From d3bbc5241363d5fa4e749fe509c97c12501ae966 Mon Sep 17 00:00:00 2001
From: Steve Dower
Date: Fri, 21 Dec 2018 13:48:18 -0800
Subject: Enable signing Windows builds with SHA1 environment variable (GH-11279)
---
 PCbuild/pyproject.props | 5 +++--
 Tools/msi/sdktools.psm1 | 5 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/PCbuild/pyproject.props b/PCbuild/pyproject.props
index cf85e1b..b058016 100644
--- a/PCbuild/pyproject.props
+++ b/PCbuild/pyproject.props
@@ -187,10 +187,11 @@ public override bool Execute() { $(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot)\bin\x86 $(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A@InstallationFolder)\Bin\ <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /q /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)" + <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /q /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)" <_MakeCatCommand Condition="Exists($(SdkBinPath))">"$(SdkBinPath)\makecat.exe" - - + +
diff --git a/Tools/msi/sdktools.psm1 b/Tools/msi/sdktools.psm1
index 81a74d3..61edb34 100644
--- a/Tools/msi/sdktools.psm1
+++ b/Tools/msi/sdktools.psm1
@@ -21,6 +21,9 @@ function Sign-File {
 $description = "Python";
 }
 }
+ if (-not $certsha1) {
+ $certsha1 = $env:SigningCertificateSha1;
+ }
 if (-not $certname) {
 $certname = $env:SigningCertificate;
 }
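Review bot: The added thumbprint `_SignCommand` in PCbuild/pyproject.props still timestamps with `/t`, the legacy Authenticode protocol, so the file digest is SHA-256 (`/fd sha256`) while the countersignature is typically SHA-1; `/td` only takes effect together with `/tr`. I would change the new line to use `/tr <RFC3161_TIMESTAMP_URL> /td sha256` (placeholder for the RFC 3161 endpoint of the chosen timestamp authority); the same applies to the existing name-based `_SignCommand` and to the three `SignTool sign` lines in the `@@ -32,7 +35,7 @@` hunk of Tools/msi/sdktools.psm1. Separately, when both `SigningCertificate` and `SigningCertificateSha1` are set, both conditions hold and the later definition wins, so a comment such as `<!-- SigningCertificateSha1 takes precedence over SigningCertificate when both are set -->` would make that deliberate. The enclosing property group starts outside the hunk.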
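Review bot: In the `@@ -21,6 +21,9 @@` hunk of Tools/msi/sdktools.psm1, the new fallback fills `$certsha1` from `$env:SigningCertificateSha1` even when the caller supplied `$certname` or `$certfile`, and the selection chain later in this function tests `$certsha1` first, so an ambient environment variable overrides a certificate that was requested explicitly. I would consult the environment only when no certificate argument was given: `if (-not $certsha1 -and -not $certname -and -not $certfile) { $certsha1 = $env:SigningCertificateSha1; }`. The parameter block of `Sign-File` is outside the hunk, so this assumes those three variables are its parameters. The existing `$env:SigningCertificate` fallback appears to have the same shape with respect to `$certfile`.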
@@ -32,7 +35,7 @@ function Sign-File {
 if ($certsha1) {
 SignTool sign /sha1 $certsha1 /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
 } elseif ($certname) {
- SignTool sign /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
+ SignTool sign /a /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
 } elseif ($certfile) {
 SignTool sign /f $certfile /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
 } else {
--
cgit v0.12
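Review bot: Adding `/a` to the `/n $certname` branch changes the failure mode: without it SignTool expects exactly one matching certificate, with it SignTool picks the match that is valid for the longest time, and `/n` matches on a substring of the subject name. On a build machine whose store holds more than one certificate matching that name (renewed, test or similarly named), the signing identity is then chosen implicitly instead of the build stopping. I would add a comment above the branch, `# /a: several certs may match $certname; SignTool picks the longest-valid one. Use $certsha1 / SigningCertificateSha1 to pin the release cert.`, and have release builds use the thumbprint path. The exit status of `SignTool sign` is not checked in the visible lines; the rest of `Sign-File` is outside the hunk, so confirm that a failed signature stops the build.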