-
Notifications
You must be signed in to change notification settings - Fork 207
/
_sign-code.sh
executable file
·45 lines (39 loc) · 1.3 KB
/
_sign-code.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
#!/bin/sh
# Copyright (C) Viktor Szakats. See LICENSE.md
# SPDX-License-Identifier: MIT
# shellcheck disable=SC3040,SC2039
set -o xtrace -o errexit -o nounset; [ -n "${BASH:-}${ZSH_NAME:-}" ] && set -o pipefail
# TODO: add support for code signing Unixy binaries
# E.g. 'codesign' for mac.
# Linux: https://stackoverflow.com/questions/1732927/signed-executables-under-linux
if [ "${_OS}" = 'win' ] && \
[ -s "${SIGN_CODE_KEY}" ] && \
[ -n "${SIGN_CODE_KEY_PASS:+1}" ] && \
[ -n "${_OSSLSIGNCODE}" ]; then
_ref="$1"
shift
case "${_HOST}" in
bsd|mac) unixts="$(TZ=UTC stat -f '%m' "${_ref}")";;
*) unixts="$(TZ=UTC stat -c '%Y' "${_ref}")";;
esac
# Add code signature
for file in "$@"; do
echo "Code signing: '${file}'"
# Requires: osslsigncode 2.4 or newer
# -ts 'https://freetsa.org/tsr'
# TODO: osslsigncode 2.9 supports `-` instead of `/dev/stdin`.
"${_OSSLSIGNCODE}" sign \
-h sha512 \
-in "${file}" -out "${file}-signed" \
-time "${unixts}" \
-pkcs12 "${SIGN_CODE_KEY}" -readpass /dev/stdin <<EOF
${SIGN_CODE_KEY_PASS}
EOF
# # Create detached code signature:
# "${_OSSLSIGNCODE}" extract-signature \
# -in "${file}-signed" \
# -out "${file}.p7"
cp -f "${file}-signed" "${file}"
rm -f "${file}-signed"
done
fi