From da0f9717be586f0c940a817505303d8bfc8953c2 Mon Sep 17 00:00:00 2001 From: Angus Gratton Date: Mon, 1 Oct 2018 16:22:07 +1000 Subject: [PATCH] Sign IDF Tools installer with 'osslsigncode', update to V1.2 Uninstaller is still unsigned, as currently building and signing in 'wine' and running Linux osslsigncode inside Inno Setup inside wine is awkward. Closes https://github.com/espressif/esp-idf/issues/1909 TW20810 --- .gitignore | 1 + docs/en/get-started-cmake/windows-setup.rst | 2 +- tools/windows/tool_setup/build_installer.sh | 67 +++++++++++++++------ tools/windows/tool_setup/idf_tool_setup.iss | 2 +- 4 files changed, 53 insertions(+), 19 deletions(-) diff --git a/.gitignore b/.gitignore index 3124eb003a..6982d5fc00 100644 --- a/.gitignore +++ b/.gitignore @@ -61,6 +61,7 @@ coverage_report/ tools/windows/tool_setup/.* tools/windows/tool_setup/input tools/windows/tool_setup/dl +tools/windows/tool_setup/keys tools/windows/tool_setup/Output test_multi_heap_host diff --git a/docs/en/get-started-cmake/windows-setup.rst b/docs/en/get-started-cmake/windows-setup.rst index c7393c8b91..ab1db32dbc 100644 --- a/docs/en/get-started-cmake/windows-setup.rst +++ b/docs/en/get-started-cmake/windows-setup.rst @@ -22,7 +22,7 @@ ESP-IDF Tools Installer The easiest way to install ESP-IDF's prerequisites is to download the ESP-IDF Tools installer from this URL: -https://dl.espressif.com/dl/esp-idf-tools-setup-1.1.exe +https://dl.espressif.com/dl/esp-idf-tools-setup-1.2.exe The installer will automatically install the ESP32 Xtensa gcc toolchain, Ninja_ build tool, and a configuration tool called mconf-idf_. The installer can also download and run installers for CMake_ and Python_ 2.7 if these are not already installed on the computer. diff --git a/tools/windows/tool_setup/build_installer.sh b/tools/windows/tool_setup/build_installer.sh index 3673d6a245..270fa8efd9 100755 --- a/tools/windows/tool_setup/build_installer.sh +++ b/tools/windows/tool_setup/build_installer.sh 
@@ -10,25 +10,58 @@ # - Runs ISCC under wine to compile the installer itself set -e -mkdir -p dl input +if [ -z "${KEYPASSWORD}" ]; then + echo "KEYPASSWORD should be set" + exit 1 +fi -cd `dirname $0` -pushd dl -wget --continue "https://dl.espressif.com/dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip" -wget --continue "https://github.com/espressif/binutils-esp32ulp/releases/download/v2.28.51-esp32ulp-20180809/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip" -wget --continue "https://github.com/espressif/openocd-esp32/releases/download/v0.10.0-esp32-20180920/openocd-esp32-win32-0.10.0-esp32-20180920.zip" -wget --continue "https://github.com/espressif/kconfig-frontends/releases/download/v4.6.0.0-idf-20180525/mconf-v4.6.0.0-idf-20180525-win32.zip" -wget --continue "https://github.com/ninja-build/ninja/releases/download/v1.8.2/ninja-win.zip" -popd +if [ "$1" != "--no-download" ]; then -rm -rf input/* -pushd input -unzip ../dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip -unzip ../dl/mconf-v4.6.0.0-idf-20180525-win32.zip -unzip ../dl/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip -unzip ../dl/openocd-esp32-win32-0.10.0-esp32-20180920.zip -unzip ../dl/ninja-win.zip -popd + mkdir -p dl input + + cd `dirname $0` + pushd dl + wget --continue "https://dl.espressif.com/dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip" + wget --continue "https://github.com/espressif/binutils-esp32ulp/releases/download/v2.28.51-esp32ulp-20180809/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip" + wget --continue "https://github.com/espressif/openocd-esp32/releases/download/v0.10.0-esp32-20180920/openocd-esp32-win32-0.10.0-esp32-20180920.zip" + wget --continue "https://github.com/espressif/kconfig-frontends/releases/download/v4.6.0.0-idf-20180525/mconf-v4.6.0.0-idf-20180525-win32.zip" + wget --continue "https://github.com/ninja-build/ninja/releases/download/v1.8.2/ninja-win.zip" + popd + + rm -rf input/* + pushd input + unzip 
../dl/xtensa-esp32-elf-win32-1.22.0-80-g6c4433a-5.2.0.zip + unzip ../dl/mconf-v4.6.0.0-idf-20180525-win32.zip + unzip ../dl/binutils-esp32ulp-win32-2.28.51-esp32ulp-20180809.zip + unzip ../dl/openocd-esp32-win32-0.10.0-esp32-20180920.zip + unzip ../dl/ninja-win.zip + popd +fi wine "C:\Program Files\Inno Setup 5\ISCC.exe" "`winepath -w ./idf_tool_setup.iss`" +# sign the installer with osslsigncode, parsing the version number out of the +# installer config + +VERSION=`grep "^AppVersion=" idf_tool_setup.iss | cut -d'=' -f2` + +echo "Signing installer..." + +# Note: The cert chain passed to -certs needs to contain the intermediate +# cert(s) as well, appended after the code signing cert, or Windows may see +# it as "Unknown Publisher" +# +# See https://stackoverflow.com/a/52637050 for full details +# +umask 770 # for the process substitution FIFO + +osslsigncode -certs ./keys/certchain.pem -key ./keys/key.pem \ + -readpass <(echo "$KEYPASSWORD") \ + -in Output/esp-idf-tools-setup-unsigned.exe \ + -out Output/esp-idf-tools-setup-${VERSION}.exe \ + -h sha256 \ + -n "Espressif Systems (Shanghai) Pte. Ltd." \ + -i "https://www.espressif.com/" \ + -ts http://timestamp.digicert.com + +chmod 644 Output/esp-idf-tools-setup-${VERSION}.exe # make up for the umask diff --git a/tools/windows/tool_setup/idf_tool_setup.iss b/tools/windows/tool_setup/idf_tool_setup.iss index a98bd40341..5ca48ab477 100644 --- a/tools/windows/tool_setup/idf_tool_setup.iss +++ b/tools/windows/tool_setup/idf_tool_setup.iss @@ -2,8 +2,8 @@ [Setup] AppName=ESP-IDF Tools -OutputBaseFilename=esp-idf-tools-setup-1.1 AppVersion=1.2 +OutputBaseFilename=esp-idf-tools-setup-unsigned DefaultDirName={pf}\Espressif\ESP-IDF Tools DefaultGroupName=ESP-IDF Tools
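Review bot: In the build_installer.sh hunk, `umask 770` does the opposite of what its comment intends: it clears every owner and group permission bit and leaves only the "other" bits, so a named FIFO backing `<(echo "$KEYPASSWORD")` (on systems where bash has no /dev/fd) and the signed .exe would be created unusable by the owner and open to other local users, which is presumably why the trailing `chmod 644` is needed. The owner-only mask is `umask 077`, and scoping it to the signing step, e.g. `( umask 077; osslsigncode ... )`, keeps it from affecting anything added later. Separately, the `cd` into the script directory now sits inside the `--no-download` check, so with that flag `./keys/key.pem`, `idf_tool_setup.iss` and `Output/` resolve against the caller's working directory; moving `cd "$(dirname "$0")"` above the `if` avoids signing with whatever `keys/` happens to be there. Because the output now carries the vendor signature, it would also be worth checking each downloaded archive against a pinned SHA-256 before `unzip`, since `wget --continue` reuses whatever is already in `dl/`.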