speedo: Now build for W32 with ntbtls support.
[gnupg.git] / build-aux / speedo.mk
index 63d508d..c799863 100644 (file)
@@ -52,16 +52,19 @@ SPEEDO_MK := $(realpath $(lastword $(MAKEFILE_LIST)))
 help:
        @echo 'usage: make -f speedo.mk TARGET'
        @echo '       with TARGET being one of:'
-       @echo '  help           This help'
-       @echo '  native         Native build of the GnuPG core'
-       @echo '  native-gui     Ditto but with pinentry and GPA'
-       @echo '  w32-installer  Build a Windows installer'
-       @echo '  w32-source     Pack a source archive'
+       @echo '  help               This help'
+       @echo '  native             Native build of the GnuPG core'
+       @echo '  native-gui         Ditto but with pinentry and GPA'
+       @echo '  w32-installer      Build a Windows installer'
+       @echo '  w32-source         Pack a source archive'
+       @echo '  w32-release        Build a Windows release'
+       @echo '  w32-sign-installer Sign the installer'
        @echo
-       @echo 'You may append INSTALL_REFIX=<dir> for native builds.'
+       @echo 'You may append INSTALL_PREFIX=<dir> for native builds.'
        @echo 'Prepend TARGET with "git-" to build from GIT repos.'
        @echo 'Prepend TARGET with "this-" to build from the source tarball.'
-
+       @echo 'Use SELFCHECK=0 for a non-released version.'
+       @echo 'Use CUSTOM_SWDB=1 for an already downloaded swdb.lst.'
 
 SPEEDOMAKE := $(MAKE) -f $(SPEEDO_MK) UPD_SWDB=1
 
@@ -84,22 +87,37 @@ this-native-gui: check-tools
        $(SPEEDOMAKE) TARGETOS=native WHAT=this    WITH_GUI=1 all
 
 w32-installer: check-tools
-       $(SPEEDOMAKE) TARGETOS=w32    WHAT=release WITH_GUI=1 installer
+       $(SPEEDOMAKE) TARGETOS=w32    WHAT=release WITH_GUI=0 installer
 
 git-w32-installer: check-tools
-       $(SPEEDOMAKE) TARGETOS=w32    WHAT=git     WITH_GUI=1 installer
+       $(SPEEDOMAKE) TARGETOS=w32    WHAT=git     WITH_GUI=0 installer
 
 this-w32-installer: check-tools
-       $(SPEEDOMAKE) TARGETOS=w32    WHAT=this    WITH_GUI=1 installer
+       $(SPEEDOMAKE) TARGETOS=w32    WHAT=this    WITH_GUI=0 \
+                                                  CUSTOM_SWDB=1 installer
 
 w32-source: check-tools
-       $(SPEEDOMAKE) TARGETOS=w32    WHAT=release WITH_GUI=1 dist-source
+       $(SPEEDOMAKE) TARGETOS=w32    WHAT=release WITH_GUI=0 dist-source
 
 git-w32-source: check-tools
-       $(SPEEDOMAKE) TARGETOS=w32    WHAT=git     WITH_GUI=1 dist-source
+       $(SPEEDOMAKE) TARGETOS=w32    WHAT=git     WITH_GUI=0 dist-source
 
 this-w32-source: check-tools
-       $(SPEEDOMAKE) TARGETOS=w32    WHAT=git     WITH_GUI=1 dist-source
+       $(SPEEDOMAKE) TARGETOS=w32    WHAT=this    WITH_GUI=0 \
+                                                  CUSTOM_SWDB=1 dist-source
+
+w32-release: check-tools
+       $(SPEEDOMAKE) TARGETOS=w32 WHAT=release    WITH_GUI=0 SELFCHECK=0 \
+                                                   installer-from-source
+
+w32-sign-installer: check-tools
+       $(SPEEDOMAKE) TARGETOS=w32 WHAT=release    WITH_GUI=0 SELFCHECK=0 \
+                                                   sign-installer
+
+w32-release-offline: check-tools
+       $(SPEEDOMAKE) TARGETOS=w32 WHAT=release    WITH_GUI=0 SELFCHECK=0 \
+         CUSTOM_SWDB=1 pkgrep=${HOME}/b pkg10rep=${HOME}/b  \
+         installer-from-source
 
