Maniphest T8268

Gpg4win: Add signed VERSION file
Closed, InvalidPublic
Actions

Assigned To
None
Authored By
ikloecker
Mon, May 18, 11:00 AM
Tags
Subscribers
ikloecker
m.eik
werner

Description

We want to add a signed VERSION file to Gpg4win so that:

  1. There is a VERSION file in the installation folder which identifies the installed version.
  2. There is a VERSION.sig file so that Kleopatra can always verify the integrity of the VERSION file.

Until Gpg4win 5.0.2, NSIS generated the VERSION file on-the-fly while generating the installer. This approach doesn't work well if we want to sign this VERSION file. I have removed the generation of this VERSION file with rWc54cf32a7beb: nsis: Don't install unsigned VERSION file.

Instead we could use the VERSION file that's created by gpg4win's configure.ac script and that contains the version number and the commit hash. I'm not sure when/how the signature should be added.

Related Objects

Event Timeline

ikloecker created this task.Mon, May 18, 11:00 AM
ikloecker added a comment.Mon, May 18, 12:25 PM

I don't think we need this. I will add a configure option to Kleopatra to control whether a VERSION file is read and verified or not. For Gpg4win this option will be off and for VSD and GPD it will be on.

werner added a comment.Mon, May 18, 2:08 PM

For the records: For GPD and VSD we create an MSI installer after the the NSIS installer has been build (it is not actually used). This is always a second build step which requires non-public build configuration files to create cusomer specific configuraions. At that MSI step we have to sign things anyway.

ikloecker closed this task as Invalid.Mon, May 18, 4:57 PM
ikloecker removed a project: gpd5x.

I'm closing this ticket again. I've opened it a bit prematurely.

Kleopatra of GPD and Kleopatra of VSD now require a signed VERSION file while Kleopatra from Gpg4win ignores the (unsigned) VERSION file that's included in Gpg4win. See {T8245}.