speedo: Add new option STATIC=1
[gnupg.git] / build-aux / speedo.mk
index cd3a66d..ce338dd 100644 (file)
@@ -52,16 +52,18 @@ SPEEDO_MK := $(realpath $(lastword $(MAKEFILE_LIST)))
 help:
        @echo 'usage: make -f speedo.mk TARGET'
        @echo '       with TARGET being one of:'
-       @echo '  help           This help'
-       @echo '  native         Native build of the GnuPG core'
-       @echo '  native-gui     Ditto but with pinentry and GPA'
-       @echo '  w32-installer  Build a Windows installer'
-       @echo '  w32-source     Pack a source archive'
-       @echo '  w32-release    Build a Windows release'
+       @echo '  help               This help'
+       @echo '  native             Native build of the GnuPG core'
+       @echo '  native-gui         Ditto but with pinentry and GPA'
+       @echo '  w32-installer      Build a Windows installer'
+       @echo '  w32-source         Pack a source archive'
+       @echo '  w32-release        Build a Windows release'
+       @echo '  w32-sign-installer Sign the installer'
        @echo
        @echo 'You may append INSTALL_PREFIX=<dir> for native builds.'
        @echo 'Prepend TARGET with "git-" to build from GIT repos.'
        @echo 'Prepend TARGET with "this-" to build from the source tarball.'
+       @echo 'Use STATIC=1 to build with statically linked libraries.'
        @echo 'Use SELFCHECK=0 for a non-released version.'
        @echo 'Use CUSTOM_SWDB=1 for an already downloaded swdb.lst.'
 
@@ -109,6 +111,14 @@ w32-release: check-tools
        $(SPEEDOMAKE) TARGETOS=w32 WHAT=release    WITH_GUI=0 SELFCHECK=0 \
                                                    installer-from-source
 
+w32-sign-installer: check-tools
+       $(SPEEDOMAKE) TARGETOS=w32 WHAT=release    WITH_GUI=0 SELFCHECK=0 \
+                                                   sign-installer
+
+w32-release-offline: check-tools
+       $(SPEEDOMAKE) TARGETOS=w32 WHAT=release    WITH_GUI=0 SELFCHECK=0 \
+         CUSTOM_SWDB=1 pkgrep=${HOME}/b pkg10rep=${HOME}/b  \
+         installer-from-source
 
 
 # Set this to "git" to build from git,
@@ -131,6 +141,9 @@ UPD_SWDB=0
 # Set to 0 to skip the GnuPG version self-check
 SELFCHECK=1
 
+# Set to 1 to build with statically linked libraries.
+STATIC=0
+
 # Set to the location of the directory with tarballs of
 # external packages.
 TARBALLS=$(shell pwd)/../tarballs
@@ -144,6 +157,9 @@ INST_NAME=gnupg-w32
 # Use this to override the installaion directory for native builds.
 INSTALL_PREFIX=none
 
+# The Authenticode key used to sign the Windows installer
+AUTHENTICODE_KEY=${HOME}/.gnupg/g10code-authenticode-key.p12
+
 
 # Directory names.
 # They must be absolute, as we switch directories pretty often.
@@ -172,14 +188,22 @@ speedo_spkgs  = \
 
 ifeq ($(TARGETOS),w32)
 speedo_spkgs += \
-       zlib bzip2 adns libiconv
+       zlib bzip2 sqlite
 ifeq ($(WITH_GUI),1)
-speedo_spkgs += gettext
+speedo_spkgs += gettext libiconv
+endif
 endif
+
+speedo_spkgs += \
+       libassuan libksba
+
+ifeq ($(TARGETOS),w32)
+speedo_spkgs += \
+       ntbtls
 endif
 
 speedo_spkgs += \
-       libassuan libksba gnupg
+       gnupg
 
 ifeq ($(TARGETOS),w32)
 ifeq ($(WITH_GUI),1)
@@ -188,8 +212,10 @@ speedo_spkgs += \
 endif
 endif
 
+ifeq ($(STATIC),0)
 speedo_spkgs += \
        gpgme
+endif
 
 ifeq ($(TARGETOS),w32)
 ifeq ($(WITH_GUI),1)
@@ -229,7 +255,7 @@ endif
 # Packages which use the gnupg autogen.sh build style
 speedo_gnupg_style = \
        libgpg-error npth libgcrypt  \
-       libassuan libksba gnupg gpgme \
+       libassuan libksba ntbtls gnupg gpgme \
        pinentry gpa gpgex
 
