Sign Windows releases with MrTrust certificate

2026-05-16 01:15:02 +02:00
parent 312dee9f24
commit e66aa3d128
8 changed files with 82 additions and 14 deletions
--- a/apps/app/scripts/sign-windows-artifact.sh
+++ b/apps/app/scripts/sign-windows-artifact.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+artifact_path="${1:-}"
+if [ -z "${artifact_path}" ]; then
+	echo "No artifact path was provided for signing." >&2
+	exit 1
+fi
+
+if [ -z "${JSIGN_JAR:-}" ] || [ ! -f "${JSIGN_JAR}" ]; then
+	echo "JSIGN_JAR must point to the downloaded jsign jar." >&2
+	exit 1
+fi
+
+if [ -z "${MRTRUST_PFX_PATH:-}" ] || [ ! -f "${MRTRUST_PFX_PATH}" ]; then
+	echo "MRTRUST_PFX_PATH must point to the MrTrust code-signing PFX." >&2
+	exit 1
+fi
+
+if [ -z "${MRTRUST_PFX_PASSWORD:-}" ]; then
+	echo "MRTRUST_PFX_PASSWORD must be set." >&2
+	exit 1
+fi
+
+java -jar "${JSIGN_JAR}" sign \
+	--verbose \
+	--storetype PKCS12 \
+	--keystore "${MRTRUST_PFX_PATH}" \
+	--storepass env:MRTRUST_PFX_PASSWORD \
+	--tsaurl "https://timestamp.sectigo.com,http://timestamp.digicert.com" \
+	"${artifact_path}"