 
 # Set this to "git" to build from git,
@@ -113,9 +131,15 @@ TARGETOS=
 # Set to 1 to build the GUI tools
 WITH_GUI=0
 
+# Set to 1 to use a pre-installed swdb.lst instead of the online version.
+CUSTOM_SWDB=0
+
 # Set to 1 to really download the swdb.
 UPD_SWDB=0
 
+# Set to 0 to skip the GnuPG version self-check
+SELFCHECK=1
+
 # Set to the location of the directory with tarballs of
 # external packages.
 TARBALLS=$(shell pwd)/../tarballs
@@ -129,6 +153,9 @@ INST_NAME=gnupg-w32
 # Use this to override the installaion directory for native builds.
 INSTALL_PREFIX=none
 
+# The Authenticode key used to sign the Windows installer
+AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
+
 
 # Directory names.
 # They must be absolute, as we switch directories pretty often.
@@ -157,48 +184,72 @@ speedo_spkgs  = \
 
 ifeq ($(TARGETOS),w32)
 speedo_spkgs += \
-       zlib bzip2 libiconv gettext
+       zlib bzip2 sqlite
+ifeq ($(WITH_GUI),1)
+speedo_spkgs += gettext libiconv
+endif
+endif
+
+speedo_spkgs += \
+       libassuan libksba
+
+ifeq ($(TARGETOS),w32)
+speedo_spkgs += \
+       ntbtls
 endif
 
 speedo_spkgs += \
-       libassuan libksba gnupg
+       gnupg
 
 ifeq ($(TARGETOS),w32)
+ifeq ($(WITH_GUI),1)
 speedo_spkgs += \
        libffi glib pkg-config
 endif
+endif
 
 speedo_spkgs += \
        gpgme
 
 ifeq ($(TARGETOS),w32)
+ifeq ($(WITH_GUI),1)
 speedo_spkgs += \
        libpng \
        gdk-pixbuf atk pixman cairo pango gtk+
 endif
+endif
 
+ifeq ($(TARGETOS),w32)
 
+speedo_spkgs += pinentry
 ifeq ($(WITH_GUI),1)
-speedo_spkgs += \
-       pinentry gpa
+speedo_spkgs += gpa gpgex
+endif
+
+else
+
+ifeq ($(WITH_GUI),1)
+speedo_spkgs += pinentry gpa
 endif
 
-ifeq ($(TARGETOS),w32)
-speedo_spkgs += \
-       gpgex
 endif
 
+
 # =====END LIST OF PACKAGES=====
 
 
-# Packages which are additionally build for 64 bit Windows
-speedo_w64_spkgs  = \
-       libgpg-error libiconv gettext libassuan gpgex
+# Packages which are additionally build for 64 bit Windows.  They are
+# only used for gpgex and thus we need to build them only if we want
+# a full installer.
+speedo_w64_spkgs  =
+ifeq ($(WITH_GUI),1)
+speedo_w64_spkgs += libgpg-error libiconv gettext libassuan gpgex
+endif
 
 # Packages which use the gnupg autogen.sh build style
 speedo_gnupg_style = \
        libgpg-error npth libgcrypt  \
-       libassuan libksba gnupg gpgme \
+       libassuan libksba ntbtls gnupg gpgme \
        pinentry gpa gpgex
 
 # Packages which use only make and no build directory
@@ -206,56 +257,91 @@ speedo_make_only_style = \
        zlib bzip2
 
 # Get the content of the software DB.
+ifeq ($(CUSTOM_SWDB),1)
+getswdb_options = --skip-download --skip-verify
+else
+getswdb_options =
+endif
+ifeq ($(SELFCHECK),0)
+getswdb_options += --skip-selfcheck
+endif
 ifeq ($(UPD_SWDB),1)
-SWDB := $(shell $(topsrc)/build-aux/getswdb.sh && echo okay)
+SWDB := $(shell $(topsrc)/build-aux/getswdb.sh $(getswdb_options) && echo okay)
 ifeq ($(strip $(SWDB)),)
+ifneq ($(WHAT),git)
 $(error Error getting GnuPG software version database)
 endif
+endif
 