 # Packages which use only make and no build directory
@@ -256,43 +282,60 @@ endif
 # Version numbers of the released packages
 gnupg_ver_this = $(shell cat $(topsrc)/VERSION)
 
-gnupg_ver        := $(shell awk '$$1=="gnupg21_ver" {print $$2}' swdb.lst)
+gnupg_ver        := $(shell awk '$$1=="gnupg22_ver" {print $$2}' swdb.lst)
 
 libgpg_error_ver := $(shell awk '$$1=="libgpg_error_ver" {print $$2}' swdb.lst)
 libgpg_error_sha1:= $(shell awk '$$1=="libgpg_error_sha1" {print $$2}' swdb.lst)
+libgpg_error_sha2:= $(shell awk '$$1=="libgpg_error_sha2" {print $$2}' swdb.lst)
 
 npth_ver  := $(shell awk '$$1=="npth_ver" {print $$2}' swdb.lst)
 npth_sha1 := $(shell awk '$$1=="npth_sha1" {print $$2}' swdb.lst)
+npth_sha2 := $(shell awk '$$1=="npth_sha2" {print $$2}' swdb.lst)
 
 libgcrypt_ver  := $(shell awk '$$1=="libgcrypt_ver" {print $$2}' swdb.lst)
 libgcrypt_sha1 := $(shell awk '$$1=="libgcrypt_sha1" {print $$2}' swdb.lst)
+libgcrypt_sha2 := $(shell awk '$$1=="libgcrypt_sha2" {print $$2}' swdb.lst)
 
 libassuan_ver  := $(shell awk '$$1=="libassuan_ver" {print $$2}' swdb.lst)
 libassuan_sha1 := $(shell awk '$$1=="libassuan_sha1" {print $$2}' swdb.lst)
+libassuan_sha2 := $(shell awk '$$1=="libassuan_sha2" {print $$2}' swdb.lst)
 
 libksba_ver  := $(shell awk '$$1=="libksba_ver" {print $$2}' swdb.lst)
 libksba_sha1 := $(shell awk '$$1=="libksba_sha1" {print $$2}' swdb.lst)
+libksba_sha2 := $(shell awk '$$1=="libksba_sha2" {print $$2}' swdb.lst)
+
+ntbtls_ver  := $(shell awk '$$1=="ntbtls_ver" {print $$2}' swdb.lst)
+ntbtls_sha1 := $(shell awk '$$1=="ntbtls_sha1" {print $$2}' swdb.lst)
+ntbtls_sha2 := $(shell awk '$$1=="ntbtls_sha2" {print $$2}' swdb.lst)
 
 gpgme_ver  := $(shell awk '$$1=="gpgme_ver" {print $$2}' swdb.lst)
 gpgme_sha1 := $(shell awk '$$1=="gpgme_sha1" {print $$2}' swdb.lst)
+gpgme_sha2 := $(shell awk '$$1=="gpgme_sha2" {print $$2}' swdb.lst)
 
 pinentry_ver  := $(shell awk '$$1=="pinentry_ver" {print $$2}' swdb.lst)
 pinentry_sha1 := $(shell awk '$$1=="pinentry_sha1" {print $$2}' swdb.lst)
+pinentry_sha2 := $(shell awk '$$1=="pinentry_sha2" {print $$2}' swdb.lst)
 
 gpa_ver  := $(shell awk '$$1=="gpa_ver" {print $$2}' swdb.lst)
 gpa_sha1 := $(shell awk '$$1=="gpa_sha1" {print $$2}' swdb.lst)
+gpa_sha2 := $(shell awk '$$1=="gpa_sha2" {print $$2}' swdb.lst)
 
 gpgex_ver  := $(shell awk '$$1=="gpgex_ver" {print $$2}' swdb.lst)
 gpgex_sha1 := $(shell awk '$$1=="gpgex_sha1" {print $$2}' swdb.lst)
+gpgex_sha2 := $(shell awk '$$1=="gpgex_sha2" {print $$2}' swdb.lst)
 
 zlib_ver  := $(shell awk '$$1=="zlib_ver" {print $$2}' swdb.lst)
 zlib_sha1 := $(shell awk '$$1=="zlib_sha1_gz" {print $$2}' swdb.lst)
+zlib_sha2 := $(shell awk '$$1=="zlib_sha2_gz" {print $$2}' swdb.lst)
 
