1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

build-aux: Add PKCS#8 authenticode key support

* tools/gpg-authcode-sign.sh: Assume PKCS#8 if the key file
does not end with .p12 or .pfx.

--
Since using encrypted PKCS#12 containers with askpass
is unpractical when signing many files. This adds support
to use an PKCS#8 key for codesigning.
This commit is contained in:
Andre Heinecke 2024-08-13 12:34:23 +02:00
parent 536fc8d33d
commit 3d015d106f
No known key found for this signature in database
GPG Key ID: 2978E9D40CBABA5C

View File

@ -261,9 +261,9 @@ elif [ "$AUTHENTICODE_KEY" = none ]; then
echo >&2 "$PGM: Signing disabled; would sign: '$inname'" echo >&2 "$PGM: Signing disabled; would sign: '$inname'"
[ "$inname" != "$outname" ] && cp "$inname" "$outname" [ "$inname" != "$outname" ] && cp "$inname" "$outname"
else elif [[ "$AUTHENTICODE_KEY" =~ \.p12$ || "$AUTHENTICODE_KEY" =~ \.pfx$ ]]; then
echo >&2 "$PGM: Signing using key $AUTHENTICODE_KEY" echo >&2 "$PGM: Signing using PKCS#12 container $AUTHENTICODE_KEY"
osslsigncode sign -certs "$AUTHENTICODE_CERTS" \ osslsigncode sign -certs "$AUTHENTICODE_CERTS" \
-pkcs12 "$AUTHENTICODE_KEY" -askpass \ -pkcs12 "$AUTHENTICODE_KEY" -askpass \
-ts "$AUTHENTICODE_TSURL" \ -ts "$AUTHENTICODE_TSURL" \
@ -272,6 +272,17 @@ else
cp "$outname.tmp" "$outname" cp "$outname.tmp" "$outname"
rm "$outname.tmp" rm "$outname.tmp"
else
echo >&2 "$PGM: Signing using unprotected key $AUTHENTICODE_KEY"
osslsigncode sign -certs "$AUTHENTICODE_CERTS" \
-key "$AUTHENTICODE_KEY" \
-ts "$AUTHENTICODE_TSURL" \
-h sha256 -n "$desc" -i "$url" \
-in "$inname" -out "$outname.tmp"
cp "$outname.tmp" "$outname"
rm "$outname.tmp"
fi fi
if [ -z "$dryrun" ]; then if [ -z "$dryrun" ]; then