Merge pull request #18 from mlocati/test-signpath

Sign binaries with SignPath
mlocati · Oct 2, 2024 · 198a2db · 198a2db
2 parents 4f56b6a + bc140c6
commit 198a2db
Show file tree

Hide file tree

Showing 9 changed files with 544 additions and 96 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+/.vscode/launch.json
diff --git a/README.md b/README.md
@@ -8,3 +8,18 @@ The tools are built with the [`build` GitHub Action](https://github.com/mlocati/
 You can download them from [the releases page](https://github.com/mlocati/gettext-iconv-windows/releases) or from the [project homepage](https://mlocati.github.io/articles/gettext-iconv-windows.html).
 
 Please refer to the official manuals for support: [here for iconv](https://www.gnu.org/software/libiconv/) and [here for gettext](https://www.gnu.org/software/gettext/).
+
+
+## Code Signing Policy
+
+Starting with gettext v0.22.5 / iconv v1.17, the build DLLs and executables are signed.
+
+Free code signing is provided by [SignPath.io](https://about.signpath.io/), certificate by [SignPath Foundation](https://signpath.org/).
+
+The source code of gettext and iconv is created and maintained by the [Free Software Foundation](https://www.fsf.org/).
+
+This gettext-iconv-windows project only compile gettext and iconv for Windows, and is maintained by [Michele Locati](https://mlocati.github.io).
+
+## Privacy policy
+
+The gettext and iconv tools do not collect personal data: they are used solely for local work.
diff --git a/build-exe/check-signature.ps1 b/build-exe/check-signature.ps1
@@ -0,0 +1,91 @@
+# Script that checks if a file (or the files in a directory) is signed
+
+param (
+    [Parameter(Mandatory = $true)]
+    [ValidateLength(1, [int]::MaxValue)]
+    [string] $Path,
+    [Parameter(Mandatory = $true)]
+    [bool] $CanBeInvalid
+)
+
+function Test-CanFileBeSigned()
+{
+    [OutputType([bool])]
+    param(
+        [Parameter(Mandatory = $true)]
+        [System.IO.FileInfo] $file
+    )
+    $excludedNames = @(
+        # Files missing details
+        # - see https://signpath.org/terms#signpath-configuration-requirements
+        # - see https://lists.gnu.org/archive/html/bug-gettext/2024-09/msg00049.html
+        'libcharset-*.dll',
+        'libgettextlib-*.dll',
+        'libgettextpo-*.dll',
+        'libgettextsrc-*.dll',
+        # MinGW-w64 files:
+        # - see https://signpath.org/terms#conditions-for-what-can-be-signed
+        # - see https://signpath.org/terms#signpath-configuration-requirements
+        # - see https://sourceforge.net/p/mingw-w64/mailman/message/58822390/
+        # - see https://github.com/niXman/mingw-builds/issues/684
+        'libatomic-*.dll', # mingw64-i686-gcc-core, mingw64-x86_64-gcc-core
+        'libgcc_s_seh-*.dll', # mingw64-x86_64-gcc-core
+        'libgcc_s_sjlj-*.dll', # mingw64-i686-gcc-core
+        'libgomp-*.dll', # mingw64-i686-gcc-core, mingw64-x86_64-gcc-core
+        'libquadmath-*.dll', # mingw64-i686-gcc-core, mingw64-x86_64-gcc-core
+        'libssp-*.dll', # mingw64-i686-gcc-core, mingw64-x86_64-gcc-core
+        'libstdc++-*.dll', # mingw64-i686-gcc, mingw64-x86_64-gcc-g++
+        'libwinpthread-*.dll' # mingw64-i686-winpthreads, mingw64-x86_64-winpthreads
+    )
+    foreach ($excludedName in $excludedNames) {
+        if ($file.Name -like $excludedName) {
+            return $false
+        }
+    }
+
+    return $true
+}
+
+function Test-File()
+{
+    param(
+        [Parameter(Mandatory = $true)]
+        [System.IO.FileInfo] $file
+    )
+    Write-Host -Object "$($file.Name)... " -NoNewLine
+    if (-not(Test-CanFileBeSigned $file)) {
+        Write-Host -Object 'skipped.'
+    } else {
+        $signature = Get-AuthenticodeSignature -FilePath $file.FullName
+        $signatureType = $signature.SignatureType
+        switch ($signatureType) {
+            { 'Authenticode', 'Catalog' -eq $_ }  {
+                $signatureStatus = $signature.Status
+                if ($signatureStatus -ne 'Valid' -and -not($CanBeInvalid)) {
+                    throw $signature.StatusMessage
+                }
+                Write-Host -Object "signed ($signatureType, $signatureStatus)"
+            }
+            'None' {
+                throw "$($file.FullName) is not signed"
+            }
+            default {
+                throw "$($file.FullName) has an unknown signature ($signatureType)"
+            }
+        }
+    }
+}
+
+if (Test-Path -LiteralPath $Path -PathType Leaf) {
+    $file = Get-Item -LiteralPath $Path
+    Test-File $file
+} elseif (Test-Path -LiteralPath $Path -PathType Container) {
+    foreach ($filter in @('*.exe', '*.dll')) {
+        $files = Get-ChildItem -LiteralPath $Path -File -Filter $filter -Recurse
+        foreach ($file in $files) {
+            Test-File $file
+        }
+    }
+} else {
+    throw "Unable to find the file or directory $Path"
+}
diff --git a/build-exe/create-installer.iss b/build-exe/create-installer.iss
@@ -9,7 +9,7 @@
 
