Windows licensing means we can’t just simply provide a build vm via vagrant as we’ve done for linux. So there’s more hoops to jump through here, but it’s as automated as possible.

Build Machine

You need a Windows machine or VM. Then checkout the grr source and run this script, note that the 64bit python should go in C:\Python27 and 32bit in C:\Python27_32:

vagrant/windows/install_for_build.bat

Now you need to make sdists from the GRR source (which requires a protobuf compiler) and get them to the windows build machines. We do this on linux with this script (note you’ll need to use a different cloud storage bucket name):

scripts/make_sdist_for_templates.sh

and then we download and build everything on windows with this:

vagrant/windows/build_windows_templates.bat

Download the built templates and components from cloud storage to your linux vm for repacking. Put them under grr/executables/windows/templates.

Setting Up For Windows EXE Signing

To make automation easier we now sign the windows installer executable on linux using osslsigncode. To set up for signing, install osslsigncode:

sudo apt-get install libcurl4-openssl-dev
wget http://downloads.sourceforge.net/project/osslsigncode/osslsigncode/osslsigncode-1.7.1.tar.gz
tar zxvf osslsigncode-1.7.1.tar.gz
cd osslsigncode-1.7.1/
./configure
make
sudo make install

Get your signing key into the .pvk and .spc format, example commands below (will vary based on who you buy the signing cert from):

openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
cat Thawte_Primary_Root_CA_Cross.cer >> cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
shred -u key.pem

Link to wherever your key lives. This allows you to keep it on removable media and have different people use different keys with the same grr config.

sudo ln -s /path/to/authenticode.pvk /etc/alternatives/grr_windows_signing_key
sudo ln -s /path/to/authenticode.spc /etc/alternatives/grr_windows_signing_cert