Fedora Media Writer Building and Signing

Description

Whenever a new version of Fedora Media Writer is available, it is required to build and code sign it.

Action

Windows

#. Get a windows code signing key from private ansible repository. It is in the ansible-private/files/code-signing/ directory

  1. Convert the .cert formatted certificate to .pxf format:

    $ openssl pkcs12 -export -in code-signing.crt -inkey code-signing.key -out authenticode.pfx
  2. Clone the Fedora Media Writer git repo:

    $ git clone https://github.com/MartinBriza/MediaWriter.git
  3. Checkout the release tag for which the executable to be created:

    $ git checkout tags/<release_number>
  4. The script to build and sign the executable is available at dist/win/build.sh

  5. Get the mingw-mediawriter from koji. Make sure the version is the one that needs building and signing.

  6. Install the remaining packages that are listed under PACKAGES variable in build.sh script.

  7. Export CERTPATH to the location where the .pfx file is located and make sure its named as authenticode.pfx and export CERTPASS to the file that contains the password used in creating .pvk file.

  8. Run the build.sh script:

    $ ./build.sh

Verification

The FedoraMediaWriter-win32-<release_number>.exe is located under dist/win/ directory.

OS X:

Build:

  1. install xcode 8.1 from apple store.

  2. Open a terminal and run the following commands

    :

    $ git clone https://github.com/MartinBriza/MediaWriter $ cd MediaWriter $ mkdir build $ cd build $ $QT_PREFIX/$QT_VERSION/clang64/bin/qmake .. $ make $ cp build/helper/mac/helper.app/Contents/MacOS/helper build/app/FedoraMediaWriter.app/Contents/MacOS/ $ cd build/app $ $QT_PREFIX/$QT_VERSION/clang_64/bin/macdeployqt "Fedora Media Writer.app" -executable="Fedora Media Writer.app/Contents/MacOS/helper" -qmldir="../../app"

Prepare certificates

This only needs to happen once per build machine, and prepares the certificates by requesting them from Apple.

  1. Install Xcode from the Mac App store

  2. Start Xcode

  3. Press Command-, (or in the menu bar click Xcode → Preferences)

  4. Go to Accounts tab

  5. Click the plus button and sign in

  6. Select the new account

  7. Select the correct team

  8. Click View Details

  9. Under "Signing Identities", find "Developer ID Application"

  10. Click Create

  11. Wait until the button disappears

  12. Done

Sign and DMG

  1. Open a terminal

  2. cd to the root directory of the FMW project

  3. Run the following bash script:

    #/bin/bash
    
    security -v unlock-keychain login.keychain
    
    # First sign all dynamic libraries (dylib's)
    cd "build/app/Fedora Media Writer.app"
    for dylib in $(find  . -name "*dylib")
    do
    codesign -s "Developer ID Application: Fedora Gilmore" -v $dylib
    done
    # Now sign framework bundles
    for framework in $(find  . -name "*framework")
    do
    codesign -s "Developer ID Application: Fedora Gilmore" -v $framework
    done
    
    # Sign the two binaries
    codesign -s "Developer ID Application: Fedora Gilmore" -v Contents/MacOS/helper
    codesign -s "Developer ID Application: Fedora Gilmore" -v "Contents/MacOS/Fedora Media Writer"
    
    # Sign the app bundle
    codesign -s "Developer ID Application: Fedora Gilmore" -v .
    
    # Create the dmg
    cd ..
    rm -f FedoraMediaWriter-osx-*.dmg
    
    hdiutil create -srcfolder "Fedora Media Writer.app"  -format UDCO -imagekey zlib-level=9 -scrub \
                   -volname FedoraMediaWriter-osx FedoraMediaWriter-osx-$(git  describe --tags).dmg

Account Email(OS X)

Account Holders(OS X)

  1. Primary: Dennis Gilmore(ausil)

  2. Backup: Kevin Fenzi(kevin)

  3. Manager/bill-payer: Paul Frields(pfrields)

Sync binaries to the web

copy both files to /srv/web/fmw on sundries01 create symlinks to the FedoraMediaWriter-win32-latest.exe and FedoraMediaWriter-osx-latest.dmg

Consider Before Running

Nothing yet.

Issue with signing

If the build is done but it is not signed then try editing the build.sh and add -askpass argument for all the osslsigncode commands and run the script, when it asks for the password you can enter the password that was used in creating .pvk file.