diff --git a/Greenshot/releases/additional_files/readme.txt.template b/Greenshot/releases/additional_files/readme.txt.template
index ee51c4254..699607d51 100644
--- a/Greenshot/releases/additional_files/readme.txt.template
+++ b/Greenshot/releases/additional_files/readme.txt.template
@@ -30,6 +30,7 @@ Fixed:
 * FEATURE-919: Allow adding of space around screenshot (use Ctrl + / Ctrl -)
 * FEATURE-945: Added environment variables resolving to the external command
 * FEATURE-949: Updated to Inno-Setup 5.5.9 for improved installer security
+* FEATURE-958: Added code-signing of Greenshot and the installer, this should help preventing security issues
 
 Open issues planned for this version:
 BUG-1872: OneDrive prevents Greenshot hotkeys from working
diff --git a/Greenshot/releases/innosetup/setup.iss.template b/Greenshot/releases/innosetup/setup.iss.template
index 9632c3f93..c38663d86 100644
--- a/Greenshot/releases/innosetup/setup.iss.template
+++ b/Greenshot/releases/innosetup/setup.iss.template
@@ -1,6 +1,7 @@
 #define ExeName "Greenshot"
 #define Version "@VERSION@"
 #define FileVersion "@FILEVERSION@"
+#define CertificatePassword GetEnv('CertificatePassword')
 
 ; Include the scripts to install .NET Framework
 ; See http://www.codeproject.com/KB/install/dotnetfx_innosetup_instal.aspx
@@ -127,6 +128,11 @@ OutputBaseFilename={#ExeName}-INSTALLER-{#FileVersion}
 OutputDir=..\
 PrivilegesRequired=none
 SetupIconFile=..\..\icons\applicationIcon\icon.ico
+; Create a SHA1 signature
+SignTool=SignTool sign /debug /fd sha1 /a /f ..\..\..\Greenshot.pfx /p {#CertificatePassword} /tr http://time.certum.pl /td sha1 $f
+; Append a SHA256 to the previous SHA1 signature (this is what as does)
+SignTool=SignTool sign /as /debug /fd sha256 /a /f ..\..\..\Greenshot.pfx /p {#CertificatePassword} /a /tr http://time.certum.pl /td sha256 $f
+SignedUninstaller=yes
 UninstallDisplayIcon={app}\{#ExeName}.exe
 Uninstallable=true
 VersionInfoCompany={#ExeName}
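Review bot: Both `SignTool=` lines in the `@@ -127,6 +128,11 @@` hunk hand the PFX password to signtool as a plain `/p {#CertificatePassword}` argument, so it is visible to anything that can read the process command line on the build agent while signtool runs, and with `/debug` on it is worth checking the ISCC output of the CI step for the expanded command before the logs are made public. The second directive repeats `/a` (once before `/f`, again before `/tr`), and the comment `(this is what as does)` looks like a typo for `(this is what /as does)`. The primary signature is SHA-1 (`/fd sha1`, `/td sha1`); if no supported target still needs a SHA-1 signature, a comment such as `; SHA1 signature kept only for <OS/version still requiring it>` above the first line would record why dual-signing is being kept rather than a SHA-256-only signature.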
diff --git a/build.ps1 b/build.ps1
index 2a5b4fb6c..726f075a3 100644
--- a/build.ps1
+++ b/build.ps1
@@ -23,8 +23,19 @@
 ################################################################
 
 $version=$env:APPVEYOR_BUILD_VERSION
+if ( !$version ) {
+	$version = "1.3.0.0"
+}
+
 $buildType=$env:build_type
+if ( !$buildType ) {
+	$buildType = "local"
+}
+
 $gitcommit=$env:APPVEYOR_REPO_COMMIT
+if ( !$gitcommit ) {
+	$gitcommit = "abcdefghijklmnopqrstuvwxy"
+}
 $gitcommit=$gitcommit.SubString(0, [math]::Min($gitcommit.Length, 7))
 $detailversion=$version + '-' + $gitcommit + " " + $buildType
 $release=(([version]$version).build) % 2 -eq 1
@@ -40,6 +51,27 @@ Function MD5($filename) {
 	return [System.BitConverter]::ToString($hash) -replace "-", ""
 }
 
+# Write the certificate to the file system, so signtool can use it
+Function PrepareCertificate() {
+	$decodedContentBytes = [System.Convert]::FromBase64String($env:Certificate)
+	$decodedContentBytes | set-content "greenshot.pfx" -encoding byte
+}
+
+# Sign the file with Signtool before they are packed in the installer / .zip etc
+Function SignBinaryFilesBeforeBuildingInstaller() {
+	$sourcebase = "$(get-location)\Greenshot\bin\Release"
+
+	$INCLUDE=@("*.exe", "*.gsp", "*.dll")
+	Get-ChildItem -Path "$sourcebase" -Recurse -Include $INCLUDE | foreach {
+		Write-Host "Signing $_"
+		$signSha1Arguments = @('sign', '/fd ', 'sha1', '/a', '/f', "$(get-location)\Greenshot.pfx", '/p', $env:CertificatePassword, '/tr', 'http://time.certum.pl', '/td', 'sha1', $_)
+		$signSha256Arguments = @('sign', '/as', '/fd ', 'sha256', '/a', '/f', "$(get-location)\Greenshot.pfx", '/p', $env:CertificatePassword, '/tr', 'http://time.certum.pl', '/td', 'sha256', $_)
+
+		Start-Process -wait -PassThru $env:SignTool -ArgumentList $signSha1Arguments -NoNewWindow
+		Start-Process -wait -PassThru $env:SignTool -ArgumentList $signSha256Arguments -NoNewWindow
+	}
+}
+
 # Fill the templates
 Function FillTemplates {
 	Write-Host "Filling templates for version $detailversion`n`n"
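Review bot: The three fallback values added at the top of this hunk (`"1.3.0.0"`, `"local"`, `"abcdefghijklmnopqrstuvwxy"`) are undocumented, and a later reader will wonder whether `1.3.0.0` is a real release number. A comment above the first `if`, such as `# Defaults for builds outside AppVeyor; the commit placeholder is truncated to 7 characters below`, would explain all three at once. With these defaults the existing `$release=(([version]$version).build) % 2 -eq 1` line yields a non-release build, which is presumably what a local run should get and is worth stating in that comment.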
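Review bot: In `SignBinaryFilesBeforeBuildingInstaller` the two `Start-Process -wait -PassThru $env:SignTool ...` results are discarded, so a failed signature (wrong password, unreachable timestamp server, missing signtool) is never noticed and the unsigned binaries are packaged anyway; `PackageInstaller` in the same file already checks `$setupResult.ExitCode`, and the same check belongs here, as in the rewrite below. The argument arrays also contain `'/fd '` with a trailing space, which Start-Process joins into `/fd  sha1` — `'/fd'` is what is meant. `PrepareCertificate` writes `greenshot.pfx` into the working directory and nothing in this diff removes it afterwards, so the key material stays on the agent next to the build output; a `Remove-Item` of that file once signing and the installer step are done would limit that exposure. Note also that this function and `PrepareCertificate` rely on `$env:Certificate`, `$env:CertificatePassword` and `$env:SignTool` being set, so a local build using the defaults from the previous hunk will presumably fail here unless the call site guards on those variables.
```powershell
	Get-ChildItem -Path "$sourcebase" -Recurse -Include $INCLUDE | foreach {
		Write-Host "Signing $_"
		# … unchanged: $signSha1Arguments / $signSha256Arguments (with '/fd' instead of '/fd ') …
		foreach ($signArguments in @($signSha1Arguments, $signSha256Arguments)) {
			$signResult = Start-Process -wait -PassThru $env:SignTool -ArgumentList $signArguments -NoNewWindow
			if ($signResult.ExitCode -ne 0) {
				throw "signtool exited with $($signResult.ExitCode) while signing $_"
			}
		}
	}
```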
@@ -237,7 +269,8 @@ Function PackageInstaller {
 	$innoSetup = "$(get-location)\packages\Tools.InnoSetup.5.5.9\tools\ISCC.exe"
 	$innoSetupFile = "$(get-location)\greenshot\releases\innosetup\setup.iss"
 	Write-Host "Starting $innoSetup $innoSetupFile"
-	$setupResult = Start-Process -wait -PassThru "$innoSetup" -ArgumentList "$innoSetupFile" -NoNewWindow -RedirectStandardOutput "$setupOutput.log" -RedirectStandardError "$setupOutput.error"
+	$arguments = @("/SSignTool=""$env:SignTool `$p""", $innoSetupFile)
+	$setupResult = Start-Process -wait -PassThru "$innoSetup" -ArgumentList $arguments -NoNewWindow -RedirectStandardOutput "$setupOutput.log" -RedirectStandardError "$setupOutput.error"
 	Write-Host "Log output:"
 	Get-Content "$setupOutput.log"| Write-Host
 	if ($setupResult.ExitCode -ne 0) {
@@ -274,9 +307,14 @@ Function TagCode {
 FillTemplates
 echo "Generating MD5"
-MD5Checksums | Set-Content "$(get-location)\Greenshot\bin\Release\checksum.MD5" -encoding UTF8
+echo "Preparing certificate"
+PrepareCertificate
+
+echo "Signing executables"
+SignBinaryFilesBeforeBuildingInstaller
+
 echo "Generating Installer"
 PackageInstaller
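Review bot: The new `$arguments = @("/SSignTool=""$env:SignTool `$p""", $innoSetupFile)` is built unconditionally, so when `$env:SignTool` is empty (the local-build case the earlier hunk adds defaults for) ISCC is handed `/SSignTool=" $p"` and the `SignTool=` directives in setup.iss will presumably fail the compile rather than skip signing; guarding with `if ($env:SignTool) { $arguments = @("/SSignTool=""$env:SignTool `$p""") + $arguments }` after `$arguments = @($innoSetupFile)` keeps unsigned local builds working. A short comment on that line noting that `$p` is Inno Setup's placeholder for the parameters from the `SignTool=` directive (hence the backtick escape) would spare the next reader a trip to the Inno docs. Separately, the following hunk of this file removes the `MD5Checksums | Set-Content ...` line but keeps the `echo "Generating MD5"` that announces it, which looks unintended unless the checksum step is re-added further down.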