Creating release build of Omaha


Dmitry A. Shashkin

Nov 21, 2014, 8:30:47 AM
to omaha-...@googlegroups.com
Hello,

I'm looking for a correct way to drop my customized Omaha client into production, but the docs only describe how to make a dev build.

At this moment I figured out two things I need to do:
  1. Make an opt-win build (obviously) by running hammer --mode=opt-win
  2. Tell the Omaha client that it is being built on a build server by passing --build_server to hammer
    (This is required at least for being able to send crash dumps to the server, probably somewhere else)
Unfortunately, when trying to build Omaha by calling hammer --mode=opt-win --build_server, the build fails for the following reason:

scons: *** [scons-out\opt-win\obj\installers\payload.tar] Source `scons-out\opt-win\staging\{OmahaCompanyName}Update.exe' not found, needed by target `scons-out\opt-win\obj\installers\payload.tar'.

I compared the resulting build log with the one generated from hammer --mode=opt-win (without --build_server) and found that the usual build log has the following lines:

"C:\Program Files\Microsoft SDKs\Windows\v6.1\bin/signtool.exe" sign /f "C:\work\omaha/data/OmahaTestCert.pfx" /p "test" /t "http://timestamp.verisign.com/scripts/timestamp.dll" "scons-out\opt-win\obj\google_update\{OmahaCompanyName}Update_signed.exe"
Done Adding Additional Store
Successfully signed and timestamped: scons-out\opt-win\obj\google_update\{OmahaCompanyName}Update_signed.exe

Install file: "scons-out\opt-win\obj\google_update\{OmahaCompanyName}Update_signed.exe" as "scons-out\opt-win\staging\{OmahaCompanyName}Update.exe" 

while the "build_server" log has no such lines.

I assume that signing executables with the test certificate is disabled when building with --build_server, but how can I get my {OmahaCompanyName}Update.exe in the staging directory then?
What am I missing?

Also, do I need anything else to go to production? Do I need to use my own certificates? How can I pass them to hammer?

Thanks in advance.
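
A release-gate check built on the log lines quoted in the message above, as an added example that is not part of the original post or of the Omaha project: it reads a hammer/scons build log and reports binaries installed into staging without a preceding successful signtool run, binaries signed with the test certificate, and signing passwords exposed in the log. The function names and the `unsigned_helper.dll` line are constructed for illustration.

```python
import re

# Constructed sample: the first three lines follow the log quoted in the post;
# the last line (unsigned_helper.dll) is a made-up file added to show a miss.
SAMPLE_LOG = r'''
"C:\Program Files\Microsoft SDKs\Windows\v6.1\bin/signtool.exe" sign /f "C:\work\omaha/data/OmahaTestCert.pfx" /p "test" /t "http://timestamp.verisign.com/scripts/timestamp.dll" "scons-out\opt-win\obj\google_update\{OmahaCompanyName}Update_signed.exe"
Successfully signed and timestamped: scons-out\opt-win\obj\google_update\{OmahaCompanyName}Update_signed.exe
Install file: "scons-out\opt-win\obj\google_update\{OmahaCompanyName}Update_signed.exe" as "scons-out\opt-win\staging\{OmahaCompanyName}Update.exe"
Install file: "scons-out\opt-win\obj\goopdate\unsigned_helper.dll" as "scons-out\opt-win\staging\unsigned_helper.dll"
'''

SIGN_RE = re.compile(r'signtool\.exe"?\s+sign\s+(.*)$', re.I)
OK_RE = re.compile(r'Successfully signed and timestamped:\s*(.+)$')
INSTALL_RE = re.compile(r'Install file:\s*"([^"]+)"\s+as\s+"([^"]+)"')

def norm(path):
    # Windows paths: compare case-insensitively with one separator style.
    return path.strip().replace("/", "\\").lower()

def audit_build_log(text, test_cert="OmahaTestCert.pfx"):
    """Return (kind, path) findings for binaries installed into staging."""
    cert_for, confirmed, findings = {}, set(), []
    for line in map(str.strip, text.splitlines()):
        if m := SIGN_RE.search(line):
            quoted = re.findall(r'"([^"]+)"', m.group(1))
            if not quoted:
                continue
            target = quoted[-1]            # signtool takes the file last
            pfx = re.search(r'/f\s+"([^"]+)"', m.group(1))
            cert_for[norm(target)] = norm(pfx.group(1)) if pfx else ""
            if re.search(r'/p\s+"', m.group(1)):
                findings.append(("password-in-log", target))
        elif m := OK_RE.match(line):
            confirmed.add(norm(m.group(1)))
        elif m := INSTALL_RE.match(line):
            src, dst = m.groups()
            d = norm(dst)
            if "\\staging\\" not in d or not d.endswith((".exe", ".dll")):
                continue
            if norm(src) not in confirmed:
                findings.append(("unsigned", dst))
            elif cert_for.get(norm(src), "").endswith(test_cert.lower()):
                findings.append(("test-cert", dst))
    return findings

if __name__ == "__main__":
    for kind, path in audit_build_log(SAMPLE_LOG):
        print(f"{kind:16} {path}")
```
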

Sorin Jianu

Nov 21, 2014, 11:35:22 AM
to omaha-...@googlegroups.com
Does the opt build succeed with --mode=opt-win but without passing in the --build_server argument?


Dmitry A. Shashkin

Nov 22, 2014, 2:39:46 AM
to omaha-...@googlegroups.com, so...@chromium.org
Yes, hammer --mode=opt-win build succeeds.
But I doubt it affects anything related to --build_server.

Dmitry A. Shashkin

Nov 26, 2014, 6:19:05 AM
to omaha-...@googlegroups.com, so...@chromium.org
Hi Sorin,

I found the reason for this problem inside the google_update/build.scons file.
As said in the top comment, for official builds it copies the "saved constant shell" to the output directory instead of copying the shell it just built.
The "saved constant shell" for the opt-win build is google_update/bin/opt/GoogleUpdate.exe. But when I applied customization I renamed it in the code to {OmahaCompanyName}Update.exe, so the script cannot find it.
After renaming the "saved constant shell" file to {OmahaCompanyName}Update.exe, that build error is gone.

However, as said in google_update/bin/Readme.txt, this shell can only be used with goopdate.dll files that have been signed with the real certificate.
And here is the problem with the customized Omaha: it doesn't have goopdate.dll because it was renamed as a part of customization.

So here are the questions that I have now:
  1. I think that the correct way to handle this is to create my own "saved constant shell", so what do I need to do that? Can it be built with hammer or should I build it separately? Do I need to sign it manually?
  2. What certificate do I need to use for this? I assume I need to have my own certificate, am I right? Do I need to use it for both the constant shell and my custom dll? (sorry if these are dumb questions, I'm just not familiar with all this certificate-related stuff)
  3. When building non-customized version of Omaha with --build_server, it fails later on with

    scons: *** [scons-out\opt-win\clickonce_deployment\clickonce_bootstrap.exe.manifest] Error 1
    This certificate cannot be used for signing - "cafd39335d6e76f0e26d81296e7cbbfbdf16a720"

    I suppose it's because I don't have Google's real certificate, so how can I make it sign binaries with my own certificate? It looks like the certificate-related --authenticode_file and --authenticode_password switches are ignored when using --build_server. I see there is a _BUILD_SERVER_CERTIFICATE_HASH constant in main.scons (its value is in the error message above) but I cannot find anything indicating the certificate file itself.
Could you please help me with that?

Thanks.

Dmitry A. Shashkin

Dec 9, 2014, 5:23:22 AM
to omaha-...@googlegroups.com, so...@chromium.org
Here is one possible solution I have in mind:
  1. Update build scripts to not ignore --authenticode_file and --authenticode_password switches when --build_server is set.
  2. Do not use the saved constant shell at all but always use the built one instead.
In this case the built version of my customized Omaha will be marked as OFFICIAL_BUILD and also can use my own certificate for all its components.
Why is the original Omaha using the saved constant shell? Are there any advantages? Or will there be any problems with using the built shell instead?