 # Version numbers of the released packages
-gnupg_ver = $(shell cat $(topsrc)/VERSION)
+gnupg_ver_this = $(shell cat $(topsrc)/VERSION)
+
+gnupg_ver        := $(shell awk '$$1=="gnupg21_ver" {print $$2}' swdb.lst)
 
 libgpg_error_ver := $(shell awk '$$1=="libgpg_error_ver" {print $$2}' swdb.lst)
 libgpg_error_sha1:= $(shell awk '$$1=="libgpg_error_sha1" {print $$2}' swdb.lst)
+libgpg_error_sha2:= $(shell awk '$$1=="libgpg_error_sha2" {print $$2}' swdb.lst)
 
 npth_ver  := $(shell awk '$$1=="npth_ver" {print $$2}' swdb.lst)
 npth_sha1 := $(shell awk '$$1=="npth_sha1" {print $$2}' swdb.lst)
+npth_sha2 := $(shell awk '$$1=="npth_sha2" {print $$2}' swdb.lst)
 
 libgcrypt_ver  := $(shell awk '$$1=="libgcrypt_ver" {print $$2}' swdb.lst)
 libgcrypt_sha1 := $(shell awk '$$1=="libgcrypt_sha1" {print $$2}' swdb.lst)
+libgcrypt_sha2 := $(shell awk '$$1=="libgcrypt_sha2" {print $$2}' swdb.lst)
 
 libassuan_ver  := $(shell awk '$$1=="libassuan_ver" {print $$2}' swdb.lst)
 libassuan_sha1 := $(shell awk '$$1=="libassuan_sha1" {print $$2}' swdb.lst)
+libassuan_sha2 := $(shell awk '$$1=="libassuan_sha2" {print $$2}' swdb.lst)
 
 libksba_ver  := $(shell awk '$$1=="libksba_ver" {print $$2}' swdb.lst)
 libksba_sha1 := $(shell awk '$$1=="libksba_sha1" {print $$2}' swdb.lst)
+libksba_sha2 := $(shell awk '$$1=="libksba_sha2" {print $$2}' swdb.lst)
+
+ntbtls_ver  := $(shell awk '$$1=="ntbtls_ver" {print $$2}' swdb.lst)
+ntbtls_sha1 := $(shell awk '$$1=="ntbtls_sha1" {print $$2}' swdb.lst)
+ntbtls_sha2 := $(shell awk '$$1=="ntbtls_sha2" {print $$2}' swdb.lst)
 
 gpgme_ver  := $(shell awk '$$1=="gpgme_ver" {print $$2}' swdb.lst)
 gpgme_sha1 := $(shell awk '$$1=="gpgme_sha1" {print $$2}' swdb.lst)
+gpgme_sha2 := $(shell awk '$$1=="gpgme_sha2" {print $$2}' swdb.lst)
 
 pinentry_ver  := $(shell awk '$$1=="pinentry_ver" {print $$2}' swdb.lst)
 pinentry_sha1 := $(shell awk '$$1=="pinentry_sha1" {print $$2}' swdb.lst)
+pinentry_sha2 := $(shell awk '$$1=="pinentry_sha2" {print $$2}' swdb.lst)
 
 gpa_ver  := $(shell awk '$$1=="gpa_ver" {print $$2}' swdb.lst)
 gpa_sha1 := $(shell awk '$$1=="gpa_sha1" {print $$2}' swdb.lst)
+gpa_sha2 := $(shell awk '$$1=="gpa_sha2" {print $$2}' swdb.lst)
 
 gpgex_ver  := $(shell awk '$$1=="gpgex_ver" {print $$2}' swdb.lst)
 gpgex_sha1 := $(shell awk '$$1=="gpgex_sha1" {print $$2}' swdb.lst)
+gpgex_sha2 := $(shell awk '$$1=="gpgex_sha2" {print $$2}' swdb.lst)
 
 zlib_ver  := $(shell awk '$$1=="zlib_ver" {print $$2}' swdb.lst)
 zlib_sha1 := $(shell awk '$$1=="zlib_sha1_gz" {print $$2}' swdb.lst)
+zlib_sha2 := $(shell awk '$$1=="zlib_sha2_gz" {print $$2}' swdb.lst)
 
