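#!/bin/bash
# Sign a single file with signtool.exe using the key.pfx certificate.
#
# Usage:  <this script> file
# Reads:  ${BUILD_ROOT}/support/key.pfx   signing certificate
#         ${BUILD_ROOT}/support/key.pass  password for key.pfx
# Needs:  signtool.exe in PATH, and a native_path helper supplied by the
#         caller (it is not defined in this script).
# Exit:   0 when the file ends up signed or was already signed (also 0 when
#         signtool.exe is missing, see the note at that check); 1 otherwise.
#
# Do not enable `set -x` here: the trace would print the key password.

if [ $# -ne 1 ]; then
  printf 'Usage: %s file\n' "$0"
  exit 1
fi

# Make sure the file exists. Quoted so paths with spaces or glob characters
# are tested as a single word.
if [ ! -f "$1" ]; then
  printf 'File %s does not exist\n' "$1"
  exit 1
fi

if ! command -v signtool.exe >/dev/null 2>&1; then
  echo "Can't find signtool.exe in PATH"
  # NOTE(review): this reports success although nothing was signed. Kept
  # because callers may rely on it for machines without the SDK; a release
  # pipeline should verify the signature on its artifacts separately.
  exit 0
fi

# An empty BUILD_ROOT would make the key paths resolve under "/support".
if [ -z "${BUILD_ROOT:-}" ]; then
  echo "BUILD_ROOT is not set"
  exit 1
fi

if [ ! -f "${BUILD_ROOT}/support/key.pass" ] || [ ! -f "${BUILD_ROOT}/support/key.pfx" ]; then
  echo "Key key.pfx / key.pass does not exist"
  exit 1
fi

# signtool only accepts the PFX password as a command-line argument (/p), so
# it is visible in the process list while signtool runs. Keep key.pass and
# key.pfx readable by the build account only.
PASS=$(cat "${BUILD_ROOT}/support/key.pass")
KEYFILE="${BUILD_ROOT}/support/key.pfx"
INPUTFILE="$1"

# Don't convert any arguments automatically, convert paths if needed.
# Exported so the setting reaches signtool.exe; a plain assignment only takes
# effect in child processes if the caller had already exported the variable.
export MSYS2_ARG_CONV_EXCL="*"
KEYFILE=$(native_path "${KEYFILE}")
INPUTFILE=$(native_path "${INPUTFILE}")

# This is the list of timestamp servers to try.
# Sometimes the signing operation fails because we can't contact the
# timestamp server, so we try several servers.
TSSLIST=(
  http://timestamp.comodoca.com/rfc3161
  http://timestamp.digicert.com
  http://tsa.starfieldtech.com
  http://timestamp.geotrust.com/tsa
)

# Run one signing attempt against the timestamp server given as $1.
# Every attempt uses the same flags, so a retried signature also uses SHA-256
# for the file digest (/fd) and the timestamp digest (/td).
sign_once() {
  signtool.exe sign /d RenderDoc /f "${KEYFILE}" /fd sha256 /p "${PASS}" \
    /tr "$1" /td sha256 "${INPUTFILE}"
}

# First check to see if it is already signed.
# An exit value of 1 from signtool indicates it is not signed.
signtool.exe verify /pa "${INPUTFILE}" >/dev/null 2>&1
verify_status=$?
if [ "${verify_status}" -ne 1 ]; then
  # NOTE(review): every status other than 1 is treated as "already signed",
  # including statuses that are neither 0 nor 1. Behaviour kept unchanged;
  # confirm this is intended.
  printf 'Signing of %s skipped, already signed...\n' "${INPUTFILE}"
  exit 0
fi

TSS=${TSSLIST[0]}
printf 'Signing %s using timestamp server %s ...\n' "${INPUTFILE}" "${TSS}"
sleep 1
if sign_once "${TSS}"; then
  # Successfully signed, return success
  exit 0
fi

for RETRY in {0..15}; do
  # Sometimes signtool returns failure, but the file was already signed.
  # Not sure why that happens. Since the file is now signed, return success.
  sleep 1
  if signtool.exe verify /pa "${INPUTFILE}" >/dev/null 2>&1; then
    echo "Signing returned failure, but file was signed. Returning success."
    exit 0
  fi

  # Retry with a different timestamp server, cycling through the list.
  TSS=${TSSLIST[$((RETRY % ${#TSSLIST[@]}))]}
  printf 'Signing failed, retry %s. Using timestamp server %s ...\n' "${RETRY}" "${TSS}"
  sleep 4
  printf 'Retrying signing of %s\n' "$1"
  if sign_once "${TSS}"; then
    # Successfully signed, return success
    exit 0
  fi
done

# We didn't sign the file successfully
exit 1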