66 lines
1.4 KiB
Bash
66 lines
1.4 KiB
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
if [ "$#" -lt 1 ]; then
|
|
echo "Usage: sign-windows-artifact.sh <artifact> [artifact...]" >&2
|
|
exit 2
|
|
fi
|
|
|
|
if [ -z "${MRTRUST_CODESIGN_PFX_BASE64:-}" ]; then
|
|
echo "MRTRUST_CODESIGN_PFX_BASE64 is required." >&2
|
|
exit 2
|
|
fi
|
|
|
|
if [ -z "${MRTRUST_CODESIGN_PFX_PASSWORD:-}" ]; then
|
|
echo "MRTRUST_CODESIGN_PFX_PASSWORD is required." >&2
|
|
exit 2
|
|
fi
|
|
|
|
if ! command -v osslsigncode >/dev/null 2>&1; then
|
|
echo "osslsigncode is required for MrTrust Ubuntu runner signing." >&2
|
|
exit 2
|
|
fi
|
|
|
|
work_dir="$(mktemp -d)"
|
|
trap 'rm -rf "$work_dir"' EXIT
|
|
|
|
pfx_path="$work_dir/mrtrust-codesign.pfx"
|
|
printf '%s' "$MRTRUST_CODESIGN_PFX_BASE64" | base64 -d > "$pfx_path"
|
|
|
|
timestamp_url="${MRTRUST_TIMESTAMP_URL:-http://timestamp.digicert.com}"
|
|
|
|
for artifact in "$@"; do
|
|
if [ ! -f "$artifact" ]; then
|
|
echo "Artifact not found: $artifact" >&2
|
|
exit 2
|
|
fi
|
|
|
|
case "${artifact##*.}" in
|
|
exe | EXE | msi | MSI | dll | DLL | cat | CAT)
|
|
;;
|
|
*)
|
|
echo "Unsupported artifact for osslsigncode: $artifact" >&2
|
|
exit 2
|
|
;;
|
|
esac
|
|
|
|
signed_path="$work_dir/$(basename "$artifact").signed"
|
|
args=(
|
|
sign
|
|
-pkcs12 "$pfx_path"
|
|
-pass "$MRTRUST_CODESIGN_PFX_PASSWORD"
|
|
-n "MrSphay"
|
|
-i "https://git.wilkensxl.de/MrSphay"
|
|
-in "$artifact"
|
|
-out "$signed_path"
|
|
)
|
|
|
|
if [ -n "$timestamp_url" ]; then
|
|
args+=(-t "$timestamp_url")
|
|
fi
|
|
|
|
osslsigncode "${args[@]}"
|
|
mv "$signed_path" "$artifact"
|
|
echo "Signed $artifact"
|
|
done
|