random-mirrors
/
winamp
mirror of https://github.com/WinampDesktop/winamp.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
winamp/Src/external_dependencies/openmpt-trunk/doc/signing_releases.md

2.4 KiB
Raw Blame History

building signed updates

  • run

    build\download_externals.cmd
build\auto\build_openmpt_args.cmd vs2019 win10 Win32 Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win10 x64   Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win10 ARM   Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win10 ARM64 Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win7  Win32 Release 7z default
build\auto\build_openmpt_args.cmd vs2019 win7  x64   Release 7z default
build\auto\build_openmpt_release_packages_multiarch.cmd
build\auto\build_openmpt_update_information.cmd
build\auto\package_openmpt_installer_multiarch_args.cmd vs2019 win10 Win32 Release 7z default

    or just build\auto\build_openmpt_release_manual.cmd, which does all of the above in one go.

  • results are found in bin\openmpt-pkg.win-multi.tar

  • openmpt/pkg.win/${BRANCHVERSION}/OpenMPT-${VERSION}-update.json contains the update information that needs to be copied verbatim to the respective update channel on update.openmpt.org. This file is not signed as it itself is considered only informational and may be augmented with additional information. The files it links that contain actual code and automated update instructions are all signed.

  • If the current user did not yet have a signing key on the local computer, a new key will be automatically generated and stored for future re-use in the encrypted Windows Key Store. The public key to verify the signatures is exported on each packaging of builds alongside the other build artefacts at openmpt/pkg.win/${BRANCHVERSION}/OpenMPT-${VERSION}-update-publickey.jwk.json . Any such new key should be added to the set of allowed update signing keys in the repository at build/signingkeys/, as an individual file named appropriately to describe the key (in order to easier identify the individual keys), and as a key in the jwkset of allowed keys in the file build/signingkeys/signingkeys.jwkset.json. A jwkset file consists of a JSON object containing a single array of all individual keys, named "keys" . The updated signingkeys.jwkset.json then needs to be copied to the https locations where the update check checks for the anchor keys. There is no separate key handling for test and release builds.