From 93c59ffbd94190ab244972beb63fbb364dda6171 Mon Sep 17 00:00:00 2001 From: Nikolaj Bjorner Date: Tue, 11 Dec 2018 15:48:33 -0800 Subject: [PATCH 1/2] update script to sign assembly Signed-off-by: Nikolaj Bjorner --- scripts/mk_util.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/mk_util.py b/scripts/mk_util.py index 83ae3d455..e4e8728fe 100644 --- a/scripts/mk_util.py +++ b/scripts/mk_util.py @@ -1867,6 +1867,7 @@ class DotNetCoreDLLComponent(Component): key = "" if not self.key_file is None: key = "%s" % self.key_file + key += "\ntrue" if VS_X64: platform = 'x64' From 02f01fcef1ac7f390bcd54dd9113a53e8e75bcfa Mon Sep 17 00:00:00 2001 From: Nikolaj Bjorner Date: Tue, 11 Dec 2018 17:31:09 -0800 Subject: [PATCH 2/2] adding esrp feature Signed-off-by: Nikolaj Bjorner --- scripts/mk_util.py | 78 +++++++++++++++++++++++++++++++++++++++--- scripts/mk_win_dist.py | 11 +++++- 2 files changed, 84 insertions(+), 5 deletions(-) diff --git a/scripts/mk_util.py b/scripts/mk_util.py index e4e8728fe..ad643c9ba 100644 --- a/scripts/mk_util.py +++ b/scripts/mk_util.py @@ -90,6 +90,7 @@ TRACE = False PYTHON_ENABLED=False DOTNET_ENABLED=False DOTNET_CORE_ENABLED=False +ESRP_SIGN=False DOTNET_KEY_FILE=getenv("Z3_DOTNET_KEY_FILE", None) JAVA_ENABLED=False ML_ENABLED=False 
@@ -706,14 +707,14 @@ def display_help(exit_code): # Parse configuration option for mk_make script def parse_options(): global VERBOSE, DEBUG_MODE, IS_WINDOWS, VS_X64, ONLY_MAKEFILES, SHOW_CPPS, VS_PROJ, TRACE, VS_PAR, VS_PAR_NUM - global DOTNET_ENABLED, DOTNET_CORE_ENABLED, DOTNET_KEY_FILE, JAVA_ENABLED, ML_ENABLED, JS_ENABLED, STATIC_LIB, STATIC_BIN, PREFIX, GMP, PYTHON_PACKAGE_DIR, GPROF, GIT_HASH, GIT_DESCRIBE, PYTHON_INSTALL_ENABLED, PYTHON_ENABLED + global DOTNET_ENABLED, DOTNET_CORE_ENABLED, DOTNET_KEY_FILE, JAVA_ENABLED, ML_ENABLED, JS_ENABLED, STATIC_LIB, STATIC_BIN, PREFIX, GMP, PYTHON_PACKAGE_DIR, GPROF, GIT_HASH, GIT_DESCRIBE, PYTHON_INSTALL_ENABLED, PYTHON_ENABLED, ESRP_SIGN global LINUX_X64, SLOW_OPTIMIZE, USE_OMP, LOG_SYNC global GUARD_CF, ALWAYS_DYNAMIC_BASE try: options, remainder = getopt.gnu_getopt(sys.argv[1:], 'b:df:sxhmcvtnp:gj', ['build=', 'debug', 'silent', 'x64', 'help', 'makefiles', 'showcpp', 'vsproj', 'guardcf', - 'trace', 'dotnet', 'dotnetcore', 'dotnet-key=', 'staticlib', 'prefix=', 'gmp', 'java', 'parallel=', 'gprof', 'js', + 'trace', 'dotnet', 'dotnetcore', 'dotnet-key=', 'esrp', 'staticlib', 'prefix=', 'gmp', 'java', 'parallel=', 'gprof', 'js', 'githash=', 'git-describe', 'x86', 'ml', 'optimize', 'noomp', 'pypkgdir=', 'python', 'staticbin', 'log-sync']) except: print("ERROR: Invalid command line option") @@ -751,6 +752,8 @@ def parse_options(): DOTNET_CORE_ENABLED = True elif opt in ('--dotnet-key'): DOTNET_KEY_FILE = arg + elif opt in ('--esrp'): + ESRP_SIGN = True elif opt in ('--staticlib'): STATIC_LIB = True elif opt in ('--staticbin'): 
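Review bot: `elif opt in ('--esrp'):` in the second `parse_options` hunk is a substring test against the string `'--esrp'`, not tuple membership, because the parentheses alone do not make a tuple. It copies the neighbouring `('--dotnet-key')` branch, but any option whose text occurs inside `--esrp` and reaches this branch would also switch signing on. `elif opt == '--esrp':`, as mk_win_dist.py writes it in this same commit, is exact. The visible hunks do not touch the `display_help` text of mk_util.py, so `--esrp` may be undocumented there. `parse_options` starts and ends outside both hunks.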
@@ -1922,10 +1925,76 @@ class DotNetCoreDLLComponent(Component): dotnetCmdLine.extend(['-o', path]) MakeRuleCmd.write_cmd(out, ' '.join(dotnetCmdLine)) - - out.write('\n') + self.sign_esrp(out) + out.write('\n') out.write('%s: %s\n\n' % (self.name, dllfile)) + def sign_esrp(self, out): + global ESRP_SIGNx + print("esrp-sign", ESRP_SIGN) + if not ESRP_SIGN: + return + + import uuid + guid = str(uuid.uuid4()) + path = BUILD_DIR + assemblySignStr = """ +{ + "Version": "1.0.0", + "SignBatches" + : + [ + { + "SourceLocationType": "UNC", + "SourceRootDirectory": "c:\\ESRP\\input", + "DestinationLocationType": "UNC", + "DestinationRootDirectory": "c:\\ESRP\\output", + "SignRequestFiles": [ + { + "CustomerCorrelationId": "%s", + "SourceLocation": "%s\\libz3.dll", + "DestinationLocation": "%s\\libz3.dll" + }, + { + "CustomerCorrelationId": "%s", + "SourceLocation": "%s\\Microsoft.Z3.dll", + "DestinationLocation": "%s\\Microsoft.Z3.dll" + } + ], + "SigningInfo": { + "Operations": [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName": "Microsoft", + "OpusInfo": "http://www.microsoft.com", + "FileDigest": "/fd \"SHA256\"", + "PageHash": "/NPH", + "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + } + } + ] +} """ % (guid, path, path, guid, path, path) + assemblySign = os.path.join('dotnet', 'assembly-sign-input.json') + with open(os.path.join(BUILD_DIR, assemblySign), 'w') as ous: + ous.write(assemblySignStr) + outputFile = os.path.join(BUILD_DIR, 'dotnet', "output.json") + esrpCmdLine = ["esrpclient.exe", "sign", "-a", "C:\\esrp\\config\\authorization.json", "-p", "C:\\esrp\\config\\policy.json", "-i", assemblySign, "-o", outputFile] + MakeRuleCmd.write_cmd(out, ' '.join(esrpCmdLine)) + def 
main_component(self): return is_dotnet_core_enabled() @@ -1934,6 +2003,7 @@ class DotNetCoreDLLComponent(Component): # TBD: is this required for dotnet core given that version numbers are in z3.csproj file? return True + def mk_win_dist(self, build_path, dist_path): if is_dotnet_core_enabled(): mk_dir(os.path.join(dist_path, INSTALL_BIN_DIR)) diff --git a/scripts/mk_win_dist.py b/scripts/mk_win_dist.py index bd3cad18a..2a88c625c 100644 --- a/scripts/mk_win_dist.py +++ b/scripts/mk_win_dist.py @@ -26,6 +26,7 @@ DIST_DIR='dist' FORCE_MK=False DOTNET_ENABLED=True DOTNET_CORE_ENABLED=False +ESRP_SIGN=False DOTNET_KEY_FILE=None JAVA_ENABLED=True GIT_HASH=False @@ -65,6 +66,7 @@ def display_help(): print(" --nodotnet do not include .NET bindings in the binary distribution files.") print(" --dotnetcore build for dotnet core.") print(" --dotnet-key= sign the .NET assembly with the private key in .") + print(" --esrp sign with esrp.") print(" --nojava do not include Java bindings in the binary distribution files.") print(" --nopython do not include Python bindings in the binary distribution files.") print(" --githash include git hash in the Zip file.") @@ -74,7 +76,7 @@ def display_help(): # Parse configuration option for mk_make script def parse_options(): - global FORCE_MK, JAVA_ENABLED, GIT_HASH, DOTNET_ENABLED, DOTNET_CORE_ENABLED, DOTNET_KEY_FILE, PYTHON_ENABLED, X86ONLY, X64ONLY + global FORCE_MK, JAVA_ENABLED, GIT_HASH, DOTNET_ENABLED, DOTNET_CORE_ENABLED, DOTNET_KEY_FILE, PYTHON_ENABLED, X86ONLY, X64ONLY, ESRP_SIGN path = BUILD_DIR options, remainder = getopt.gnu_getopt(sys.argv[1:], 'b:hsf', ['build=', 'help', @@ -84,6 +86,7 @@ def parse_options(): 'nodotnet', 'dotnetcore', 'dotnet-key=', + 'esrp', 'githash', 'nopython', 'x86-only', @@ -109,6 +112,8 @@ def parse_options(): PYTHON_ENABLED = False elif opt == '--dotnet-key': DOTNET_KEY_FILE = arg + elif opt == '--esrp': + ESRP_SIGN = True elif opt == '--nojava': JAVA_ENABLED = False elif opt == '--githash': 
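Review bot: The request file written by `sign_esrp` is unlikely to be valid JSON. The template is a normal (non-raw) triple-quoted string, so `\\` reaches the file as a single backslash and `\"` as a bare quote, giving `c:\ESRP\input` and `"/fd "SHA256""`, and `BUILD_DIR` is interpolated unescaped. Building the request as a dict and writing it with `json.dump` leaves the escaping to the library; this needs `json` imported in mk_util.py if it is not already. In the same method, `global ESRP_SIGNx` names a variable that does not appear anywhere else in the visible hunks, and `print("esrp-sign", ESRP_SIGN)` looks like leftover debugging, so both can go. The `-i` argument is a path relative to the build directory while `-o` carries `BUILD_DIR`, which is worth making consistent.

```python
    def sign_esrp(self, out):
        if not ESRP_SIGN:
            return
        # … unchanged: uuid import, guid and path setup …

        def sign_request(name):
            location = "%s\\%s" % (path, name)
            return {
                "CustomerCorrelationId": guid,
                "SourceLocation": location,
                "DestinationLocation": location,
            }

        batch = {
            "SourceLocationType": "UNC",
            "SourceRootDirectory": "c:\\ESRP\\input",
            "DestinationLocationType": "UNC",
            "DestinationRootDirectory": "c:\\ESRP\\output",
            "SignRequestFiles": [
                sign_request("libz3.dll"),
                sign_request("Microsoft.Z3.dll"),
            ],
            # … SigningInfo: the same two operations, written as a nested dict …
        }
        assemblySign = os.path.join('dotnet', 'assembly-sign-input.json')
        with open(os.path.join(BUILD_DIR, assemblySign), 'w') as ous:
            # json.dump escapes backslashes and quotes in every value
            json.dump({"Version": "1.0.0", "SignBatches": [batch]}, ous, indent=2)
        # … unchanged: esrpclient.exe command line …
```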
@@ -142,6 +147,8 @@ def mk_build_dir(path, x64): opts.append('--java') if x64: opts.append('-x') + if ESRP_SIGN: + opts.append('--esrp') if GIT_HASH: opts.append('--githash=%s' % mk_util.git_hash()) opts.append('--git-describe') @@ -210,6 +217,7 @@ def get_z3_name(x64): return 'z3-%s.%s.%s-%s-win' % (major, minor, build, platform) def mk_dist_dir(x64): + global ESRP_SIGN if x64: platform = "x64" build_path = BUILD_X64_DIR @@ -218,6 +226,7 @@ def mk_dist_dir(x64): build_path = BUILD_X86_DIR dist_path = os.path.join(DIST_DIR, get_z3_name(x64)) mk_dir(dist_path) + mk_util.ESRP_SIGN = ESRP_SIGN if DOTNET_CORE_ENABLED: mk_util.DOTNET_CORE_ENABLED = True else:
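Review bot: Nothing visible in `mk_dist_dir` ties the packaged DLLs to the signed ones. The last hunk only forwards the flag with `mk_util.ESRP_SIGN = ESRP_SIGN`, while the signing request in mk_util.py sends its output to a separate `DestinationRootDirectory`. Unless a step outside these hunks copies the signed files back, the distribution would presumably be built from the unsigned `build_path` contents. A comment here such as `# ESRP: package only the signed DLLs; stop if the signing output is missing`, together with the matching check, would make the intent explicit. The `global ESRP_SIGN` added in the preceding hunk is unnecessary, since `mk_dist_dir` only reads the name; the function continues outside the hunk.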