#!/bin/sh # gpg-authcode-sign.sh - Wrapper for osslsigncode # Copyright (C) 2024 g10 Code GmbH # # This file is free software; as a special exception the author gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. VERSION=2024-06-10 PGM=gpg-authcode-sign.sh set -e usage() { cat <&2 ;; *) break ;; esac shift done if [ $# -ne 2 ]; then usage 1 1>&2 fi inname="$1" outname="$2" shift if [ ! -f $autogenrc ]; then echo >&2 "$PGM: error: '$autogenrc' missing" echo >&2 "$PGM: hint: use option --template" exit 1 fi # Define the cleanup routine for osslsigncode cleanup() { if [ -n "$outname" -a -f "${outname}.tmp" ]; then echo >&2 "Cleaning up: Removing ${outname}.tmp" rm -f "${outname}.tmp" fi } # Trap common signals and exit to run the cleanup trap cleanup 0 INT TERM for v in AUTHENTICODE_SIGNHOST AUTHENTICODE_TOOL AUTHENTICODE_TSURL \ AUTHENTICODE_KEY AUTHENTICODE_CERTS VERSION_SIGNKEY \ OSSLSIGNCODE OSSLPKCS11ENGINE SCUTEMODULE ; do eval $v=$(grep '^[[:blank:]]*'$v'[[:blank:]]*=' "$autogenrc"|cut -d= -f2\ |sed -e 's,\\,\\\\,g'| sed -e 's,^",'\', -e 's,"$,'\',) done if [ "$stamp" = yes ]; then if [ "$outname.asig-done" -nt "$outname" ]; then echo >&2 "$PGM: file is '$outname' is already signed" exit 0 fi fi waittime=2 if [ -n "$dryrun" ]; then echo >&2 "$PGM: would sign: '$inname' to '$outname'" elif [ $(wc -c < "$inname" ) -lt 256 ]; then echo >&2 "$PGM: skipping '$inname' which is too short" elif [ -n "$AUTHENTICODE_SIGNHOST" ]; then echo >&2 "$PGM: Signing via host $AUTHENTICODE_SIGNHOST" scp "$inname" "$AUTHENTICODE_SIGNHOST:a.exe" # Invoke command on Windows via ssh ssh "$AUTHENTICODE_SIGNHOST" \""$AUTHENTICODE_TOOL"\" sign \ /v /sm \ /a /n '"g10 Code GmbH"' \ /tr \""$AUTHENTICODE_TSURL"\" /td sha256 \ /d \""$desc"\" \ /fd sha256 /du https://gnupg.com a.exe scp "$AUTHENTICODE_SIGNHOST:a.exe" "$outname" elif [ "$AUTHENTICODE_KEY" = card ]; then echo >&2 "$PGM: Signing using a card: '$inname'" if echo "$inname" | egrep 'dll-e?x$' >/dev/null ; then # osslsignecode does not like *.dll-x and *.dll-ex cp "$inname" "$inname.tmp.dll" inname="$inname.tmp.dll" fi while ! "$OSSLSIGNCODE" sign \ -pkcs11engine "$OSSLPKCS11ENGINE" \ -pkcs11module "$SCUTEMODULE" \ -certs "$AUTHENTICODE_CERTS" \ -h sha256 -n "$desc" -i "$url" \ -ts "$AUTHENTICODE_TSURL" \ -in "$inname" -out "$outname.tmp" 2> $outname.tmp.log ; do cat >&2 $outname.tmp.log if ! grep 'HTTP status 500' $outname.tmp.log >/dev/null ; then echo >&2 "$PGM: signing failed - see above" exit 2 fi if [ $waittime -ge 32 ]; then echo >&2 "$PGM: signing failed - giving up" exit 2 fi echo >&2 "$PGM: signing failed - waiting ${waittime}s before next try" sleep $waittime waittime=$(( $waittime * 2 )) done [ -f "$inname.tmp.dll" ] && rm "$inname.tmp.dll" rm "$outname.tmp.log" cp "$outname.tmp" "$outname" rm "$outname.tmp" elif [ "$AUTHENTICODE_KEY" = none ]; then echo >&2 "$PGM: Signing disabled; would sign: '$inname'" [ "$inname" != "$outname" ] && cp "$inname" "$outname" elif [ -n $(echo "$AUTHENTICODE_KEY" | egrep "\.(pfx|p12)$") ]; then echo >&2 "$PGM: Signing using PKCS#12 container $AUTHENTICODE_KEY" osslsigncode sign -certs "$AUTHENTICODE_CERTS" \ -pkcs12 "$AUTHENTICODE_KEY" -askpass \ -ts "$AUTHENTICODE_TSURL" \ -h sha256 -n "$desc" -i "$url" \ -in "$inname" -out "$outname.tmp" cp "$outname.tmp" "$outname" rm "$outname.tmp" else echo >&2 "$PGM: Signing using unprotected key $AUTHENTICODE_KEY" osslsigncode sign -certs "$AUTHENTICODE_CERTS" \ -key "$AUTHENTICODE_KEY" \ -ts "$AUTHENTICODE_TSURL" \ -h sha256 -n "$desc" -i "$url" \ -in "$inname" -out "$outname.tmp" cp "$outname.tmp" "$outname" rm "$outname.tmp" fi if [ -z "$dryrun" ]; then [ "$stamp" = yes ] && touch "$outname.asig-done" echo >&2 "$PGM: signed file is '$outname'" fi # eof