 bzip2_ver  := $(shell awk '$$1=="bzip2_ver" {print $$2}' swdb.lst)
 bzip2_sha1 := $(shell awk '$$1=="bzip2_sha1_gz" {print $$2}' swdb.lst)
+bzip2_sha2 := $(shell awk '$$1=="bzip2_sha2_gz" {print $$2}' swdb.lst)
+
+sqlite_ver  := $(shell awk '$$1=="sqlite_ver" {print $$2}' swdb.lst)
+sqlite_sha1 := $(shell awk '$$1=="sqlite_sha1_gz" {print $$2}' swdb.lst)
+sqlite_sha2 := $(shell awk '$$1=="sqlite_sha2_gz" {print $$2}' swdb.lst)
 
-adns_ver  := $(shell awk '$$1=="adns_ver" {print $$2}' swdb.lst)
-adns_sha1 := $(shell awk '$$1=="adns_sha1" {print $$2}' swdb.lst)
 
 $(info Information from the version database)
 $(info GnuPG ..........: $(gnupg_ver) (building $(gnupg_ver_this)))
@@ -300,9 +343,11 @@ $(info Libgpg-error ...: $(libgpg_error_ver))
 $(info Npth ...........: $(npth_ver))
 $(info Libgcrypt ......: $(libgcrypt_ver))
 $(info Libassuan ......: $(libassuan_ver))
+$(info Libksba ........: $(libksba_ver))
 $(info Zlib ...........: $(zlib_ver))
 $(info Bzip2 ..........: $(bzip2_ver))
-$(info ADNS ...........: $(adns_ver))
+$(info SQLite .........: $(sqlite_ver))
+$(info NtbTLS .. ......: $(ntbtls_ver))
 $(info GPGME ..........: $(gpgme_ver))
 $(info Pinentry .......: $(pinentry_ver))
 $(info GPA ............: $(gpa_ver))
@@ -366,6 +411,8 @@ else ifeq ($(WHAT),git)
   speedo_pkg_libgcrypt_gitref = master
   speedo_pkg_libksba_git = $(gitrep)/libksba
   speedo_pkg_libksba_gitref = master
+  speedo_pkg_ntbtls_git = $(gitrep)/ntbtls
+  speedo_pkg_ntbtls_gitref = master
   speedo_pkg_gpgme_git = $(gitrep)/gpgme
   speedo_pkg_gpgme_gitref = master
   speedo_pkg_pinentry_git = $(gitrep)/pinentry
@@ -385,6 +432,8 @@ else ifeq ($(WHAT),release)
        $(pkgrep)/libgcrypt/libgcrypt-$(libgcrypt_ver).tar.bz2
   speedo_pkg_libksba_tar = \
        $(pkgrep)/libksba/libksba-$(libksba_ver).tar.bz2
+  speedo_pkg_ntbtls_tar = \
+       $(pkgrep)/ntbtls/ntbtls-$(ntbtls_ver).tar.bz2
   speedo_pkg_gpgme_tar = \
        $(pkgrep)/gpgme/gpgme-$(gpgme_ver).tar.bz2
   speedo_pkg_pinentry_tar = \
@@ -400,7 +449,7 @@ endif
 speedo_pkg_pkg_config_tar = $(pkg2rep)/pkg-config-$(pkg_config_ver).tar.gz
 speedo_pkg_zlib_tar       = $(pkgrep)/zlib/zlib-$(zlib_ver).tar.gz
 speedo_pkg_bzip2_tar      = $(pkgrep)/bzip2/bzip2-$(bzip2_ver).tar.gz
-speedo_pkg_adns_tar       = $(pkg10rep)/adns/adns-$(adns_ver).tar.bz2
+speedo_pkg_sqlite_tar     = $(pkgrep)/sqlite/sqlite-autoconf-$(sqlite_ver).tar.gz
 speedo_pkg_libiconv_tar   = $(pkg2rep)/libiconv-$(libiconv_ver).tar.gz
 speedo_pkg_gettext_tar    = $(pkg2rep)/gettext-$(gettext_ver).tar.gz
 speedo_pkg_libffi_tar     = $(pkg2rep)/libffi-$(libffi_ver).tar.gz
@@ -418,6 +467,8 @@ speedo_pkg_gtk__tar       = $(pkg2rep)/gtk+-$(gtk__ver).tar.xz
 # Package build options
 #
 