 bzip2_ver  := $(shell awk '$$1=="bzip2_ver" {print $$2}' swdb.lst)
 bzip2_sha1 := $(shell awk '$$1=="bzip2_sha1_gz" {print $$2}' swdb.lst)
+bzip2_sha2 := $(shell awk '$$1=="bzip2_sha2_gz" {print $$2}' swdb.lst)
+
+sqlite_ver  := $(shell awk '$$1=="sqlite_ver" {print $$2}' swdb.lst)
+sqlite_sha1 := $(shell awk '$$1=="sqlite_sha1_gz" {print $$2}' swdb.lst)
+sqlite_sha2 := $(shell awk '$$1=="sqlite_sha2_gz" {print $$2}' swdb.lst)
+
 
 $(info Information from the version database)
-$(info GnuPG ..........: $(gnupg_ver))
+$(info GnuPG ..........: $(gnupg_ver) (building $(gnupg_ver_this)))
 $(info Libgpg-error ...: $(libgpg_error_ver))
 $(info Npth ...........: $(npth_ver))
 $(info Libgcrypt ......: $(libgcrypt_ver))
 $(info Libassuan ......: $(libassuan_ver))
+$(info Libksba ........: $(libksba_ver))
 $(info Zlib ...........: $(zlib_ver))
 $(info Bzip2 ..........: $(bzip2_ver))
+$(info SQLite .........: $(sqlite_ver))
+$(info NtbTLS .. ......: $(ntbtls_ver))
 $(info GPGME ..........: $(gpgme_ver))
 $(info Pinentry .......: $(pinentry_ver))
 $(info GPA ............: $(gpa_ver))
@@ -264,7 +350,6 @@ endif
 
 # Version number for external packages
 pkg_config_ver = 0.23
-zlib_ver = 1.2.8
 libiconv_ver = 1.14
 gettext_ver = 0.18.2.1
 libffi_ver = 3.0.13
@@ -277,7 +362,6 @@ pixman_ver = 0.32.4
 cairo_ver = 1.12.16
 gtk__ver = 2.24.17
 
-
 # The GIT repository.  Using a local repo is much faster.
 #gitrep = git://git.gnupg.org
 gitrep = ${HOME}/s
@@ -318,9 +402,11 @@ else ifeq ($(WHAT),git)
   speedo_pkg_libassuan_git = $(gitrep)/libassuan
   speedo_pkg_libassuan_gitref = master
   speedo_pkg_libgcrypt_git = $(gitrep)/libgcrypt
-  speedo_pkg_libgcrypt_gitref = LIBGCRYPT-1-6-BRANCH
+  speedo_pkg_libgcrypt_gitref = master
   speedo_pkg_libksba_git = $(gitrep)/libksba
   speedo_pkg_libksba_gitref = master
+  speedo_pkg_ntbtls_git = $(gitrep)/ntbtls
+  speedo_pkg_ntbtls_gitref = master
   speedo_pkg_gpgme_git = $(gitrep)/gpgme
   speedo_pkg_gpgme_gitref = master
   speedo_pkg_pinentry_git = $(gitrep)/pinentry
@@ -340,6 +426,8 @@ else ifeq ($(WHAT),release)
        $(pkgrep)/libgcrypt/libgcrypt-$(libgcrypt_ver).tar.bz2
   speedo_pkg_libksba_tar = \
        $(pkgrep)/libksba/libksba-$(libksba_ver).tar.bz2
+  speedo_pkg_ntbtls_tar = \
+       $(pkgrep)/ntbtls/ntbtls-$(ntbtls_ver).tar.bz2
   speedo_pkg_gpgme_tar = \
        $(pkgrep)/gpgme/gpgme-$(gpgme_ver).tar.bz2
   speedo_pkg_pinentry_tar = \
@@ -355,6 +443,7 @@ endif
 speedo_pkg_pkg_config_tar = $(pkg2rep)/pkg-config-$(pkg_config_ver).tar.gz
 speedo_pkg_zlib_tar       = $(pkgrep)/zlib/zlib-$(zlib_ver).tar.gz
 speedo_pkg_bzip2_tar      = $(pkgrep)/bzip2/bzip2-$(bzip2_ver).tar.gz
+speedo_pkg_sqlite_tar     = $(pkgrep)/sqlite/sqlite-autoconf-$(sqlite_ver).tar.gz
 speedo_pkg_libiconv_tar   = $(pkg2rep)/libiconv-$(libiconv_ver).tar.gz
 speedo_pkg_gettext_tar    = $(pkg2rep)/gettext-$(gettext_ver).tar.gz
 speedo_pkg_libffi_tar     = $(pkg2rep)/libffi-$(libffi_ver).tar.gz
@@ -382,8 +471,13 @@ speedo_pkg_libgcrypt_configure = --disable-static
 
