annotate deploy/win64/build-and-package.bat @ 2265:d33dff02b39b sandbox-notarize

Work on sandboxing (possibly) and using the hardened runtime for notarization. Supply appropriate bundle ID for helpers as well as main application, and request inherited sandbox entitlements. Currently works with sandboxing (apparently) but not yet with the hardened runtime, where we can't load plugins signed by third parties even with the com.apple.security.cs.disable-library-validation entitlement because their team IDs don't match the host. Possibly that exception is supposed to be requested some other way?
author Chris Cannam
date Thu, 25 Apr 2019 16:46:02 +0100
parents 3158bb4e2ce9
children f66d46032782
rev   line source
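rem Run this from within the top-level SV dir: deploy\win64\build-and-package.bat
rem
rem Builds the 32-bit and 64-bit releases, packages each as an MSI with WiX,
rem and, when the first argument is "sign", Authenticode-signs the built
rem binaries and both MSIs with the certificate whose subject matches NAME.
rem
rem Exit status: 2 if a prerequisite is missing, the failing tool's status if
rem a build or packaging step fails, 1 if a signing or verification step
rem fails, 0 otherwise. PATH is only restored on the success path.
rem
rem NOTE(review): signing uses a SHA-1 file digest together with the legacy
rem /t timestamp protocol. If the certificate and the signtool version on
rem PATH allow it, prefer /fd sha256 with an RFC 3161 timestamp requested
rem through /tr and /td sha256. Left unchanged here because it alters the
rem released artefacts and needs confirming against the timestamp service.

set STARTPWD=%CD%

if not exist "C:\Program Files (x86)\SMLNJ\bin" (
    @echo Could not find SML/NJ, required for Repoint
    @exit /b 2
)

if not exist "C:\Program Files (x86)\WiX Toolset v3.11\bin" (
    @echo Could not find WiX Toolset
    @exit /b 2
)

set ORIGINALPATH=%PATH%
set PATH=C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin;%PATH%
set NAME=Open Source Developer, Christopher Cannam

rem Strip surrounding quotes from the first argument so that a quoted or
rem empty value cannot break the comparisons below.
set "ARG=%~1"
shift

rem Inside a parenthesised block the errorlevel variable is expanded once,
rem when the whole block is parsed, so passing it to exit would report the
rem value from before the block, normally 0, even though signing failed.
rem Every signing failure therefore exits with a literal 1.
if "%ARG%" == "sign" (
    @echo NOTE: sign option specified, will attempt to codesign exe and msi
    @echo NOTE: starting by codesigning an unrelated executable, so we know
    @echo NOTE: whether it'll work before doing the entire build
    copy sv-dependency-builds\win64-msvc\bin\capnp.exe signtest.exe
    signtool sign /v /n "%NAME%" /t http://time.certum.pl /fd sha1 signtest.exe
    if errorlevel 1 exit /b 1
    signtool verify /pa signtest.exe
    if errorlevel 1 exit /b 1
    del signtest.exe
    @echo NOTE: success
) else (
    @echo NOTE: sign option not specified, will not codesign anything
)

@echo ""
@echo Rebuilding 32-bit

cd /d "%STARTPWD%"
del /q /s build_win32
call .\deploy\win32\build-32.bat
if %errorlevel% neq 0 exit /b %errorlevel%

rem A signing failure stops the run, so an unsigned binary is never packaged
rem when signing was requested.
if "%ARG%" == "sign" (
    @echo Signing 32-bit executables and libraries
    signtool sign /v /n "%NAME%" /t http://time.certum.pl /fd sha1 build_win32\release\*.exe build_win32\release\*.dll
    if errorlevel 1 exit /b 1
)

@echo Rebuilding 64-bit

cd /d "%STARTPWD%"
del /q /s build_win64
call .\deploy\win64\build-64.bat
if %errorlevel% neq 0 exit /b %errorlevel%

rem The executables signed here must be the 64-bit ones. Pointing this step
rem at the 32-bit release directory would leave the 64-bit executables
rem unsigned inside the 64-bit package.
if "%ARG%" == "sign" (
    @echo Signing 64-bit executables and libraries
    signtool sign /v /n "%NAME%" /t http://time.certum.pl /fd sha1 build_win64\release\*.exe build_win64\release\*.dll
    if errorlevel 1 exit /b 1
)

set PATH=%PATH%;"C:\Program Files (x86)\WiX Toolset v3.11\bin"

@echo Packaging 32-bit

rem Stop if the build directory is missing, so the deletes and the WiX tools
rem never run in the wrong directory.
cd /d "%STARTPWD%\build_win32" || exit /b 1
del sonic-visualiser.msi
candle -v ..\deploy\win32\sonic-visualiser.wxs
rem Check the compile step as well as the link step, so that light cannot
rem link a stale object file left behind by an earlier failed run.
if %errorlevel% neq 0 exit /b %errorlevel%
light -b . -ext WixUIExtension -ext WixUtilExtension -v sonic-visualiser.wixobj
if %errorlevel% neq 0 exit /b %errorlevel%
del sonic-visualiser.wixobj
del sonic-visualiser.wixpdb

if "%ARG%" == "sign" (
    @echo Signing 32-bit package
    signtool sign /v /n "%NAME%" /t http://time.certum.pl /fd sha1 sonic-visualiser.msi
    if errorlevel 1 exit /b 1
    signtool verify /pa sonic-visualiser.msi
    if errorlevel 1 exit /b 1
)

@echo Packaging 64-bit

cd /d "%STARTPWD%\build_win64" || exit /b 1
del sonic-visualiser.msi
candle -v ..\deploy\win64\sonic-visualiser.wxs
if %errorlevel% neq 0 exit /b %errorlevel%
light -b . -ext WixUIExtension -ext WixUtilExtension -v sonic-visualiser.wixobj
if %errorlevel% neq 0 exit /b %errorlevel%
del sonic-visualiser.wixobj
del sonic-visualiser.wixpdb

if "%ARG%" == "sign" (
    @echo Signing 64-bit package
    signtool sign /v /n "%NAME%" /t http://time.certum.pl /fd sha1 sonic-visualiser.msi
    if errorlevel 1 exit /b 1
    signtool verify /pa sonic-visualiser.msi
    if errorlevel 1 exit /b 1
)

set PATH=%ORIGINALPATH%

@echo Done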