 [Setup]
 AppId=gettext-iconv
-AppName="gettext + iconv - {#MyVersionShownName}"
+AppName="gettext + iconv"
 AppVerName="gettext {#MyGettextVer} + iconv {#MyIconvVer} - {#MyVersionShownName}"
 DefaultDirName={commonpf}\gettext-iconv
 AppPublisher=Michele Locati
@@ -25,6 +25,7 @@ Compression=lzma2/max
 LicenseFile={#MyCompiledFolderPath}\license.txt
 OutputDir=setup
 OutputBaseFilename=gettext{#MyGettextVer}-iconv{#MyIconvVer}-{#MyVersionCodeName}
+VersionInfoProductTextVersion=1.0
 
 [Files]
 Source: "{#MyCompiledFolderPath}\*.*"; DestDir: "{app}"; Flags: recursesubdirs

diff --git a/build-exe/create-installer.ps1 b/build-exe/create-installer.ps1
@@ -17,6 +17,9 @@ param (
     [string] $OutputDirectory
 )
 
+$SourceDirectory = [System.IO.Path]::GetFullPath($SourceDirectory)
+$OutputDirectory = [System.IO.Path]::GetFullPath($OutputDirectory)
+
 function GetIssSourceFile()
 {
     [OutputType([string])]

diff --git a/build-exe/create-output.sh b/build-exe/create-output.sh
@@ -78,21 +78,23 @@ fi
 
 mkdir -p "$DESTINATION/share/gettext"
 
-copyFile "$SOURCE/cldr-license.txt" text
 copyFile "$SOURCE/iconv-license.txt" text
-copyFile "$SOURCE/gettext-license.txt" text
 for i in $(find "$SOURCE/bin/" -name '*.exe' -o -name '*.dll'); do
     copyFile "$i" binary
 done
-copyFile "$SOURCE/lib/gettext/cldr-plurals.exe" binary bin/cldr-plurals.exe
 if [ -f "$SOURCE/lib/charset.alias" ]; then
     copyFile "$SOURCE/lib/charset.alias"
 fi
 for i in $(find "$SOURCE/share/doc" -maxdepth 2 -type f ! -iname '*.3.html' ! -iname 'autopoint.1.html' ! -iname 'gettextize.1.html'); do
     copyFile "$i" doc
 done
-cp -r "$SOURCE/share/locale" "$DESTINATION/share/"
-cp -r "$SOURCE/share/gettext/styles" "$DESTINATION/share/gettext/"
-cp -r $SOURCE/share/gettext-*/its "$DESTINATION/share/gettext"
-copyFile "$SOURCE/share/gettext/msgunfmt.tcl"
-copyFile "$SOURCE/cldr-plurals.xml" '' lib/gettext/common/supplemental/plurals.xml
+if [ "${BUILD_ONLY_ICONV:-}" != y ]; then
+    copyFile "$SOURCE/cldr-license.txt" text
+    copyFile "$SOURCE/gettext-license.txt" text
+    copyFile "$SOURCE/lib/gettext/cldr-plurals.exe" binary bin/cldr-plurals.exe
+    cp -r "$SOURCE/share/locale" "$DESTINATION/share/"
+    cp -r "$SOURCE/share/gettext/styles" "$DESTINATION/share/gettext/"
+    cp -r $SOURCE/share/gettext-*/its "$DESTINATION/share/gettext"
+    copyFile "$SOURCE/share/gettext/msgunfmt.tcl"
+    copyFile "$SOURCE/cldr-plurals.xml" '' lib/gettext/common/supplemental/plurals.xml
+fi
diff --git a/build-exe/process-dependencies.ps1 b/build-exe/process-dependencies.ps1
@@ -74,6 +74,56 @@ function Get-Dependencies()
     $dependencies | Sort-Object
 }
 