 speedo_pkg_libksba_configure = --disable-static
 
+# For now we build ntbtls only static
+speedo_pkg_ntbtls_configure = --enable-static --disable-shared
+
 ifeq ($(TARGETOS),w32)
-speedo_pkg_gnupg_configure = --enable-gpg2-is-gpg --disable-g13 --disable-ntbtls
+speedo_pkg_gnupg_configure = \
+        --enable-gpg2-is-gpg --disable-g13 --enable-ntbtls \
+        --enable-build-timestamp
 else
 speedo_pkg_gnupg_configure = --disable-g13
 endif
@@ -401,19 +495,31 @@ endef
 endif
 
 # The LDFLAGS is needed for -lintl for glib.
+ifeq ($(WITH_GUI),1)
 speedo_pkg_gpgme_configure = \
        --enable-static --enable-w32-glib --disable-w32-qt \
        --with-gpg-error-prefix=$(idir) \
        LDFLAGS=-L$(idir)/lib
+else
+speedo_pkg_gpgme_configure = \
+       --disable-static --disable-w32-glib --disable-w32-qt \
+       --with-gpg-error-prefix=$(idir) \
+       LDFLAGS=-L$(idir)/lib
+endif
+
 
-speedo_pkg_pinentry_configure = \
-       --disable-pinentry-qt --disable-pinentry-qt4 --disable-pinentry-gtk \
-       --enable-pinentry-gtk2 \
-       --with-glib-prefix=$(idir) --with-gtk-prefix=$(idir) \
+ifeq ($(TARGETOS),w32)
+speedo_pkg_pinentry_configure = --disable-pinentry-gtk2
+else
+speedo_pkg_pinentry_configure = --enable-pinentry-gtk2
+endif
+speedo_pkg_pinentry_configure += \
+        --disable-pinentry-qt4 \
        CPPFLAGS=-I$(idir)/include   \
        LDFLAGS=-L$(idir)/lib        \
        CXXFLAGS=-static-libstdc++
 
+
 speedo_pkg_gpa_configure = \
         --with-libiconv-prefix=$(idir) --with-libintl-prefix=$(idir) \
         --with-gpgme-prefix=$(idir) --with-zlib=$(idir) \
@@ -570,6 +676,10 @@ SHA1SUM := $(shell $(topsrc)/build-aux/getswdb.sh --find-sha1sum)
 ifeq ($(SHA1SUM),false)
 $(error The sha1sum tool is missing)
 endif
+SHA2SUM := $(shell $(topsrc)/build-aux/getswdb.sh --find-sha256sum)
+ifeq ($(SHA2SUM),false)
+$(error The sha256sum tool is missing)
+endif
 
