1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
|
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#############################################################################
#
# Copyright (C) 2023 The Qt Company Ltd.
# Contact: https://www.qt.io/licensing/
#
# This file is part of the release tools of the Qt Toolkit.
#
# $QT_BEGIN_LICENSE:GPL-EXCEPT$
# Commercial License Usage
# Licensees holding valid commercial Qt licenses may use this file in
# accordance with the commercial license agreement provided with the
# Software or, alternatively, in accordance with the terms contained in
# a written agreement between you and The Qt Company. For licensing terms
# and conditions see https://www.qt.io/terms-conditions. For further
# information use the contact form at https://www.qt.io/contact-us.
#
# GNU General Public License Usage
# Alternatively, this file may be used under the terms of the GNU
# General Public License version 3 as published by the Free Software
# Foundation with exceptions as appearing in the file LICENSE.GPL3-EXCEPT
# included in the packaging of this file. Please review the following
# information to ensure the GNU General Public License requirements will
# be met: https://www.gnu.org/licenses/gpl-3.0.html.
#
# $QT_END_LICENSE$
#
#############################################################################
import argparse
import os
import subprocess
import sys
from configparser import ConfigParser
from datetime import datetime
from pathlib import Path
from subprocess import DEVNULL
from time import time
from typing import List
import pysftp # type: ignore
from cryptography.fernet import Fernet
from installer_utils import PackagingError
from logging_util import init_logger
log = init_logger(__name__, debug_mode=False)
timestamp = datetime.fromtimestamp(time()).strftime('%Y-%m-%d--%H:%M:%S')
def _get_home_dir() -> str:
home_dir = os.getenv("HOME") or os.getenv("USERPROFILE")
if not home_dir:
raise PackagingError("Failed to determine home directory.")
return home_dir
def _get_private_key() -> bytes:
log.info("Return the private key in the build agent")
k_path = Path(_get_home_dir(), "sshkeys", os.environ["ID_RSA_FILE"]).resolve(strict=True)
with open(k_path, "rb") as private_key:
return private_key.read()
def _get_decrypt_key() -> bytes:
log.info("Return the pre-generated Fernet key")
k_path = Path(os.environ["PKG_NODE_ROOT"], os.environ["FILES_SHARE_PATH"]).resolve(strict=True)
with open(k_path, "rb") as decrypt_key:
return decrypt_key.read()
def _handle_signing(file_path: str) -> None:
config = ConfigParser()
config.read(os.path.basename(os.environ["WINDOWS_SIGNKEYS_PATH"]))
section = config.sections()[0]
if section in config:
kvu = config[section]['kvu']
kvi = config[section]['kvi']
kvs = config[section]['kvs']
kvc = config[section]['kvc']
tr_sect = config[section]['tr']
cmd_args_sign = ["AzureSignTool.exe", "sign", "-kvu", kvu, "-kvi", kvi, "-kvs", kvs, "-kvc", kvc, "-tr", tr_sect, "-v", file_path]
log_entry = cmd_args_sign[:]
log_entry[3] = "****"
log_entry[5] = "****"
log_entry[7] = "****"
log_entry[9] = "****"
log_entry[11] = "****"
log.info("Calling: %s", ' '.join(log_entry))
sign_result = subprocess.run(cmd_args_sign, stdout=DEVNULL, stderr=DEVNULL, check=False)
if sign_result.returncode != 0:
raise PackagingError(f"Package {file_path} signing with error {sign_result.returncode}")
log.info("Successfully signed: %s", file_path)
signtool = Path(os.environ["WINDOWS_SIGNTOOL_X64_PATH"]).name
cmd_args_verify: List[str] = [signtool, "verify", "-pa", file_path]
verify_result = subprocess.run(cmd_args_verify, stdout=DEVNULL, stderr=DEVNULL, check=False)
if verify_result.returncode != 0:
raise PackagingError(f"Failed to verify {file_path} with error {verify_result.returncode}")
log.info("Successfully verified: %s", file_path)
def decrypt_private_key() -> str:
log.info("decrypt private key using pre-generated Fernet key")
key = _get_decrypt_key()
fernet = Fernet(key)
decrypted_key = fernet.decrypt(_get_private_key())
temp_key_path = os.environ["PKG_NODE_ROOT"]
temp_file = os.path.join(temp_key_path, "temp_keyfile")
with open(temp_file, 'wb') as outfile:
outfile.write(decrypted_key)
return temp_file
def download_signing_tools(path_to_key: str) -> None:
try:
cnopts = pysftp.CnOpts()
cnopts.hostkeys = None
with pysftp.Connection(os.getenv("SFTP_ADDRESS"), username=os.getenv("SFTP_USER"), private_key=path_to_key, cnopts=cnopts) as sftp:
sftp.get(os.getenv("WINDOWS_SIGNKEYS_PATH"))
sftp.get(os.getenv("WINDOWS_SIGNTOOL_X64_PATH"))
except pysftp.SSHException:
raise PackagingError("FTP authentication failed!") from None
def sign_executable(file_path: str) -> None:
log.info("Signing: %s", file_path)
try:
key_path: str = decrypt_private_key()
download_signing_tools(key_path)
path = Path(file_path)
if path.is_dir():
for subpath in path.rglob('*'):
if subpath.is_file() and subpath.suffix in ['.exe', '.dll', '.pyd']:
_handle_signing(str(subpath))
else:
_handle_signing(file_path)
finally:
# cleanup temporary files
if "key_path" in locals():
os.remove(key_path)
os.remove(os.path.basename(os.environ["WINDOWS_SIGNKEYS_PATH"]))
os.remove(os.path.basename(os.environ["WINDOWS_SIGNTOOL_X64_PATH"]))
def main() -> None:
"""Main"""
parser = argparse.ArgumentParser(prog="Codesign Windows executables and DLLs")
parser.add_argument("--file", dest="file_to_sign", required=True, help="File or directory to sign")
args = parser.parse_args(sys.argv[1:])
sign_executable(args.file_to_sign)
if __name__ == "__main__":
main()
|
