Enable signing Windows builds with SHA1 environment variable (GH-11279)

miss-islington · zooba · web-flow · commit dd3b04ea8ce2 · 2018-12-21T14:04:18.000-08:00
(cherry picked from commit d3bbc52) Co-authored-by: Steve Dower <steve.dower@microsoft.com>
diff --git a/PCbuild/pyproject.props b/PCbuild/pyproject.props
@@ -185,10 +185,11 @@ public override bool Execute() {
     <SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot)\bin\x86</SdkBinPath>
     <SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A@InstallationFolder)\Bin\</SdkBinPath>
     <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /q /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
+    <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /q /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
     <_MakeCatCommand Condition="Exists($(SdkBinPath))">"$(SdkBinPath)\makecat.exe"</_MakeCatCommand>
   </PropertyGroup>
-  
-  <Target Name="_SignBuild" AfterTargets="AfterBuild" Condition="'$(SigningCertificate)' != '' and $(SupportSigning)">
+
+  <Target Name="_SignBuild" AfterTargets="AfterBuild" Condition="'$(_SignCommand)' != '' and $(SupportSigning)">
     <Error Text="Unable to locate signtool.exe. Set /p:SignToolPath and rebuild" Condition="'$(_SignCommand)' == ''" />
     <Exec Command='$(_SignCommand) "$(TargetPath)" || $(_SignCommand) "$(TargetPath)" || $(_SignCommand) "$(TargetPath)"' ContinueOnError="false" />
   </Target>
diff --git a/Tools/msi/sdktools.psm1 b/Tools/msi/sdktools.psm1
@@ -21,6 +21,9 @@ function Sign-File {
             $description = "Python";
         }
     }
+    if (-not $certsha1) {
+        $certsha1 = $env:SigningCertificateSha1;
+    }
     if (-not $certname) {
         $certname = $env:SigningCertificate;
     }
@@ -32,7 +35,7 @@ function Sign-File {
         if ($certsha1) {
             SignTool sign /sha1 $certsha1 /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
         } elseif ($certname) {
-            SignTool sign /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
+            SignTool sign /a /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
         } elseif ($certfile) {
             SignTool sign /f $certfile /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
         } else {

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,9 @@ function Sign-File {`
`21`	`21`	`$description = "Python";`
`22`	`22`	`}`
`23`	`23`	`}`
	`24`	`+ if (-not $certsha1) {`
	`25`	`+ $certsha1 = $env:SigningCertificateSha1;`
	`26`	`+ }`
`24`	`27`	`if (-not $certname) {`
`25`	`28`	`$certname = $env:SigningCertificate;`
`26`	`29`	`}`
`@@ -32,7 +35,7 @@ function Sign-File {`
`32`	`35`	`if ($certsha1) {`
`33`	`36`	`SignTool sign /sha1 $certsha1 /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a`
`34`	`37`	`} elseif ($certname) {`
`35`		`- SignTool sign /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a`
	`38`	`+ SignTool sign /a /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a`
`36`	`39`	`} elseif ($certfile) {`
`37`	`40`	`SignTool sign /f $certfile /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a`
`38`	`41`	`} else {`