09fe2d9 release: update docs to show basic codesigning procedure (Cory Fields)
f642753 release: create a bundle for the new signing script (Cory Fields)
0068361 release: add win detached sig creator and our cert chain (Cory Fields)
Tree-SHA512: 032ad84697c70faaf857b9187f548282722cffca95d658e36413dc048ff02d9183253373254ffcc1158afb71140753f35abfc9fc8781ea5329c04d13c98759c0
Also change the mac filename to match
The procedure remains the same, but now there's a nifty script to automate
the signing process.
Future steps:
- Build osslsigncode in the gitian-win descriptor so that the signer itself is
deterministic.
- Verify in the gitian-win-signer descriptor that the expected cert chain was
used.
Ubuntu 16.04 "xenial xerus" does not come with Python 2.x by default.
It is possible to install a python-2.7 package, but this has its own
problem: no `python` or `python2` symlink (see #7717).
This fixes the following scripts to work with python 3:
- `make check` (bctest,py, bitcoin-util-test.py)
- `make translate` (extract_strings_qt.py)
- `make symbols-check` (symbol-check.py)
- `make security-check` (security-check.py)
Explicitly call the python commands using $(PYTHON) instead
of relying on the interpreter line at the top of the scripts.
Rather than fetching a signature.tar.gz from somewhere on the net, instruct
Gitian to use a signature from a tag in the bitcoin-detached-sigs repository
which corresponds to the tag of the release being built.
This changes detached-sig-apply.sh to take a dirname rather than a tarball as
an argument, though detached-sig-create.sh still outputs a tarball for
convenience.
Code signing failed for me on OSX 10.9.5 because the
Versions/Current symbolic links were being replaced
with a duplicate copy of the frameworks' code.
Releases were bigger than they needed to be, for the
same reason.
The approach from 65f3fa8d1 worked for signing on 10.9.4, but not newer
versions. 10.9.5 (and up) want each framework to stand alone.
Now in addition to copying the plist's from Qt for each framework, we put them
in per-version dirs and only symlink to the latest, rather than using symlinks
for any contents.
Starting with 10.9, Framework versions must be signed individually, rather
than as a single bundle version, in order to be properly codesigned. This
change ensures that the proper plist files and symlinks are present prior to
packaging.
When QT is linked statically, macdeploy can't infer its paths. While plugins
and frameworks don't need to be packaged, translations still do (for now).