+function Get-ImportedFunctions()
+{
+    [OutputType([string[]])]
+    param(
+        [Parameter(Mandatory = $true)]
+        [System.IO.FileInfo] $importer,
+        [Parameter(Mandatory = $true)]
+        [System.IO.FileInfo] $dllName
+    )
+    $dumpbinResult = & "$dumpbin" /NOLOGO /DEPENDENTS $importer.FullName "/IMPORTS:$dllName"
+    if (-not($?)) {
+        throw "dumpbin failed to analyze the file $($importer)"
+    }
+    $state = 0
+    $result = @()
+    foreach ($line in $dumpbinResult) {
+        if ($line -eq '') {
+            continue
+        }
+        if ($line -match '^ *Summary$') {
+            break;
+        }
+        if ($state -eq 0) {
+            if ($line -match '^\s*Section contains the following imports:\s*$') {
+                $state = 1
+            }
+        } elseif ($state -eq 1) {
+            if ($line -like "* $dllName") {
+                $state = 2
+            }
+        } elseif (-not($line -match '^       .*')) {
+            break
+        } elseif ($state -eq 2) {
+             if ($line -match '^\s*\d+\s+Index of first forwarder reference$') {
+                $state = 3
+             }
+        } else {
+            if ($state -ne 3)  {
+                throw 'Processing failed'
+            }
+            if (-not($line -match '^\s*[0-9A-Fa-f]+\s*(\w+)$')) {
+                throw 'Processing failed'
+            }
+            $result += $matches[1]
+        }
+    }
+    return $result
+}
+
+
 class Binary
 {
     [System.IO.FileInfo] $File
@@ -87,7 +137,7 @@ class Binary
 
 class Binaries
 {
-    [bool] $MinGWFilesAdded = $false
+    [string[]] $MinGWFilesAdded = @()
 
     [Binary[]] $Items
 
@@ -164,7 +214,7 @@ class Binaries
                 $newFile = Get-ChildItem -LiteralPath $newFilePath -File
                 $newBinary = [Binary]::new($newFile)
                 $this.Add($newBinary)
-                $this.MinGWFilesAdded = $true
+                $this.MinGWFilesAdded += $dependency
             }
         }
     }
@@ -182,6 +232,23 @@ class Binaries
                 Write-Host -Object '  (none)'
             }
         }
+        if ($this.MinGWFilesAdded) {
+            Write-Host -Object ''
+            foreach ($minGWFileAdded in $this.MinGWFilesAdded) {
+                Write-Host -Object "$minGWFileAdded added beause:"
+                foreach ($binary in $binaries) {
+                    $functions = Get-ImportedFunctions $binary.File $minGWFileAdded
+                    if (-not($functions)) {
+                        continue
+                    }
+                    if ($this.MinGWFilesAdded -contains $binary.File.Name.ToLowerInvariant()) {
+                        Write-Host -Object "  - $($binary.File.Name) requires it"
+                    } else {
+                        Write-Host -Object "  - $($binary.File.Name) uses its functions: $($functions -join ', ')"
+                    }
+                }
+            }
+        }
     }
 }
 
@@ -201,7 +268,7 @@ $binaries.AddMingwDlls($mingwBinPath)
 if ($binaries.MinGWFilesAdded) {
     Write-Host -Object "Adding MinGW-w64 license"
     $mingwLicenseFile = Join-Path -Path $OutputPath -ChildPath 'mingw-w64-license.txt'
-    $mingwLicense = $(Invoke-WebRequest -Uri 'https://sourceforge.net/p/mingw-w64/mingw-w64/ci/master/tree/COPYING.MinGW-w64-runtime/COPYING.MinGW-w64-runtime.txt?format=raw').ToString()
+    $mingwLicense = $(Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/niXman/mingw-builds/refs/heads/develop/COPYING.TXT').ToString()
     $mingwLicense -ireplace "`r`n","`n" -ireplace "`n","`r`n" | Set-Content -LiteralPath $mingwLicenseFile -NoNewline -Encoding utf8
 }