Codesigning On Windows

From Audacity Wiki
This page is about codesigning on Windows for release builds.

The Dongle

If you plan to codesign on Windows, you will need a USB dongle (smart card reader), so plan in advance to allow time for delivery.

  • The dongle is both a card reader AND a USB key.
  • Printed instructions are too brief/incomplete to be useful.
  • Real instructions for using it are in the USB key itself, strangely in the directory marked 'bin'.
When things get their most complicated, instructions on the website turn into Polish, so you are advised to either learn Polish before you start, or be ready to use Google Translate or a little guesswork about the English URL equivalent.
The card reader may not always be recognised by the card reader utility as a card reader when you plug it in. The card reader name in that GUI will be blank with nothing in the drop-down. If that happens:
  • Unplug the card reader, wait a moment and plug it back in.

Activating the Cert

You will need the latest Java with all security patches.

  • If you have not used Java ever, or not for a while, you will almost certainly need to update it.
  • Update it before you try to activate, as without that it is confusing as to why the process has stalled.
    • (the window asking you to install/update Java may appear behind your browser window)

Registering the Cert on Windows

The instructions for registering the cert are not quite accurate. They show a button that does not exist in the card reader GUI.

Instead:

  • Click on the button 'Detailed Information'. Then
  • Click on register Cert.

The cert will be registered in the repository.

Documentation

You will need to scan:

  • A page from your passport
  • A recent utility bill or credit card statement

Signing the Installer

This is how signing used to work....

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /f .\<YourCert>.p12 /p <YourPassword> /fd SHA256 <path-to-audacity-git>\win\Output\audacity-win-2.3.0.exe

The new way, using the dongle and setting a timestamp:

signtool sign /n "James Crook" /t http://time.certum.pl/ /fd sha256 /v <path-to-audacity-git>\win\Output\audacity-win-2.3.0.exe
To test the signing, upload the installer to Dropbox and then download it again. Then double-click to open. When you launch Audacity, you now get a warning about having downloaded from the internet, with the identity of the signing key shown.
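
A scripted check to complement the manual test above, as an added example that is not from the Audacity wiki or project: it uses PowerShell's Get-AuthenticodeSignature to confirm that the signature is valid, that the signer matches the name given to /n, and that a timestamp is present. The default installer path is a placeholder, and matching the signer by substring is an assumption that mirrors how /n selects the certificate.

```powershell
# Added example: verify the Authenticode signature of a signed installer.
# The default path is a placeholder; ExpectedSigner is the name passed to "signtool sign /n".
param(
    [string]$Installer = '.\win\Output\audacity-win-2.3.0.exe',
    [string]$ExpectedSigner = 'James Crook'
)

function Test-InstallerSignature {
    param([string]$Path, [string]$Signer)

    $problems = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the file hash matches and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    # The signer should be the cert on the dongle, not another cert in the store.
    if ($null -eq $sig.SignerCertificate) {
        $problems += 'No signer certificate found'
    } elseif ($sig.SignerCertificate.Subject -notlike "*$Signer*") {
        $problems += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Without a timestamp the signature stops validating once the cert expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'No timestamp (was /t omitted or the server unreachable?)'
    }

    # A browser-downloaded copy carries a Zone.Identifier stream (Mark of the Web);
    # a freshly built local file does not, hence the re-download test on this page.
    $motw = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path         = $Path
        Signer       = $sig.SignerCertificate.Subject
        CertExpires  = $sig.SignerCertificate.NotAfter
        Timestamped  = ($null -ne $sig.TimeStamperCertificate)
        HasMarkOfWeb = ($null -ne $motw)
        Problems     = $problems
    }
}

$result = Test-InstallerSignature -Path $Installer -Signer $ExpectedSigner
$result | Format-List
if ($result.Problems.Count -gt 0) { exit 1 }
```

Run it once on the fresh build and once on the re-downloaded copy; only the downloaded copy should report HasMarkOfWeb as True.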