+speedo_pkg_npth_configure = --enable-static
+
 speedo_pkg_libgpg_error_configure = --enable-static
 speedo_pkg_w64_libgpg_error_configure = --enable-static
 
@@ -428,8 +479,28 @@ speedo_pkg_libgcrypt_configure = --disable-static
 
 speedo_pkg_libksba_configure = --disable-static
 
+speedo_pkg_ntbtls_configure = --enable-static
+
+
+ifeq ($(STATIC),1)
+speedo_pkg_npth_configure += --disable-shared
+
+speedo_pkg_libgpg_error_configure += --disable-shared
+
+speedo_pkg_libassuan_configure += --disable-shared
+
+speedo_pkg_libgcrypt_configure += --disable-shared
+
+speedo_pkg_libksba_configure += --disable-shared
+endif
+
+# For now we build ntbtls only static
+speedo_pkg_ntbtls_configure = --disable-shared
+
 ifeq ($(TARGETOS),w32)
-speedo_pkg_gnupg_configure = --enable-gpg2-is-gpg --disable-g13 --disable-ntbtls
+speedo_pkg_gnupg_configure = \
+        --disable-g13 --enable-ntbtls \
+        --enable-build-timestamp
 else
 speedo_pkg_gnupg_configure = --disable-g13
 endif
@@ -466,7 +537,10 @@ else
 speedo_pkg_pinentry_configure = --enable-pinentry-gtk2
 endif
 speedo_pkg_pinentry_configure += \
-        --disable-pinentry-qt4 \
+        --disable-pinentry-qt5   \
+        --disable-pinentry-qt    \
+       --disable-pinentry-fltk  \
+       --disable-pinentry-tty   \
        CPPFLAGS=-I$(idir)/include   \
        LDFLAGS=-L$(idir)/lib        \
        CXXFLAGS=-static-libstdc++
@@ -628,6 +702,10 @@ SHA1SUM := $(shell $(topsrc)/build-aux/getswdb.sh --find-sha1sum)
 ifeq ($(SHA1SUM),false)
 $(error The sha1sum tool is missing)
 endif
+SHA2SUM := $(shell $(topsrc)/build-aux/getswdb.sh --find-sha256sum)
+ifeq ($(SHA2SUM),false)
+$(error The sha256sum tool is missing)
+endif
 
 
 BUILD_ISODATE=$(shell date -u +%Y-%m-%d)
@@ -705,6 +783,8 @@ define SETVARS
         git="$(call GETVAR,speedo_pkg_$(1)_git)";                       \
         gitref="$(call GETVAR,speedo_pkg_$(1)_gitref)";                 \
         tar="$(call GETVAR,speedo_pkg_$(1)_tar)";                       \
+        ver="$(call GETVAR,$(1)_ver)";                                  \
+        sha2="$(call GETVAR,$(1)_sha2)";                                \
         sha1="$(call GETVAR,$(1)_sha1)";                                \
         pkgsdir="$(sdir)/$(1)";                                         \
         if [ "$(1)" = "gnupg" ]; then                                   \
@@ -739,6 +819,8 @@ define SETVARS_W64
         git="$(call GETVAR,speedo_pkg_$(1)_git)";                       \
         gitref="$(call GETVAR,speedo_pkg_$(1)_gitref)";                 \
         tar="$(call GETVAR,speedo_pkg_$(1)_tar)";                       \
+        ver="$(call GETVAR,$(1)_ver)";                                  \
+        sha2="$(call GETVAR,$(1)_sha2)";                                \
         sha1="$(call GETVAR,$(1)_sha1)";                                \
         pkgsdir="$(sdir)/$(1)";                                         \
         if [ "$(1)" = "gnupg" ]; then                                   \
@@ -814,11 +896,19 @@ $(stampdir)/stamp-$(1)-00-unpack: $(stampdir)/stamp-directories
                   | $$$${pretar} | tar x$$$${opt}f - ;; \
           esac;                                        \
           if [ -f tmp.tgz ]; then                      \
-            if [ -n "$$$${sha1}" ]; then               \
+            if [ -n "$$$${sha2}" ]; then               \
+               tmp=$$$$($(SHA2SUM) <tmp.tgz|cut -d' ' -f1);\
+               if [ "$$$${tmp}" != "$$$${sha2}" ]; then \
+                echo "speedo:";                        \
+                 echo "speedo: ERROR: SHA-256 checksum mismatch for $(1)";\
+                echo "speedo:";                        \
+                 exit 1;                                \
+               fi;                                      \
+            elif [ -n "$$$${sha1}" ]; then            \
                tmp=$$$$($(SHA1SUM) <tmp.tgz|cut -d' ' -f1);\
                if [ "$$$${tmp}" != "$$$${sha1}" ]; then \
                 echo "speedo:";                        \
-                 echo "speedo: ERROR: checksum mismatch for $(1)";\
+                 echo "speedo: ERROR: SHA-1 checksum mismatch for $(1)";\
                 echo "speedo:";                        \
                  exit 1;                                \
                fi;                                      \
@@ -833,9 +923,13 @@ $(stampdir)/stamp-$(1)-00-unpack: $(stampdir)/stamp-directories
                  | sed -e 's,\.tar.*$$$$,,'`;          \
           mv $$$${base} $(1);                          \
           patch="$(patdir)/$(1)-$$$${base#$(1)-}.patch";\
+          patchx="$(patdir)/$(1).patch";               \
           if [ -x "$$$${patch}" ]; then                \
              echo "speedo: applying patch $$$${patch}"; \
              cd $(1); "$$$${patch}";                   \
+          elif [ -x "$$$${patchx}" ]; then             \
+             echo "speedo: applying patch $$$${patchx}";\
+             cd $(1); "$$$${patchx}";                  \
           elif [ -f "$$$${patch}" ]; then              \
              echo "speedo: warning: $$$${patch} is not executable"; \
           fi;                                          \
@@ -982,6 +1076,9 @@ endif
        touch $(stampdir)/stamp-w64-$(1)-03-install
 