 
 BUILD_ISODATE=$(shell date -u +%Y-%m-%d)
@@ -647,6 +757,7 @@ define SETVARS
         git="$(call GETVAR,speedo_pkg_$(1)_git)";                       \
         gitref="$(call GETVAR,speedo_pkg_$(1)_gitref)";                 \
         tar="$(call GETVAR,speedo_pkg_$(1)_tar)";                       \
+        sha2="$(call GETVAR,$(1)_sha2)";                                \
         sha1="$(call GETVAR,$(1)_sha1)";                                \
         pkgsdir="$(sdir)/$(1)";                                         \
         if [ "$(1)" = "gnupg" ]; then                                   \
@@ -681,6 +792,7 @@ define SETVARS_W64
         git="$(call GETVAR,speedo_pkg_$(1)_git)";                       \
         gitref="$(call GETVAR,speedo_pkg_$(1)_gitref)";                 \
         tar="$(call GETVAR,speedo_pkg_$(1)_tar)";                       \
+        sha2="$(call GETVAR,$(1)_sha2)";                                \
         sha1="$(call GETVAR,$(1)_sha1)";                                \
         pkgsdir="$(sdir)/$(1)";                                         \
         if [ "$(1)" = "gnupg" ]; then                                   \
@@ -756,11 +868,19 @@ $(stampdir)/stamp-$(1)-00-unpack: $(stampdir)/stamp-directories
                   | $$$${pretar} | tar x$$$${opt}f - ;; \
           esac;                                        \
           if [ -f tmp.tgz ]; then                      \
-            if [ -n "$$$${sha1}" ]; then               \
+            if [ -n "$$$${sha2}" ]; then               \
+               tmp=$$$$($(SHA2SUM) <tmp.tgz|cut -d' ' -f1);\
+               if [ "$$$${tmp}" != "$$$${sha2}" ]; then \
+                echo "speedo:";                        \
+                 echo "speedo: ERROR: SHA-256 checksum mismatch for $(1)";\
+                echo "speedo:";                        \
+                 exit 1;                                \
+               fi;                                      \
+            elif [ -n "$$$${sha1}" ]; then            \
                tmp=$$$$($(SHA1SUM) <tmp.tgz|cut -d' ' -f1);\
                if [ "$$$${tmp}" != "$$$${sha1}" ]; then \
                 echo "speedo:";                        \
-                 echo "speedo: ERROR: checksum mismatch for $(1)";\
+                 echo "speedo: ERROR: SHA-1 checksum mismatch for $(1)";\
                 echo "speedo:";                        \
                  exit 1;                                \
                fi;                                      \
@@ -775,9 +895,13 @@ $(stampdir)/stamp-$(1)-00-unpack: $(stampdir)/stamp-directories
                  | sed -e 's,\.tar.*$$$$,,'`;          \
           mv $$$${base} $(1);                          \
           patch="$(patdir)/$(1)-$$$${base#$(1)-}.patch";\
+          patchx="$(patdir)/$(1).patch";               \
           if [ -x "$$$${patch}" ]; then                \
              echo "speedo: applying patch $$$${patch}"; \
              cd $(1); "$$$${patch}";                   \
+          elif [ -x "$$$${patchx}" ]; then             \
+             echo "speedo: applying patch $$$${patchx}";\
+             cd $(1); "$$$${patchx}";                  \
           elif [ -f "$$$${patch}" ]; then              \
              echo "speedo: warning: $$$${patch} is not executable"; \
           fi;                                          \
@@ -998,7 +1122,7 @@ clean-speedo:
 # {{{
 ifeq ($(TARGETOS),w32)
 
-dist-source: all
+dist-source: installer
        for i in 00 01 02 03; do sleep 1;touch PLAY/stamps/stamp-*-${i}-*;done
        (set -e;\
         tarname="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).tar" ;\
@@ -1008,21 +1132,26 @@ dist-source: all
              --anchored --exclude './PLAY' . ;\
         tar --totals -rf "$$tarname" --exclude-backups --exclude-vc \
               --transform='s,^,$(INST_NAME)-$(INST_VERSION)/,' \
-            PLAY/stamps/stamp-*-00-unpack PLAY/src ;\
+            PLAY/stamps/stamp-*-00-unpack PLAY/src swdb.lst swdb.lst.sig ;\
+        [ -f "$$tarname".xz ] && rm "$$tarname".xz;\
          xz "$$tarname" ;\
        )
 
 
+# Extract the two latest news entries.  */
 $(bdir)/NEWS.tmp: $(topsrc)/NEWS
-       sed -e '/^#/d' <$(topsrc)/NEWS >$(bdir)/NEWS.tmp
+       awk '/^Notewo/ {if(okay>1){exit}; okay++};okay {print $0}' \
+           <$(topsrc)/NEWS  >$(bdir)/NEWS.tmp
 
