File: sign

gh 2.46.0-4
#!/bin/bash
# usage: script/sign <file>
#
# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool, and signs
# Windows EXE and MSI files using osslsigncode.
#
# More than one file may be passed; each argument is handled in turn.
#
# Environment read by this script:
#   CERT_FILE, CERT_PASSWORD     PKCS#12 certificate and its password (Windows signing)
#   APPLE_DEVELOPER_ID           codesign identity, also sent to notarytool as the team id
#   APPLE_ID, APPLE_ID_PASSWORD  credentials for notarytool submissions
#
# When CERT_FILE or APPLE_DEVELOPER_ID is unset, the matching signing step is skipped with a
# message on stderr and a zero status, so a successful run does not by itself show that a file
# was signed. Release jobs that require signed artifacts need a separate check.
#
# Abort on the first command that fails outside a conditional context.
set -e

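#######################################
# Authenticode-sign a Windows EXE or MSI in place with osslsigncode.
# Globals:
#   CERT_FILE     (read) path to the PKCS#12 signing certificate; when unset
#                 or empty, signing is skipped and the function succeeds
#   CERT_PASSWORD (read) password for CERT_FILE; required once CERT_FILE is set
# Arguments:
#   $1 - path of the file to sign; replaced by the signed copy on success
# Outputs:
#   diagnostics on stderr
# Returns:
#   0 when the file was signed or signing was skipped, 1 when the certificate
#   or password is missing, otherwise the status of osslsigncode or mv
#######################################
sign_windows() {
  local input=$1
  local signed="${input}~"
  local status=0

  if [ -z "$CERT_FILE" ]; then
    echo "skipping Windows code-signing; CERT_FILE not set" >&2
    return 0
  fi

  if [ ! -f "$CERT_FILE" ]; then
    echo "error Windows code-signing; file '$CERT_FILE' not found" >&2
    return 1
  fi

  if [ -z "$CERT_PASSWORD" ]; then
    echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
    return 1
  fi

  # The password is handed over through a process substitution, so
  # osslsigncode receives a file-descriptor path rather than the secret on its
  # command line.
  # NOTE(review): the timestamp URL is plain HTTP; confirm that relying on the
  # signed timestamp response alone is acceptable for the build network.
  osslsigncode sign -n "GitHub CLI" -t http://timestamp.digicert.com \
    -pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
    -in "$input" -out "$signed" || status=$?

  # Check the result explicitly instead of relying on `set -e`, which is
  # ignored when the caller runs this function in a conditional context. A
  # failed run must never replace the input, and a partial output file must
  # not be left behind where it could be mistaken for a signed artifact.
  if [ "$status" -ne 0 ]; then
    rm -f -- "$signed"
    echo "error Windows code-signing; osslsigncode failed for '$input'" >&2
    return "$status"
  fi

  mv -- "$signed" "$input"
}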

#######################################
# Notarize a macOS zip archive, or code-sign any other macOS file.
# Globals:
#   APPLE_DEVELOPER_ID (read) signing identity for codesign and team id for
#                      notarytool; when unset or empty the step is skipped
#   APPLE_ID           (read) Apple ID used for the notarytool submission
#   APPLE_ID_PASSWORD  (read) password passed to notarytool
# Arguments:
#   $1 - path of the file; names ending in .zip are submitted for
#        notarization, everything else is signed with codesign
# Outputs:
#   skip message on stderr
# Returns:
#   0 when skipped, otherwise the status of xcrun or codesign
#######################################
sign_macos() {
  local target=$1

  if [ -z "$APPLE_DEVELOPER_ID" ]; then
    echo "skipping macOS code-signing; APPLE_DEVELOPER_ID not set" >&2
    return 0
  fi

  case "$target" in
    *.zip)
      # `${VAR?}` stops with an error when a required credential is unset.
      # NOTE(review): the password travels on notarytool's command line, where
      # it can show up in process listings and `set -x` traces; notarytool's
      # --keychain-profile option avoids that. No --wait is passed, so whether
      # the notarization result is checked elsewhere should be confirmed.
      xcrun notarytool submit "$target" \
        --apple-id "${APPLE_ID?}" \
        --team-id "${APPLE_DEVELOPER_ID?}" \
        --password "${APPLE_ID_PASSWORD?}"
      ;;
    *)
      # Hardened-runtime signature with a secure timestamp.
      codesign --timestamp --options=runtime \
        -s "${APPLE_DEVELOPER_ID?}" -v "$target"
      ;;
  esac
}

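# Entry point: require at least one file, then sign each argument in turn.
if [ $# -eq 0 ]; then
  echo "usage: script/sign <file>" >&2
  exit 1
fi

# The kernel name decides whether the macOS tooling can be used on this host.
platform="$(uname -s)"

# `for input_file` without an `in` list walks the positional parameters.
for input_file; do
  case "$input_file" in
  *.exe | *.msi )
    # Windows artifacts go through osslsigncode regardless of host platform.
    sign_windows "$input_file"
    ;;
  * )
    if [ "$platform" = "Darwin" ]; then
      sign_macos "$input_file"
    else
      # Name the file actually being processed: "$1" always reported the first
      # argument, and a stray comma was printed after it.
      # NOTE(review): this is only a warning and the status stays 0, so an
      # unsigned file does not fail the run; confirm that release jobs verify
      # signatures separately.
      printf "warning: don't know how to sign %s on %s\n" "$input_file" "$platform" >&2
    fi
    ;;
  esac
done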