.git.


kind regards,

David Sommerseth
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzdcwUACgkQDC186MBRfroz3QCfaejhSR92xYXy6RLHbapbV4Pt
wkYAnR5xpl5fSsIZjTLHF1ZKJHkXnDmS
=WOYo
-END PGP SIGNATURE-

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Peter Stuge]

David Sommerseth wrote:
> >> Modified win/build_all.py so that build does not fail even if
> >> the optional signtool python class is not available.
> > 
> > What is it needed for? Is it really *always* optional?
> 
> If I've understood it correctly, this is related to signing the Windows
> TUN/TAP driver.

Right.


> So if you don't have a signing key/tool available, it is still
> possible to build the rest of OpenVPN.

Fine, but this is not really acceptable when James builds OpenVPN,
so I am requesting a solution that allows them to specify to the
build process that they want a fatal error if signing is not
possible.


//Peter

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Samuli Seppänen]

> Samuli Seppänen wrote:
>   
>> From 57b983dc2a1f4a31d3b7c0e2f6de7f778d234b2e Mon Sep 17 00:00:00 2001
>> From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?= 
>> Date: Fri, 12 Nov 2010 17:32:19 +0200
>> Subject: [PATCH] Removed hardcoded signtool dependency from win/build_all.py
>>
>> Modified win/build_all.py so that build does not fail even if the optional
>> signtool python class is not available.
>> 
>
> What is it needed for? Is it really *always* optional? Maybe some
> setting or parameter to the script so that build can fail e.g. at
> openvpn.net if building, where signing should always be done?
>
>
> //Peter
>   
As far as I know driver signing is supposed to be optional. From
"win/settings.in":

# Code Signing.
# If undefined, don't sign any files.
!define SIGNTOOL"../signtool"
!define PRODUCT_SIGN_CN "openvpn"

This "settings.in" contains many other variables used by the
Python-based build system. Looking at the comments one would think that
simply disabling the the SIGNTOOL variable would allow non-signed
builds. This is not the case, hence the patch. I'm as open as it gets to
suggestions how to make the patch better, though :).


-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[David Sommerseth]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 12/11/10 17:36, Peter Stuge wrote:
> Samuli Seppänen wrote:
>> From 57b983dc2a1f4a31d3b7c0e2f6de7f778d234b2e Mon Sep 17 00:00:00 2001
>> From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?= 
>> Date: Fri, 12 Nov 2010 17:32:19 +0200
>> Subject: [PATCH] Removed hardcoded signtool dependency from win/build_all.py
>>
>> Modified win/build_all.py so that build does not fail even if the optional
>> signtool python class is not available.
> 
> What is it needed for? Is it really *always* optional? Maybe some
> setting or parameter to the script so that build can fail e.g. at
> openvpn.net if building, where signing should always be done?

If I've understood it correctly, this is related to signing the Windows
TUN/TAP driver.  So if you don't have a signing key/tool available, it
is still possible to build the rest of OpenVPN.  You might even manage
to install the unsigned TUN/TAP driver with some tweaking.


kind regards,

David Sommerseth
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzdcEoACgkQDC186MBRfroGqwCfRZoxPtTfp08Qvs+Uvi3KzjBj
Ts0AnAp3EVN3Ht2u6I6fFQ1QdQ4D+JAD
=yh6e
-END PGP SIGNATURE-

Re: [Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Peter Stuge]

Samuli Seppänen wrote:
> From 57b983dc2a1f4a31d3b7c0e2f6de7f778d234b2e Mon Sep 17 00:00:00 2001
> From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?= 
> Date: Fri, 12 Nov 2010 17:32:19 +0200
> Subject: [PATCH] Removed hardcoded signtool dependency from win/build_all.py
> 
> Modified win/build_all.py so that build does not fail even if the optional
> signtool python class is not available.

What is it needed for? Is it really *always* optional? Maybe some
setting or parameter to the script so that build can fail e.g. at
openvpn.net if building, where signing should always be done?


//Peter

[Openvpn-devel] [PATCH] Removed hardcoded signtool dependency from win/build_all.py

[Samuli Seppänen]

From 57b983dc2a1f4a31d3b7c0e2f6de7f778d234b2e Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Samuli=20Sepp=C3=A4nen?= 
Date: Fri, 12 Nov 2010 17:32:19 +0200
Subject: [PATCH] Removed hardcoded signtool dependency from win/build_all.py

Modified win/build_all.py so that build does not fail even if the optional
signtool python class is not available.
---
 win/build_all.py |   10 --
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/win/build_all.py b/win/build_all.py
index 92d2bf4..38c1645 100644
--- a/win/build_all.py
+++ b/win/build_all.py
@@ -1,7 +1,6 @@
 from config_all import main as config_all
 from build import main as build_openvpn
 from build_ddk import main as build_ddk
-from sign import main as sign
 from make_dist import main as make_dist
 
 def main(config):
@@ -9,7 +8,14 @@ def main(config):
 build_openvpn()
 build_ddk(config, 'tap', 'all')
 build_ddk(config, 'tapinstall', 'all')
-sign(config, 'all')
+
+# Sign the drivers only if "sign" module is available
+try:
+   from sign import main as sign
+   sign(config, 'all')
+except (ImportError):
+   pass
+
 make_dist(config)
 
 # if we are run directly, and not loaded as a module
-- 
1.6.3.3