Sign IDF Tools installer with 'osslsigncode', update to V1.2

Uninstaller is still unsigned, as currently building and signing in 'wine'
and running Linux osslsigncode inside Inno Setup inside wine is awkward.

Closes https://github.com/espressif/esp-idf/issues/1909
TW20810

diff --git a/.gitignore b/.gitignore
index 3124eb003ae7db9669f9445b81a49d06d776a35a..6982d5fc00916253b63cbf0a5b6ff38ae58e0069 100644 (file)
--- a/.gitignore
+++ b/.gitignore
@@ -61,6 +61,7 @@ coverage_report/
 tools/windows/tool_setup/.*
 tools/windows/tool_setup/input
 tools/windows/tool_setup/dl
+tools/windows/tool_setup/keys
 tools/windows/tool_setup/Output
 
 test_multi_heap_host

diff --git a/docs/en/get-started-cmake/windows-setup.rst b/docs/en/get-started-cmake/windows-setup.rst
index c7393c8b91cd2acd82cdb8568a29f9d0e4db8f57..ab1db32dbcf5d606d3d7c20da853071829793a0d 100644 (file)
--- a/docs/en/get-started-cmake/windows-setup.rst
+++ b/docs/en/get-started-cmake/windows-setup.rst
@@ -22,7 +22,7 @@ ESP-IDF Tools Installer
 
 The easiest way to install ESP-IDF's prerequisites is to download the ESP-IDF Tools installer from this URL:
 
-https://dl.espressif.com/dl/esp-idf-tools-setup-1.1.exe
+https://dl.espressif.com/dl/esp-idf-tools-setup-1.2.exe
 
 The installer will automatically install the ESP32 Xtensa gcc toolchain, Ninja_ build tool, and a configuration tool called mconf-idf_. The installer can also download and run installers for CMake_ and Python_ 2.7 if these are not already installed on the computer.
 

diff --git a/tools/windows/tool_setup/build_installer.sh b/tools/windows/tool_setup/build_installer.sh
index 3673d6a2455717d9dac511517c1090ae50f46227..270fa8efd9102aa4a3b5c16de690df585f9b059c 100755 (executable)
--- a/tools/windows/tool_setup/build_installer.sh
+++ b/tools/windows/tool_setup/build_installer.sh
@@ -10,25 +10,58 @@
 # - Runs ISCC under wine to compile the installer itself
 set -e
 
-mkdir -p dl input
-
-cd `dirname $0`
-pushd dl
-wget --continue "https://dl.espressif.com/dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip"
-wget --continue "https://github.com/espressif/binutils-esp32ulp/releases/download/v2.28.51-esp32ulp-20180809/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip"
-wget --continue "https://github.com/espressif/openocd-esp32/releases/download/v0.10.0-esp32-20180920/openocd-esp32-win32-0.10.0-esp32-20180920.zip"
-wget --continue "https://github.com/espressif/kconfig-frontends/releases/download/v4.6.0.0-idf-20180525/mconf-v4.6.0.0-idf-20180525-win32.zip"
-wget --continue "https://github.com/ninja-build/ninja/releases/download/v1.8.2/ninja-win.zip"
-popd
-
-rm -rf input/*
-pushd input
-unzip ../dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip
-unzip ../dl/mconf-v4.6.0.0-idf-20180525-win32.zip
-unzip ../dl/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip
-unzip ../dl/openocd-esp32-win32-0.10.0-esp32-20180920.zip
-unzip ../dl/ninja-win.zip
-popd
+if [ -z "${KEYPASSWORD}" ]; then
+    echo "KEYPASSWORD should be set"
+    exit 1
+fi
+
+if [ "$1" != "--no-download" ]; then
+
+    mkdir -p dl input
+
+    cd `dirname $0`
+    pushd dl
+    wget --continue "https://dl.espressif.com/dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip"
+    wget --continue "https://github.com/espressif/binutils-esp32ulp/releases/download/v2.28.51-esp32ulp-20180809/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip"
+    wget --continue "https://github.com/espressif/openocd-esp32/releases/download/v0.10.0-esp32-20180920/openocd-esp32-win32-0.10.0-esp32-20180920.zip"
+    wget --continue "https://github.com/espressif/kconfig-frontends/releases/download/v4.6.0.0-idf-20180525/mconf-v4.6.0.0-idf-20180525-win32.zip"
+    wget --continue "https://github.com/ninja-build/ninja/releases/download/v1.8.2/ninja-win.zip"
+    popd
+
+    rm -rf input/*
+    pushd input
+    unzip ../dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip
+    unzip ../dl/mconf-v4.6.0.0-idf-20180525-win32.zip
+    unzip ../dl/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip
+    unzip ../dl/openocd-esp32-win32-0.10.0-esp32-20180920.zip
+    unzip ../dl/ninja-win.zip
+    popd
+fi
 
 wine "C:\Program Files\Inno Setup 5\ISCC.exe" "`winepath -w ./idf_tool_setup.iss`"
 
+# sign the installer with osslsigncode, parsing the version number out of the
+# installer config
+
+VERSION=`grep "^AppVersion=" idf_tool_setup.iss | cut -d'=' -f2`
+
+echo "Signing installer..."
+
+# Note: The cert chain passed to -certs needs to contain the intermediate
+# cert(s) as well, appended after the code signing cert, or Windows may see
+# it as "Unknown Publisher"
+#
+# See https://stackoverflow.com/a/52637050 for full details
+#
+umask 770  # for the process substitution FIFO
+
+osslsigncode -certs ./keys/certchain.pem -key ./keys/key.pem \
+             -readpass <(echo "$KEYPASSWORD") \
+             -in Output/esp-idf-tools-setup-unsigned.exe \
+             -out Output/esp-idf-tools-setup-${VERSION}.exe \
+             -h sha256 \
+             -n "Espressif Systems (Shanghai) Pte. Ltd." \
+             -i "https://www.espressif.com/" \
+             -ts http://timestamp.digicert.com
+
+chmod 644 Output/esp-idf-tools-setup-${VERSION}.exe  # make up for the umask

diff --git a/tools/windows/tool_setup/idf_tool_setup.iss b/tools/windows/tool_setup/idf_tool_setup.iss
index a98bd40341230101699726a58a7a81404abca831..5ca48ab477125e7f033b98d63c2eb2d04794c4a1 100644 (file)
--- a/tools/windows/tool_setup/idf_tool_setup.iss
+++ b/tools/windows/tool_setup/idf_tool_setup.iss
@@ -2,8 +2,8 @@
 
 [Setup]
 AppName=ESP-IDF Tools
-OutputBaseFilename=esp-idf-tools-setup-1.1
 AppVersion=1.2
+OutputBaseFilename=esp-idf-tools-setup-unsigned
 
 DefaultDirName={pf}\Espressif\ESP-IDF Tools
 DefaultGroupName=ESP-IDF Tools