2.4 KiB
building signed updates
-
run
build\download_externals.cmd build\auto\build_openmpt_args.cmd vs2019 win10 Win32 Release 7z default build\auto\build_openmpt_args.cmd vs2019 win10 x64 Release 7z default build\auto\build_openmpt_args.cmd vs2019 win10 ARM Release 7z default build\auto\build_openmpt_args.cmd vs2019 win10 ARM64 Release 7z default build\auto\build_openmpt_args.cmd vs2019 win7 Win32 Release 7z default build\auto\build_openmpt_args.cmd vs2019 win7 x64 Release 7z default build\auto\build_openmpt_release_packages_multiarch.cmd build\auto\build_openmpt_update_information.cmd build\auto\package_openmpt_installer_multiarch_args.cmd vs2019 win10 Win32 Release 7z default
or just
build\auto\build_openmpt_release_manual.cmd
, which does all of the above in one go. -
results are found in
bin\openmpt-pkg.win-multi.tar
-
openmpt/pkg.win/${BRANCHVERSION}/OpenMPT-${VERSION}-update.json
contains the update information that needs to be copied verbatim to the respective update channel on update.openmpt.org. This file is not signed as it itself is considered only informational and may be augmented with additional information. The files it links that contain actual code and automated update instructions are all signed. -
If the current user did not yet have a signing key on the local computer, a new key will be automatically generated and stored for future re-use in the encrypted Windows Key Store. The public key to verify the signatures is exported on each packaging of builds alongside the other build artefacts at
openmpt/pkg.win/${BRANCHVERSION}/OpenMPT-${VERSION}-update-publickey.jwk.json
. Any such new key should be added to the set of allowed update signing keys in the repository atbuild/signingkeys/
, as an individual file named appropriately to describe the key (in order to easier identify the individual keys), and as a key in the jwkset of allowed keys in the filebuild/signingkeys/signingkeys.jwkset.json
. A jwkset file consists of a JSON object containing a single array of all individual keys, named"keys"
. The updatedsigningkeys.jwkset.json
then needs to be copied to the https locations where the update check checks for the anchor keys. There is no separate key handling for test and release builds.