 $(stampdir)/stamp-final-$(1): $(stampdir)/stamp-$(1)-03-install
+       @($(call SETVARS,$(1));                                  \
+         printf "%-14s %-12s %s\n" $(1) "$$$${ver}" "$$$${sha1}" \
+             >> $(bdir)/pkg-versions.txt)
        @echo "speedo: $(1) done"
        @touch $(stampdir)/stamp-final-$(1)
 
@@ -1031,13 +1128,16 @@ endef
 # Insert the template for each source package.
 $(foreach spkg, $(speedo_spkgs), $(eval $(call SPKG_template,$(spkg))))
 
-$(stampdir)/stamp-final: $(stampdir)/stamp-directories
+$(stampdir)/stamp-final: $(stampdir)/stamp-directories clean-pkg-versions
 ifeq ($(TARGETOS),w32)
 $(stampdir)/stamp-final: $(addprefix $(stampdir)/stamp-w64-final-,$(speedo_w64_build_list))
 endif
 $(stampdir)/stamp-final: $(addprefix $(stampdir)/stamp-final-,$(speedo_build_list))
        touch $(stampdir)/stamp-final
 
+clean-pkg-versions:
+        @: >$(bdir)/pkg-versions.txt
+
 all-speedo: $(stampdir)/stamp-final
 
 report-speedo: $(addprefix report-,$(speedo_build_list))
@@ -1061,10 +1161,10 @@ dist-source: installer
        (set -e;\
         tarname="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).tar" ;\
         [ -f "$$tarname" ] && rm "$$tarname" ;\
-         tar -C $(topsrc) -cf "$$tarname" --exclude-backups --exclude-vc \
+         tar -C $(topsrc) -cf "$$tarname" --exclude-backups --exclude-vcs \
              --transform='s,^\./,$(INST_NAME)-$(INST_VERSION)/,' \
              --anchored --exclude './PLAY' . ;\
-        tar --totals -rf "$$tarname" --exclude-backups --exclude-vc \
+        tar --totals -rf "$$tarname" --exclude-backups --exclude-vcs \
               --transform='s,^,$(INST_NAME)-$(INST_VERSION)/,' \
             PLAY/stamps/stamp-*-00-unpack PLAY/src swdb.lst swdb.lst.sig ;\
         [ -f "$$tarname".xz ] && rm "$$tarname".xz;\
@@ -1077,12 +1177,18 @@ $(bdir)/NEWS.tmp: $(topsrc)/NEWS
        awk '/^Notewo/ {if(okay>1){exit}; okay++};okay {print $0}' \
            <$(topsrc)/NEWS  >$(bdir)/NEWS.tmp
 
