• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

codesign/H03-May-2022-1,8101,041

config/H03-May-2022-2917

README.mdH A D17-Aug-20202.2 KiB7049

buildbot_utils.pyH A D30-Oct-20204.7 KiB13080

codesign_server_linux.pyH A D17-Feb-20201.3 KiB389

codesign_server_macos.pyH A D22-Jul-20201.5 KiB4216

codesign_server_windows.batH A D17-Feb-2020295 127

codesign_server_windows.pyH A D22-Jul-20201.8 KiB5519

worker_bundle_dmg.pyH A D17-Aug-202016.2 KiB552370

worker_codesign.cmakeH A D17-Aug-20201.6 KiB4540

worker_codesign.pyH A D17-Aug-20202.6 KiB7519

worker_compile.pyH A D30-Oct-20205.5 KiB13671

worker_pack.pyH A D30-Oct-20207 KiB209123

worker_test.pyH A D30-Oct-20201.3 KiB4315

worker_update.pyH A D17-Aug-20201.2 KiB328

README.md

1Blender Buildbot
2================
3
4Code signing
5------------
6
7Code signing is done as part of INSTALL target, which makes it possible to sign
8files which are aimed into a bundle and coming from a non-signed source (such as
9libraries SVN).
10
11This is achieved by specifying `worker_codesign.cmake` as a post-install script
12run by CMake. This CMake script simply involves an utility script written in
13Python which takes care of an actual signing.
14
15### Configuration
16
17Client configuration doesn't need anything special, other than variable
18`SHARED_STORAGE_DIR` pointing to a location which is watched by a server.
19This is done in `config_builder.py` file and is stored in Git (which makes it
20possible to have almost zero-configuration buildbot machines).
21
22Server configuration requires copying `config_server_template.py` under the
23name of `config_server.py` and tweaking values, which are platform-specific.
24
25#### Windows configuration
26
27There are two things which are needed on Windows in order to have code signing
28to work:
29
30- `TIMESTAMP_AUTHORITY_URL` which is most likely set http://timestamp.digicert.com
31- `CERTIFICATE_FILEPATH` which is a full file path to a PKCS #12 key (.pfx).
32
33## Tips
34
35### Self-signed certificate on Windows
36
37It is easiest to test configuration using self-signed certificate.
38
39The certificate manipulation utilities are coming with Windows SDK.
40Unfortunately, they are not added to PATH. Here is an example of how to make
41sure they are easily available:
42
43```
44set PATH=C:\Program Files (x86)\Windows Kits\10\App Certification Kit;%PATH%
45set PATH=C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64;%PATH%
46```
47
48Generate CA:
49
50```
51makecert -r -pe -n "CN=Blender Test CA" -ss CA -sr CurrentUser -a sha256 ^
52         -cy authority -sky signature -sv BlenderTestCA.pvk BlenderTestCA.cer
53```
54
55Import the generated CA:
56
57```
58certutil -user -addstore Root BlenderTestCA.cer
59```
60
61Create self-signed certificate and pack it into PKCS #12:
62
63```
64makecert -pe -n "CN=Blender Test SPC" -a sha256 -cy end ^
65         -sky signature ^
66         -ic BlenderTestCA.cer -iv BlenderTestCA.pvk ^
67         -sv BlenderTestSPC.pvk BlenderTestSPC.cer
68
69pvk2pfx -pvk BlenderTestSPC.pvk -spc BlenderTestSPC.cer -pfx BlenderTestSPC.pfx
70```