package do
import (
"os"
"os/exec"
"path/filepath"
"strings"
"time"
)
// runCmdLogged wires cmd's stdout and stderr to this process's own streams,
// logs the command line that is about to run, and then runs it to completion.
//
// The returned error is whatever cmd.Run reports (nil on a zero exit).
func runCmdLogged(cmd *exec.Cmd) error {
	cmd.Stderr = os.Stderr
	cmd.Stdout = os.Stdout
	logf("> %s\n", cmd.String())
	if err := cmd.Run(); err != nil {
		return err
	}
	return nil
}
// https://zabkat.com/blog/code-signing-sha1-armageddon.htm
// signtool sign /n "subject name" /t http://timestamp.comodoca.com/authenticode myInstaller.exe
// signtool sign /n "subject name" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /as myInstaller.exe
// signtool args (https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx):
//
// /as : append signature
// /n ${name} : name of the certificate, must be installed in the cert store
// /fd ${alg} : specify digest algo, default is sha1, SHA256 is recommended
// /t ${url} : timestamp server
// /tr ${url} : timestamp rfc 3161 server
// /td ${alg} : for /tr, must be after /tr
// /du ${url} : URL for expanded description of the signed content
// /v : verbose
// /debug : show debugging info
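// signFiles Authenticode-signs files (paths relative to dir) with signtool.
//
// The signing certificate is selected from the local certificate store by
// its SHA-1 thumbprint (the "/sha1" argument). The thumbprint is a public
// identifier, not a secret, but it pins this build script to one certificate,
// so a renewed or re-issued certificate requires updating that value. The
// file digest is sha256 ("/fd") and an RFC 3161 timestamp ("/tr", "/td") is
// requested so the signature remains valid after the certificate expires.
//
// signtool is run up to three times, pausing 15 seconds between attempts,
// because signing can fail on a transient timestamp-server error ("The
// specified timestamp server either could not be reached or ..."). Returns
// nil on the first success, otherwise the error from the last attempt. An
// empty files list is a no-op that returns nil.
func signFiles(dir string, files []string) error {
	const (
		attempts   = 3
		retryDelay = 15 * time.Second
	)
	if len(files) == 0 {
		logf("signFiles: nothing to sign in '%s'\n", dir)
		return nil
	}
	signtoolPath := detectSigntoolPathMust()
	desc := "https://www.sumatrapdfreader.org"
	signServer := "http://time.certum.pl/"

	// Note: not signing with sha1 for pre-win-7; we don't support win7
	// anymore. Sign with sha256 only (Windows 7+ after Jan 2016):
	// https://files.certum.eu/documents/manual_pl/CS-Code_Signing_w_chmurze_Podpisywanie_signtool_jarsigner.pdf
	// The argument list does not change between attempts, so build it once.
	args := []string{"sign",
		"/sha1",
		"e1e6883f78bf923b92f21a71fd33a452c9ed7dd0",
		"/tr", signServer,
		"/du", desc,
		//"/n", "Krzysztof Kowalczyk",
		"/td", "sha256",
		"/fd", "sha256",
		"/debug",
		"/v",
	}
	args = append(args, files...)

	var err error
	for i := 0; i < attempts; i++ {
		// A fresh exec.Cmd per attempt: a Cmd cannot be re-run after Run.
		cmd := exec.Command(signtoolPath, args...)
		cmd.Dir = dir
		err = runCmdLogged(cmd)
		if err == nil {
			return nil
		}
		if i == attempts-1 {
			// Last attempt failed: report it without a pointless final sleep.
			break
		}
		logf("signFiles: failed with: '%s', will retry in 15 seconds\n", err)
		time.Sleep(retryDelay)
	}
	return err
}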
// shouldSign reports whether directory entry f is something we code-sign:
// a non-directory entry whose name ends in ".exe" or ".msix".
func shouldSign(f os.DirEntry) bool {
	if f.IsDir() {
		return false
	}
	switch filepath.Ext(f.Name()) {
	case ".exe", ".msix":
		return true
	}
	return false
}
// signExesInDir signs every .exe and .msix file directly inside dir (no
// recursion into subdirectories) via signFiles.
//
// Returns the os.ReadDir error if dir cannot be listed, otherwise whatever
// signFiles returns.
func signExesInDir(dir string) error {
	logf("signing exes in '%s'\n", dir)
	entries, err := os.ReadDir(dir)
	if err != nil {
		return err
	}
	var toSign []string
	for _, e := range entries {
		if !shouldSign(e) {
			continue
		}
		toSign = append(toSign, e.Name())
	}
	logf("to sign: %s\n", strings.Join(toSign, ", "))
	return signFiles(dir, toSign)
}