Align Windows signing with MrTrust contract

2026-05-16 04:34:34 +02:00
parent e66aa3d128
commit 6e9c53db2d
5 changed files with 84 additions and 46 deletions
--- a/apps/app/scripts/sign-windows-artifact.sh
+++ b/apps/app/scripts/sign-windows-artifact.sh
@@ -1,31 +1,65 @@
 #!/usr/bin/env bash
 set -euo pipefail

-artifact_path="${1:-}"
-if [ -z "${artifact_path}" ]; then
-	echo "No artifact path was provided for signing." >&2
-	exit 1
+if [ "$#" -lt 1 ]; then
+	echo "Usage: sign-windows-artifact.sh <artifact> [artifact...]" >&2
+	exit 2
 fi

-if [ -z "${JSIGN_JAR:-}" ] || [ ! -f "${JSIGN_JAR}" ]; then
-	echo "JSIGN_JAR must point to the downloaded jsign jar." >&2
-	exit 1
+if [ -z "${MRTRUST_CODESIGN_PFX_BASE64:-}" ]; then
+	echo "MRTRUST_CODESIGN_PFX_BASE64 is required." >&2
+	exit 2
 fi

-if [ -z "${MRTRUST_PFX_PATH:-}" ] || [ ! -f "${MRTRUST_PFX_PATH}" ]; then
-	echo "MRTRUST_PFX_PATH must point to the MrTrust code-signing PFX." >&2
-	exit 1
+if [ -z "${MRTRUST_CODESIGN_PFX_PASSWORD:-}" ]; then
+	echo "MRTRUST_CODESIGN_PFX_PASSWORD is required." >&2
+	exit 2
 fi

-if [ -z "${MRTRUST_PFX_PASSWORD:-}" ]; then
-	echo "MRTRUST_PFX_PASSWORD must be set." >&2
-	exit 1
+if ! command -v osslsigncode >/dev/null 2>&1; then
+	echo "osslsigncode is required for MrTrust Ubuntu runner signing." >&2
+	exit 2
 fi

-java -jar "${JSIGN_JAR}" sign \
-	--verbose \
-	--storetype PKCS12 \
-	--keystore "${MRTRUST_PFX_PATH}" \
-	--storepass env:MRTRUST_PFX_PASSWORD \
-	--tsaurl "https://timestamp.sectigo.com,http://timestamp.digicert.com" \
-	"${artifact_path}"
+work_dir="$(mktemp -d)"
+trap 'rm -rf "$work_dir"' EXIT
+
+pfx_path="$work_dir/mrtrust-codesign.pfx"
+printf '%s' "$MRTRUST_CODESIGN_PFX_BASE64" | base64 -d > "$pfx_path"
+
+timestamp_url="${MRTRUST_TIMESTAMP_URL:-http://timestamp.digicert.com}"
+
+for artifact in "$@"; do
+	if [ ! -f "$artifact" ]; then
+		echo "Artifact not found: $artifact" >&2
+		exit 2
+	fi
+
+	case "${artifact##*.}" in
+		exe | EXE | msi | MSI | dll | DLL | cat | CAT)
+			;;
+		*)
+			echo "Unsupported artifact for osslsigncode: $artifact" >&2
+			exit 2
+			;;
+	esac
+
+	signed_path="$work_dir/$(basename "$artifact").signed"
+	args=(
+		sign
+		-pkcs12 "$pfx_path"
+		-pass "$MRTRUST_CODESIGN_PFX_PASSWORD"
+		-n "MrSphay"
+		-i "https://git.wilkensxl.de/MrSphay"
+		-in "$artifact"
+		-out "$signed_path"
+	)
+
+	if [ -n "$timestamp_url" ]; then
+		args+=(-t "$timestamp_url")
+	fi
+
+	osslsigncode "${args[@]}"
+	mv "$signed_path" "$artifact"
+	echo "Signed $artifact"
+done