-
Notifications
You must be signed in to change notification settings - Fork 14
/
codesign.bash
executable file
·79 lines (68 loc) · 2.7 KB
/
codesign.bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#!/usr/bin/env bash
# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!!
# eSignerCKAを使ってコード署名する
set -eu
if [ ! -v ESIGNERCKA_USERNAME ]; then # eSignerCKAのユーザー名
echo "ESIGNERCKA_USERNAMEが未定義です"
exit 1
fi
if [ ! -v ESIGNERCKA_PASSWORD ]; then # eSignerCKAのパスワード
echo "ESIGNERCKA_PASSWORDが未定義です"
exit 1
fi
if [ ! -v ESIGNERCKA_TOTP_SECRET ]; then # eSignerCKAのTOTP Secret
echo "ESIGNERCKA_TOTP_SECRETが未定義です"
exit 1
fi
if [ $# -ne 1 ]; then
echo "引数の数が一致しません"
exit 1
fi
target_file_glob="$1"
# eSignerCKAのセットアップ
INSTALL_DIR='..\eSignerCKA'
if [ ! -d "$INSTALL_DIR" ]; then
curl -LO "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
unzip -o SSL.COM-eSigner-CKA_1.0.6.zip
mv ./*eSigner*CKA_*.exe eSigner_CKA_Installer.exe
powershell "
& ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR='$INSTALL_DIR' | Out-Null
& '$INSTALL_DIR\eSignerCKATool.exe' config -mode product -user '$ESIGNERCKA_USERNAME' -pass '$ESIGNERCKA_PASSWORD' -totp '$ESIGNERCKA_TOTP_SECRET' -key '$INSTALL_DIR\master.key' -r
& '$INSTALL_DIR\eSignerCKATool.exe' unload
"
rm SSL.COM-eSigner-CKA_1.0.6.zip eSigner_CKA_Installer.exe
fi
# 証明書を読み込む
powershell "& '$INSTALL_DIR\eSignerCKATool.exe' load"
# shellcheck disable=SC2016
THUMBPRINT=$(
powershell '
$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
echo "$($CodeSigningCert.Thumbprint)"
'
)
# 指定ファイルに署名する
function codesign() {
TARGET="$1"
# shellcheck disable=SC2012
SIGNTOOL=$(ls "C:/Program Files (x86)/Windows Kits/"10/bin/*/x86/signtool.exe | sort -V | tail -n 1) # なぜかこれじゃないと動かない
powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /sha1 '$THUMBPRINT' '$TARGET'"
}
# 指定ファイルが署名されているか
function is_signed() {
TARGET="$1"
SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1)
powershell "& '$SIGNTOOL' verify /pa '$TARGET'" >/dev/null 2>&1 || return 1
}
# 署名されていなければ署名
# shellcheck disable=SC2012,SC2086
ls $target_file_glob | while read -r target_file; do
if is_signed "$target_file"; then
echo "署名済み: $target_file"
else
echo "署名開始: $target_file"
codesign "$target_file"
fi
done
# 証明書を破棄
powershell "& '$INSTALL_DIR\eSignerCKATool.exe' unload"