diff --git a/_build.sh b/_build.sh index 60e748d82..726c8f350 100755 --- a/_build.sh +++ b/_build.sh @@ -454,7 +454,11 @@ fi if [ "${_OS}" = 'win' ] && \ [ -s "${SIGN_CODE_KEY}" ]; then if command -v osslsigncode >/dev/null 2>&1; then - osslsigncode --version # We need 2.2 or newer + export _OSSLSIGNCODE=osslsigncode + "${_OSSLSIGNCODE}" --version # We need 2.2 or newer + elif [ -x "$(pwd)/osslsigncode-local" ]; then + export _OSSLSIGNCODE; _OSSLSIGNCODE="$(pwd)/osslsigncode-local" + "${_OSSLSIGNCODE}" --version elif [ -n "${SIGN_PKG_KEY_PASS:+1}" ]; then unset SIGN_CODE_KEY_PASS echo "! WARNING: osslsigncode not found, code signing disabled." diff --git a/_dl.sh b/_dl.sh index 662979e56..2d54e3f71 100755 --- a/_dl.sh +++ b/_dl.sh @@ -127,6 +127,11 @@ cat </dev/null 2>&1; then + live_dl osslsigncode "${OSSLSIGNCODE_VER_}" + live_xt osslsigncode "${OSSLSIGNCODE_HASH}" + ./osslsigncode.sh "${OSSLSIGNCODE_VER_}" +fi + rm -r -f "${gpgdir:?}" diff --git a/_sign-code.sh b/_sign-code.sh index 204d51e75..755aef121 100755 --- a/_sign-code.sh +++ b/_sign-code.sh @@ -11,7 +11,8 @@ set -o xtrace -o errexit -o nounset; [ -n "${BASH:-}${ZSH_NAME:-}" ] && set -o p # Linux: https://stackoverflow.com/questions/1732927/signed-executables-under-linux if [ "${_OS}" = 'win' ] && \ [ -s "${SIGN_CODE_KEY}" ] && \ - [ -n "${SIGN_CODE_KEY_PASS:+1}" ]; then + [ -n "${SIGN_CODE_KEY_PASS:+1}" ] && \ + [ -n "${_OSSLSIGNCODE}" ]; then _ref="$1" shift @@ -26,7 +27,7 @@ if [ "${_OS}" = 'win' ] && \ echo "Code signing: '${file}'" # Requires: osslsigncode 2.4 or newer # -ts 'https://freetsa.org/tsr' - osslsigncode sign \ + "${_OSSLSIGNCODE}" sign \ -h sha512 \ -in "${file}" -out "${file}-signed" \ -time "${unixts}" \ @@ -34,7 +35,7 @@ if [ "${_OS}" = 'win' ] && \ ${SIGN_CODE_KEY_PASS} EOF # # Create detached code signature: - # osslsigncode extract-signature \ + # "${_OSSLSIGNCODE}" extract-signature \ # -in "${file}-signed" \ # -out "${file}.p7" cp -f "${file}-signed" "${file}" 
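Review bot: The version requirement in the `osslsigncode` detection block of `_build.sh` is only printed, never checked, and the stated minimum is inconsistent: the comment here says `# We need 2.2 or newer` while `_sign-code.sh` in this same commit says `Requires: osslsigncode 2.4 or newer`. A binary found on `PATH` is preferred over the pinned, hash-verified 2.8.0 build, so an older system tool would be used for signing with nothing but a log line to show it. I would align the comment and put it on both branches, e.g. `"${_OSSLSIGNCODE}" --version  # Requires 2.4 or newer (see _sign-code.sh); logged only, not enforced`. The other branches leave `_OSSLSIGNCODE` unset, and the `if` block ends outside this hunk.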
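Review bot: The added test `[ -n "${_OSSLSIGNCODE}" ]` in the first `_sign-code.sh` hunk expands a variable that can be unset while the script runs under `set -o nounset` (visible in the hunk header context), so the script would abort with an unbound-variable error instead of skipping signing. `_build.sh` exports `_OSSLSIGNCODE` only in the two branches where a binary was found. Whether the preceding `SIGN_CODE_KEY_PASS` test always short-circuits first cannot be confirmed from the visible lines, and it would not when this script is run on its own. The default form keeps the guard's intent: `[ -n "${_OSSLSIGNCODE:-}" ]; then`. The `if` body continues beyond this hunk.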
diff --git a/_versions.sh b/_versions.sh
index 10d801120..53575e84b 100755
--- a/_versions.sh
+++ b/_versions.sh
@@ -42,6 +42,8 @@ export BORINGSSL_VER_='2db0eb3f96a5756298dcd7f9319e56a98585bd10'
 export BORINGSSL_HASH=cd240bf27450f75cd5f41c512a06297c00646cdbac9f87b604e9312771db15a6
 export LIBRESSL_VER_='3.9.2'
 export LIBRESSL_HASH=7b031dac64a59eb6ee3304f7ffb75dad33ab8c9d279c847f92c89fb846068f97
+export OSSLSIGNCODE_VER_='2.8.0'
+export OSSLSIGNCODE_HASH=d275d86bf0a8094e2c2ea451065299f965238be3cfaf3af6aff276302d759354
 export ZLIBNG_VER_='2.1.6'
 export ZLIBNG_HASH=a5d504c0d52e2e2721e7e7d86988dec2e290d723ced2307145dedd06aeb6fef2
 export ZLIB_VER_='1.3.1'
diff --git a/osslsigncode.sh b/osslsigncode.sh
new file mode 100755
index 000000000..32102146e
--- /dev/null
+++ b/osslsigncode.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Copyright (C) Viktor Szakats. See LICENSE.md
+# SPDX-License-Identifier: MIT
+
+# shellcheck disable=SC3040,SC2039
+set -o xtrace -o errexit -o nounset; [ -n "${BASH:-}${ZSH_NAME:-}" ] && set -o pipefail
+
+_NAM="$(basename "$0" | cut -f 1 -d '.')"
+_VER="$1"
+
+(
+ cd "${_NAM}" || exit 0
+
+ gcc -O3 \
+ osslsigncode.c helpers.c utf.c msi.c pe.c cab.c cat.c appx.c script.c \
+ -o ../osslsigncode-local \
+ -DHAVE_SYS_MMAN_H \
+ -lcrypto -lz
+)
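Review bot: `cd "${_NAM}" || exit 0` in the new `osslsigncode.sh` makes the script report success when the source directory is missing, so a failed download or extraction produces no `osslsigncode-local` and no error. `_build.sh` would then not find the tool, and from the visible branches the likely outcome is its "code signing disabled" warning, meaning the Windows binaries go out unsigned without the build failing. If a silent skip is not intended here, use `cd "${_NAM}" || exit 1`. `_VER="$1"` is assigned but never read, so it should be dropped or given a comment saying why it is kept. A short header comment would also help, noting that this builds a host-native signing tool with the host `gcc` against the host's `libcrypto` and `libz`.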