Enable signing Windows builds with SHA1 environment variable (GH-11279)

d3bbc524 · Steve Dower · GitHub · f0af4c54 · d3bbc524 · d3bbc524
Commit d3bbc524 authored Dec 21, 2018 by Steve Dower Committed by GitHub Dec 21, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

PCbuild/pyproject.props PCbuild/pyproject.props +3 -2

Tools/msi/sdktools.psm1 Tools/msi/sdktools.psm1 +4 -1

No files found.
--- a/PCbuild/pyproject.props
+++ b/PCbuild/pyproject.props
@@ -187,10 +187,11 @@ public override bool Execute() {
    <SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot)\bin\x86</SdkBinPath>
    <SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A@InstallationFolder)\Bin\</SdkBinPath>
    <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /q /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
+    <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /q /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
    <_MakeCatCommand Condition="Exists($(SdkBinPath))">"$(SdkBinPath)\makecat.exe"</_MakeCatCommand>
  </PropertyGroup>
-  
-  <Target Name="_SignBuild" AfterTargets="AfterBuild" Condition="'$(SigningCertificate)' != '' and $(SupportSigning)">
+
+  <Target Name="_SignBuild" AfterTargets="AfterBuild" Condition="'$(_SignCommand)' != '' and $(SupportSigning)">
    <Error Text="Unable to locate signtool.exe. Set /p:SignToolPath and rebuild" Condition="'$(_SignCommand)' == ''" />
    <Exec Command='$(_SignCommand) "$(TargetPath)" || $(_SignCommand) "$(TargetPath)" || $(_SignCommand) "$(TargetPath)"' ContinueOnError="false" />
  </Target>

--- a/Tools/msi/sdktools.psm1
+++ b/Tools/msi/sdktools.psm1
@@ -21,6 +21,9 @@ function Sign-File {
            $description = "Python";
        }
    }
+    if (-not $certsha1) {
+        $certsha1 = $env:SigningCertificateSha1;
+    }
    if (-not $certname) {
        $certname = $env:SigningCertificate;
    }
@@ -32,7 +35,7 @@ function Sign-File {
        if ($certsha1) {
            SignTool sign /sha1 $certsha1 /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
        } elseif ($certname) {
-            SignTool sign /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
+            SignTool sign /a /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
        } elseif ($certfile) {
            SignTool sign /f $certfile /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
        } else {