k4rli/winamp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
20d28e80a5c861a9d5f449ea911ab75b4f37ad0d
winamp/Src/external_dependencies/openmpt-trunk/doc/signing_releases.md
Jef 20d28e80a5 Initial community commit
2024-09-24 14:54:57 +02:00

44 lines
2.4 KiB
Markdown
Raw Blame History

building signed updates
=======================
* run
```
build\download_externals.cmd
build\auto\build_openmpt_args.cmd vs2019 win10 Win32 Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win10 x64 Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win10 ARM Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win10 ARM64 Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win7 Win32 Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win7 x64 Release 7z default
build\auto\build_openmpt_release_packages_multiarch.cmd
build\auto\build_openmpt_update_information.cmd
build\auto\package_openmpt_installer_multiarch_args.cmd vs2019 win10 Win32 Release 7z default
```
or just `build\auto\build_openmpt_release_manual.cmd`, which does all of the
above in one go.
* results are found in `bin\openmpt-pkg.win-multi.tar`
* `openmpt/pkg.win/${BRANCHVERSION}/OpenMPT-${VERSION}-update.json` contains
the update information that needs to be copied verbatim to the respective
update channel on update.openmpt.org. This file is not signed as it itself
is considered only informational and may be augmented with additional
information. The files it links that contain actual code and automated
update instructions are all signed.
* If the current user did not yet have a signing key on the local computer, a
new key will be automatically generated and stored for future re-use in the
encrypted Windows Key Store. The public key to verify the signatures is
exported on each packaging of builds alongside the other build artefacts at
`openmpt/pkg.win/${BRANCHVERSION}/OpenMPT-${VERSION}-update-publickey.jwk.json`
. Any such new key should be added to the set of allowed update signing keys
in the repository at `build/signingkeys/`, as an individual file named
appropriately to describe the key (in order to easier identify the
individual keys), and as a key in the jwkset of allowed keys in the file
`build/signingkeys/signingkeys.jwkset.json`. A jwkset file consists of a
JSON object containing a single array of all individual keys, named `"keys"`
. The updated `signingkeys.jwkset.json` then needs to be copied to the https
locations where the update check checks for the anchor keys. There is no
separate key handling for test and release builds.
Reference in New Issue View Git Blame Copy Permalink