From 180d9bc8df469fce926f2e12d1836bd33755faed Mon Sep 17 00:00:00 2001 From: Julien Wadel Date: Fri, 31 Mar 2023 15:27:07 +0200 Subject: [PATCH] Code signing by specifying hash. --- .gitlab-ci-files/job-windows-desktop.yml | 6 +++--- .../cmake_builder/linphone_package/CMakeLists.txt | 1 + .../cmake_builder/linphone_package/packaging.cmake.in | 4 ++-- linphone-app/tools/sign_package.bat | 8 ++++---- 4 files changed, 10 insertions(+), 9 deletions(-) diff --git a/.gitlab-ci-files/job-windows-desktop.yml b/.gitlab-ci-files/job-windows-desktop.yml index 220422726..8a48f5afe 100644 --- a/.gitlab-ci-files/job-windows-desktop.yml +++ b/.gitlab-ci-files/job-windows-desktop.yml @@ -10,7 +10,7 @@ - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $DOCKER_UPDATE == null && $SKIP_WINDOWS == null - if: $CI_PIPELINE_SOURCE == "schedule" && $DOCKER_UPDATE == null && $SKIP_WINDOWS == null variables: - CMAKE_OPTIONS: -DLINPHONE_WINDOWS_SIGN_TOOL=$WINDOWS_SIGN_TOOL -DLINPHONE_WINDOWS_SIGN_TIMESTAMP_URL=$WINDOWS_SIGN_TIMESTAMP_URL -DENABLE_G729=ON -DENABLE_PQCRYPTO=ON + CMAKE_OPTIONS: -DLINPHONE_WINDOWS_SIGN_TOOL=$WINDOWS_SIGN_TOOL -DLINPHONE_WINDOWS_SIGN_TIMESTAMP_URL=$WINDOWS_SIGN_TIMESTAMP_URL -DLINPHONE_WINDOWS_SIGN_HASH=$WINDOWS_SIGN_HASH -DENABLE_G729=ON -DENABLE_PQCRYPTO=ON LINPHONESDK_PLATFORM: Desktop OUTPUT_ZIP_FOLDER: win64 MINGW_TYPE: mingw64 @@ -100,7 +100,7 @@ .windows-vs2019-msvc: extends: .windows-vs2019 variables: - CMAKE_OPTIONS: -DENABLE_UNIT_TESTS=ON -DLINPHONE_WINDOWS_SIGN_TOOL=$WINDOWS_SIGN_TOOL -DLINPHONE_WINDOWS_SIGN_TIMESTAMP_URL=$WINDOWS_SIGN_TIMESTAMP_URL -DENABLE_G729=ON -DENABLE_PQCRYPTO=ON + CMAKE_OPTIONS: -DENABLE_UNIT_TESTS=ON -DLINPHONE_WINDOWS_SIGN_TOOL=$WINDOWS_SIGN_TOOL -DLINPHONE_WINDOWS_SIGN_TIMESTAMP_URL=$WINDOWS_SIGN_TIMESTAMP_URL -DLINPHONE_WINDOWS_SIGN_HASH=$WINDOWS_SIGN_HASH -DENABLE_G729=ON -DENABLE_PQCRYPTO=ON LINPHONESDK_PLATFORM: Desktop CMAKE_GENERATOR: "Visual Studio 16 2019" BUILD_TARGET: install 
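Review bot: `$WINDOWS_SIGN_HASH` is expanded unquoted into `CMAKE_OPTIONS` in the first hunk (and identically in the hunks at -100 and -156), and nothing on the page shows where the variable is defined or that it is set for every pipeline matching the rules above it. If it is empty, the build receives `-DLINPHONE_WINDOWS_SIGN_HASH=` and the problem only surfaces later, when the signing script runs. A comment beside the variables would document the contract, for example `# WINDOWS_SIGN_HASH: SHA-1 thumbprint of the code-signing certificate, passed to signtool /sha1`. The three option strings now repeat the same three signing flags, so a single shared variable for them would keep the jobs from drifting apart.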
@@ -156,7 +156,7 @@ vs2019-win64-package: - if: $PACKAGE_WINDOWS - if: $DEPLOY_WINDOWS variables: - CMAKE_OPTIONS: -DENABLE_APP_PACKAGING=YES -DLINPHONE_WINDOWS_SIGN_TOOL=$WINDOWS_SIGN_TOOL -DLINPHONE_WINDOWS_SIGN_TIMESTAMP_URL=$WINDOWS_SIGN_TIMESTAMP_URL -DENABLE_G729=ON -DLINPHONE_SDK_MAKE_RELEASE_FILE_URL=$MAKE_RELEASE_FILE_URL/$WINDOWS_PLATFORM/$APP_FOLDER -DENABLE_PQCRYPTO=ON + CMAKE_OPTIONS: -DENABLE_APP_PACKAGING=YES -DLINPHONE_WINDOWS_SIGN_TOOL=$WINDOWS_SIGN_TOOL -DLINPHONE_WINDOWS_SIGN_TIMESTAMP_URL=$WINDOWS_SIGN_TIMESTAMP_URL -DLINPHONE_WINDOWS_SIGN_HASH=$WINDOWS_SIGN_HASH -DENABLE_G729=ON -DLINPHONE_SDK_MAKE_RELEASE_FILE_URL=$MAKE_RELEASE_FILE_URL/$WINDOWS_PLATFORM/$APP_FOLDER -DENABLE_PQCRYPTO=ON ################################################# diff --git a/linphone-app/cmake_builder/linphone_package/CMakeLists.txt b/linphone-app/cmake_builder/linphone_package/CMakeLists.txt index 898459194..a2f6a88fd 100644 --- a/linphone-app/cmake_builder/linphone_package/CMakeLists.txt +++ b/linphone-app/cmake_builder/linphone_package/CMakeLists.txt @@ -440,6 +440,7 @@ if(${ENABLE_APP_PACKAGING}) if(LINPHONE_WINDOWS_SIGN_TOOL AND LINPHONE_WINDOWS_SIGN_TIMESTAMP_URL) find_program(SIGNTOOL ${LINPHONE_WINDOWS_SIGN_TOOL}) set(TIMESTAMP_URL ${LINPHONE_WINDOWS_SIGN_TIMESTAMP_URL}) + set(SIGN_HASH ${LINPHONE_WINDOWS_SIGN_HASH}) if (SIGNTOOL) set(SIGNTOOL_COMMAND ${SIGNTOOL}) message("Found requested signtool") diff --git a/linphone-app/cmake_builder/linphone_package/packaging.cmake.in b/linphone-app/cmake_builder/linphone_package/packaging.cmake.in index fa140bb9a..58fb129b7 100644 --- a/linphone-app/cmake_builder/linphone_package/packaging.cmake.in +++ b/linphone-app/cmake_builder/linphone_package/packaging.cmake.in 
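Review bot: The thumbprint is copied into `SIGN_HASH` without any check, and the enclosing `if(LINPHONE_WINDOWS_SIGN_TOOL AND LINPHONE_WINDOWS_SIGN_TIMESTAMP_URL)` does not require it. An unset or malformed `LINPHONE_WINDOWS_SIGN_HASH` is therefore only discovered when signtool runs at packaging time. Because the value ends up on a batch command line (see the packaging.cmake.in and sign_package.bat hunks), I would restrict it to hex digits at configure time: `if(LINPHONE_WINDOWS_SIGN_HASH AND NOT "${LINPHONE_WINDOWS_SIGN_HASH}" MATCHES "^[0-9A-Fa-f]+$")` followed by `message(FATAL_ERROR "LINPHONE_WINDOWS_SIGN_HASH must be a hex certificate thumbprint")`. Writing the assignment as `set(SIGN_HASH "${LINPHONE_WINDOWS_SIGN_HASH}")` also keeps a stray `;` or space from splitting the value. The block continues outside the hunk, so whether signing is disabled later when the hash is empty cannot be seen from here.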
@@ -71,12 +71,12 @@ if (NOT "${CMAKE_INSTALL_PREFIX}" MATCHES .*/_CPack_Packages/.*) if (@PERFORM_SIGNING@) if(@PASSPHRASE_FILE@) execute_process( - COMMAND "@CMAKE_CURRENT_SOURCE_DIR@/../../tools/sign_package.bat" "@PASSPHRASE_FILE@" "@SIGNTOOL_COMMAND@" "@PFX_FILE@" "@TIMESTAMP_URL@" @CPACK_PACKAGE_FILE_NAME@.@PACKAGE_EXT@ + COMMAND "@CMAKE_CURRENT_SOURCE_DIR@/../../tools/sign_package.bat" 1 "@PASSPHRASE_FILE@" "@SIGNTOOL_COMMAND@" "@PFX_FILE@" "@TIMESTAMP_URL@" @CPACK_PACKAGE_FILE_NAME@.@PACKAGE_EXT@ RESULT_VARIABLE SIGNING_RESULT WORKING_DIRECTORY "@CPACK_PACKAGE_DIRECTORY@" ) else() execute_process( - COMMAND "@CMAKE_CURRENT_SOURCE_DIR@/../../tools/sign_package.bat" "@SIGNTOOL_COMMAND@" "@TIMESTAMP_URL@" @CPACK_PACKAGE_FILE_NAME@.@PACKAGE_EXT@ + COMMAND "@CMAKE_CURRENT_SOURCE_DIR@/../../tools/sign_package.bat" 2 "@SIGNTOOL_COMMAND@" "@TIMESTAMP_URL@" @SIGN_HASH@ @CPACK_PACKAGE_FILE_NAME@.@PACKAGE_EXT@ RESULT_VARIABLE SIGNING_RESULT WORKING_DIRECTORY "@CPACK_PACKAGE_DIRECTORY@" ) endif() diff --git a/linphone-app/tools/sign_package.bat b/linphone-app/tools/sign_package.bat index b118a1f9f..c1ddbb626 100644 --- a/linphone-app/tools/sign_package.bat +++ b/linphone-app/tools/sign_package.bat @@ -1,10 +1,10 @@ @echo off -if [%5]==[] goto simple -set /p passphrase=<%1 -%2 sign /f %3 /fd SHA256 /p %passphrase% /t %4 %5 +if [%1]==[2] goto simple +set /p passphrase=<%2 +%3 sign /f %4 /fd SHA256 /p %passphrase% /t %5 %6 goto :eof :simple -%1 sign /fd SHA256 /t %2 %3 +%2 sign /fd SHA256 /t %3 /sha1 %4 %5 :eof
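Review bot: `@SIGN_HASH@` in the mode-2 command is written without quotes, unlike the tool path and timestamp URL beside it. When the value is empty the argument disappears altogether, and sign_package.bat then receives the package file name as `%4` and hands it to `/sha1`. Use `"@SIGN_HASH@"`, and preferably skip this `execute_process` with a clear message when no thumbprint was configured. The bare `1` and `2` selectors also deserve a comment, for example `# sign_package.bat mode: 1 = PFX file + passphrase file, 2 = certificate selected by thumbprint`. The handling of `SIGNING_RESULT` lies outside the hunk, so I cannot tell whether a failed signature stops the packaging step.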
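Review bot: The rewritten `:simple` line still timestamps with `/t`, signtool's legacy Authenticode timestamp option, even though the file digest is SHA256. If the configured timestamp server supports RFC 3161, I would change it to `%2 sign /fd SHA256 /tr %3 /td SHA256 /sha1 %4 %5`, and make the same change on the PFX line. The script also never checks its argument count, and any first argument other than `2` falls through to the PFX branch. A missing thumbprint or a wrong selector therefore produces a confusing signtool error rather than a usage message; a guard such as `if [%5]==[] exit /b 1` at the top of `:simple` would catch the first case. A short header comment listing the two modes and their positional arguments would make the renumbered `%N` references easier to audit.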