+# Sort the file with the package versions.
+$(bdir)/pkg-versions.sorted: $(bdir)/pkg-versions.txt
+       grep -v '^gnupg ' <$(bdir)/pkg-versions.txt \
+           | sort | uniq >$(bdir)/pkg-versions.sorted
+
 $(bdir)/README.txt: $(bdir)/NEWS.tmp $(topsrc)/README $(w32src)/README.txt \
-                    $(w32src)/pkg-copyright.txt
+                    $(w32src)/pkg-copyright.txt $(bdir)/pkg-versions.sorted
        sed -e '/^;.*/d;' \
        -e '/!NEWSFILE!/{r $(bdir)/NEWS.tmp' -e 'd;}' \
        -e '/!GNUPGREADME!/{r $(topsrc)/README' -e 'd;}' \
         -e '/!PKG-COPYRIGHT!/{r $(w32src)/pkg-copyright.txt' -e 'd;}' \
+        -e '/!PKG-VERSIONS!/{r $(bdir)/pkg-versions.sorted' -e 'd;}' \
         -e 's,!VERSION!,$(INST_VERSION),g' \
           < $(w32src)/README.txt \
            | sed -e '/^#/d' \
@@ -1119,6 +1225,18 @@ installer: all w32_insthelpers $(w32src)/inst-options.ini $(bdir)/README.txt
                    $(extra_installer_options) $(w32src)/inst.nsi
        @echo "Ready: $(idir)/$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe"
 
+
+define MKSWDB_commands
+ ( pref="#+macro: gnupg22_w32_" ;\
+   echo "$${pref}ver  $(INST_VERSION)_$(BUILD_DATESTR)"  ;\
+   echo "$${pref}date $(2)" ;\
+   echo "$${pref}size $$(wc -c <$(1)|awk '{print int($$1/1024)}')k";\
+   echo "$${pref}sha1 $$(sha1sum <$(1)|cut -d' ' -f1)" ;\
+   echo "$${pref}sha2 $$(sha256sum <$(1)|cut -d' ' -f1)" ;\
+ ) | tee $(1).swdb
+endef
+
+
 # Build the installer from the source tarball.
 installer-from-source: dist-source
        (set -e;\
@@ -1128,9 +1246,38 @@ installer-from-source: dist-source
         tar xJf "../$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).tar.xz";\
         cd $(INST_NAME)-$(INST_VERSION); \
          $(MAKE) -f build-aux/speedo.mk this-w32-installer SELFCHECK=0;\
-        mv "PLAY/inst/$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ../.. ;\
+        reldate="$$(date -u +%Y-%m-%d)" ;\
+        exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
+        cp "PLAY/inst/$$exefile" ../.. ;\
+        exefile="../../$$exefile" ;\
+        $(call MKSWDB_commands,$${exefile},$${reldate}); \
+       )
+
+# This target repeats some of the installer-from-source steps but it
+# is intended to be called interactively, so that the passphrase can be
+# entered.
+sign-installer:
+       @(set -e; \
+        cd PLAY-release; \
+        cd $(INST_NAME)-$(INST_VERSION); \
+        reldate="$$(date -u +%Y-%m-%d)" ;\
+        exefile="$(INST_NAME)-$(INST_VERSION)_$(BUILD_DATESTR).exe" ;\
+        echo "speedo: /*" ;\
+        echo "speedo:  * Signing installer" ;\
+        echo "speedo:  * Key: $(AUTHENTICODE_KEY)";\
+        echo "speedo:  */" ;\
+        osslsigncode sign -pkcs12 $(AUTHENTICODE_KEY) -askpass \
+            -h sha256 -in "PLAY/inst/$$exefile" -out "../../$$exefile" ;\
+        exefile="../../$$exefile" ;\
+        $(call MKSWDB_commands,$${exefile},$${reldate}); \
+        echo "speedo: /*" ;\
+        echo "speedo:  * Verification result" ;\
+        echo "speedo:  */" ;\
+         osslsigncode verify $${exefile} \
        )
 
+
+
 endif
 # }}} W32
 
@@ -1145,4 +1292,4 @@ check-tools:
 # Mark phony targets
 #
 .PHONY: all all-speedo report-speedo clean-stamps clean-speedo installer \
-       w32_insthelpers check-tools
+       w32_insthelpers check-tools clean-pkg-versions