-$(bdir)/README.txt: $(bdir)/NEWS.tmp $(w32src)/README.txt \
+$(bdir)/README.txt: $(bdir)/NEWS.tmp $(topsrc)/README $(w32src)/README.txt \
                     $(w32src)/pkg-copyright.txt
        sed -e '/^;.*/d;' \
-       -e '/!NEWSFILE!/{r NEWS.tmp' -e 'd;}' \
+       -e '/!NEWSFILE!/{r $(bdir)/NEWS.tmp' -e 'd;}' \
+       -e '/!GNUPGREADME!/{r $(topsrc)/README' -e 'd;}' \
         -e '/!PKG-COPYRIGHT!/{r $(w32src)/pkg-copyright.txt' -e 'd;}' \
         -e 's,!VERSION!,$(INST_VERSION),g' \
           < $(w32src)/README.txt \
+           | sed -e '/^#/d' \
            | awk '{printf "%s\r\n", $$0}' >$(bdir)/README.txt
 
 $(bdir)/g4wihelp.dll: $(w32src)/g4wihelp.c $(w32src)/exdll.h
@@ -1036,6 +1165,11 @@ w32_insthelpers: $(bdir)/g4wihelp.dll
 $(bdir)/inst-options.ini: $(w32src)/inst-options.ini
        cat $(w32src)/inst-options.ini >$(bdir)/inst-options.ini
 
+extra_installer_options =
+ifeq ($(WITH_GUI),1)
+extra_installer_options += -DWITH_GUI=1
+endif
+
 installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt
        $(MAKENSIS) -V2 \
                     -DINST_DIR=$(idir) \
@@ -1048,9 +1182,62 @@ installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt
                    -DNAME=$(INST_NAME) \
                    -DVERSION=$(INST_VERSION) \
                    -DPROD_VERSION=$(INST_PROD_VERSION) \
-                   $(w32src)/inst.nsi
+                   $(extra_installer_options) $(w32src)/inst.nsi
        @echo "Ready: $(idir)/$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe"
 
+
+define MKSWDB_commands
+ ( pref="#+macro: gnupg21_w32_" ;\
+   echo "$${pref}ver  $(INST_VERSION)_$(BUILD_DATESTR)"  ;\
+   echo "$${pref}date $(2)" ;\
+   echo "$${pref}size $$(wc -c <$(1)|awk '{print int($$1/1024)}')k";\
+   echo "$${pref}sha1 $$(sha1sum <$(1)|cut -d' ' -f1)" ;\
+   echo "$${pref}sha2 $$(sha256sum <$(1)|cut -d' ' -f1)" ;\
+ ) | tee $(1).swdb
+endef
+
+
+# Build the installer from the source tarball.
+installer-from-source: dist-source
+       (set -e;\
+        [ -d PLAY-release ] && rm -rf PLAY-release; \
+        mkdir PLAY-release;\
+        cd PLAY-release; \
+        tar xJf "../$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).tar.xz";\
+        cd $(INST_NAME)-$(INST_VERSION); \
+         $(MAKE) -f build-aux/speedo.mk this-w32-installer SELFCHECK=0;\
+        reldate="$$(date -u +%Y-%m-%d)" ;\
+        exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
+        cp "PLAY/inst/$$exefile" ../.. ;\
+        exefile="../../$$exefile" ;\
+        $(call MKSWDB_commands,$${exefile},$${reldate}); \
+       )
+
+# This target repeats some of the installer-from-source steps but it
+# is intended to be called interactively, so that the passphrase can be
+# entered.
+sign-installer:
+       @(set -e; \
+        cd PLAY-release; \
+        cd $(INST_NAME)-$(INST_VERSION); \
+        reldate="$$(date -u +%Y-%m-%d)" ;\
+        exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
+        echo "speedo: /*" ;\
+        echo "speedo:  * Signing installer" ;\
+        echo "speedo:  * Key: $(AUTHENTICODE_KEY)";\
+        echo "speedo:  */" ;\
+        osslsigncode sign -pkcs12 $(AUTHENTICODE_KEY) -askpass \
+            -h sha256 -in "PLAY/inst/$$exefile" -out "../../$$exefile" ;\
+        exefile="../../$$exefile" ;\
+        $(call MKSWDB_commands,$${exefile},$${reldate}); \
+        echo "speedo: /*" ;\
+        echo "speedo:  * Verification result" ;\
+        echo "speedo:  */" ;\
+         osslsigncode verify $${exefile} \
+       )
+
+
+
 endif
 # }}} W32