mirror of
https://github.com/baldurk/renderdoc.git
synced 2026-05-04 17:10:47 +00:00
baldurk
109 lines
3.2 KiB
Bash
Executable File
109 lines
3.2 KiB
Bash
Executable File
#!/bin/bash
|
|
# Script to sign a file using the key.pfx certificate
|
|
if [ $# -ne 1 ] ; then
|
|
echo Usage: $0 file
|
|
exit 1
|
|
fi
|
|
|
|
# Make sure the file exists
|
|
if [ ! -f $1 ] ; then
|
|
echo File $1 does not exist
|
|
exit 1
|
|
fi
|
|
|
|
if ! which signtool.exe >/dev/null 2>&1; then
|
|
echo "Can't find signtool.exe in PATH"
|
|
exit 0
|
|
fi
|
|
|
|
PRIVATE_SIGN=0
|
|
CLOUD_SIGN=0
|
|
if [ -f "${BUILD_ROOT}"/support/key.pass ] && [ -f "${BUILD_ROOT}"/support/key.pfx ] ; then
|
|
PRIVATE_SIGN=1
|
|
echo Using private key signing with key.pfx and key.pass
|
|
|
|
PASS=$(cat "${BUILD_ROOT}"/support/key.pass)
|
|
|
|
KEYFILE="${BUILD_ROOT}"/support/key.pfx
|
|
KEYFILE=$(native_path "${KEYFILE}")
|
|
elif [ -f "${BUILD_ROOT}"/support/key.name ] && [ -f "${BUILD_ROOT}"/support/public.crt ] ; then
|
|
CLOUD_SIGN=1
|
|
echo Using cloud signing with key.name and public.crt
|
|
|
|
KEYNAME=$(cat "${BUILD_ROOT}"/support/key.name)
|
|
PUBFILE="${BUILD_ROOT}"/support/public.crt
|
|
PUBFILE=$(native_path "${PUBFILE}")
|
|
else
|
|
echo No signing mechanism found, expected key.pfx+key.pass or key.name+public.crt
|
|
exit 1
|
|
fi
|
|
|
|
sign_file() {
|
|
if [ "$PRIVATE_SIGN" == "1" ]; then
|
|
signtool.exe sign /d RenderDoc /f "${KEYFILE}" /fd sha256 /p $PASS /tr $TSS /td sha256 "${INPUTFILE}"
|
|
elif [ "$CLOUD_SIGN" == "1" ]; then
|
|
timeout 5 signtool.exe sign /d RenderDoc /f "${PUBFILE}" /fd sha256 /tr $TSS /td sha256 /csp "Google Cloud KMS Provider" /kc "${KEYNAME}" "${INPUTFILE}"
|
|
fi
|
|
signtool.exe verify /pa "$INPUTFILE" >/dev/null 2>&1
|
|
return $?
|
|
}
|
|
|
|
INPUTFILE="$1"
|
|
|
|
# Don't convert any arguments automatically, convert paths if needed
|
|
MSYS2_ARG_CONV_EXCL="*"
|
|
|
|
INPUTFILE=$(native_path "${INPUTFILE}")
|
|
|
|
# First check to see if it is already signed.
|
|
# An exit value of 1 from signtool indicates it is not signed.
|
|
signtool.exe verify /pa "$INPUTFILE" >/dev/null 2>&1
|
|
if [ $? -eq 1 ] ; then
|
|
|
|
# This is the list of timestamp servers to try.
|
|
# Sometime the signing operation fails because we can't contact the
|
|
# timestamp server, so we try several servers.
|
|
TSSLIST=(
|
|
http://timestamp.comodoca.com/rfc3161
|
|
http://timestamp.digicert.com
|
|
http://tsa.starfieldtech.com
|
|
http://timestamp.geotrust.com/tsa)
|
|
|
|
TSS=${TSSLIST[0]}
|
|
echo Signing $INPUTFILE using timestamp server $TSS ...
|
|
sleep 1
|
|
sign_file
|
|
if [ $? -eq 0 ] ; then
|
|
# Successfully signed, return success
|
|
exit 0
|
|
fi
|
|
|
|
for RETRY in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 ; do
|
|
|
|
# Sometimes signtool returns failure, but the file was already signed.
|
|
# Not sure why that happens. Since the file is now signed, return successs.
|
|
sleep 1
|
|
signtool.exe verify /pa "$INPUTFILE" >/dev/null 2>&1
|
|
if [ $? -eq 0 ] ; then
|
|
echo Signing returned failure, but file was signed. Returning success.
|
|
exit 0
|
|
fi
|
|
|
|
# Retry with a different timestamp server.
|
|
TSS=${TSSLIST[`expr $RETRY % ${#TSSLIST[@]}`]}
|
|
echo Signing failed, retry $RETRY. Using timestamp server $TSS ...
|
|
sleep 4
|
|
echo Retrying signing of $1
|
|
sign_file
|
|
if [ $? -eq 0 ] ; then
|
|
# Successfully signed, return success
|
|
exit 0
|
|
fi
|
|
done
|
|
# We didn't sign the file succesfully
|
|
exit 1
|
|
else
|
|
echo Signing of $INPUTFILE skipped, already signed...
|
|
exit 0
|
|
fi
|