build: make code signing method configurable

Existing code signing was hard-coded to use a locally installed
certificate (hardware security dongles included). However, signtool.exe
is extensible to allow any kind of digest signing plugin with /dlib and
/dmdf switches. This is used for cloud-based code signing (e.g.
Microsoft Trusted Signing).

Signed-off-by: Simon Rozman <[email protected]>

Author: rozmansi

build.bat

@@ -47,10 +47,10 @@ if exist .deps\prepared goto :render
 
 :sign
 	if exist .\sign.bat call .\sign.bat
-	if "%SigningCertificate%"=="" goto :success
+	if "%SigningProvider%"=="" goto :success
 	if "%TimestampServer%"=="" goto :success
 	echo [+] Signing
-	signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d WireGuard x86\wireguard.exe x86\wg.exe amd64\wireguard.exe amd64\wg.exe arm64\wireguard.exe arm64\wg.exe || goto :error
+	signtool sign %SigningProvider% /fd sha256 /tr "%TimestampServer%" /td sha256 /d WireGuard x86\wireguard.exe x86\wg.exe amd64\wireguard.exe amd64\wg.exe arm64\wireguard.exe arm64\wg.exe || goto :error
 
 :success
 	echo [+] Success. Launch wireguard.exe.

docs/buildrun.md

@@ -60,7 +60,7 @@ C:\Projects\wireguard-windows\installer> build
 Add a file called `sign.bat` in the root of this repository with these contents, or similar:
 
 ```text
-set SigningCertificate=8BC932FDFF15B892E8364C49B383210810E4709D
+set SigningProvider=/sha1 8BC932FDFF15B892E8364C49B383210810E4709D
 set TimestampServer=http://timestamp.entrust.net/rfc3161ts2
 ```
 

embeddable-dll-service/build.bat

@@ -25,10 +25,10 @@ if exist ..\.deps\prepared goto :build
 
 :sign
 	if exist ..\sign.bat call ..\sign.bat
-	if "%SigningCertificate%"=="" goto :success
+	if "%SigningProvider%"=="" goto :success
 	if "%TimestampServer%"=="" goto :success
 	echo [+] Signing
-	signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Tunnel" x86\tunnel.dll amd64\tunnel.dll arm64\tunnel.dll || goto :error
+	signtool sign %SigningProvider% /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Tunnel" x86\tunnel.dll amd64\tunnel.dll arm64\tunnel.dll || goto :error
 
 :success
 	echo [+] Success

installer/build.bat

@@ -40,10 +40,10 @@ if exist .deps\prepared goto :build
 	call :msi x86 i686 x86 || goto :error
 	call :msi amd64 x86_64 x64 || goto :error
 	call :msi arm64 aarch64 arm64 || goto :error
-	if "%SigningCertificate%"=="" goto :success
+	if "%SigningProvider%"=="" goto :success
 	if "%TimestampServer%"=="" goto :success
 	echo [+] Signing
-	signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup" "dist\wireguard-*-%WIREGUARD_VERSION%.msi" || goto :error
+	signtool sign %SigningProvider% /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup" "dist\wireguard-*-%WIREGUARD_VERSION%.msi" || goto :error
 
 :success
 	echo [+] Success.
@@ -61,10 +61,10 @@ if exist .deps\prepared goto :build
 	if not exist "%~1" mkdir "%~1"
 	echo [+] Compiling %1
 	%CC% %CFLAGS% %LDFLAGS% -o "%~1\customactions.dll" customactions.c %LDLIBS% || exit /b 1
-	if "%SigningCertificate%"=="" goto :skipsign
+	if "%SigningProvider%"=="" goto :skipsign
 	if "%TimestampServer%"=="" goto :skipsign
 	echo [+] Signing %1
-	signtool sign /sha1 "%SigningCertificate%" /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup Custom Actions" "%~1\customactions.dll" || exit /b 1
+	signtool sign %SigningProvider% /fd sha256 /tr "%TimestampServer%" /td sha256 /d "WireGuard Setup Custom Actions" "%~1\customactions.dll" || exit /b 1
 :skipsign
 	"%WIX%bin\candle" %WIX_CANDLE_FLAGS% -dWIREGUARD_PLATFORM="%~1" -out "%~1\wireguard.wixobj" -arch %3 wireguard.wxs || exit /b %errorlevel%
 	echo [+] Linking %1