Generalize code signing script
It now supports macOS (where there are several steps),
as well as Linux (where there are no steps whatsoever).
ctrueden committed Jan 4, 2025
1 parent cfc3ea5 commit bd7671b
Showing 2 changed files with 91 additions and 37 deletions.
107 changes: 70 additions & 37 deletions bin/sign.sh
100644 → 100755
@@ -6,41 +6,74 @@ echo -e "\033[1;33m[sign]\033[0m"

appDir=app

if [ ! "$THUMBPRINT" ]; then
echo "[ERROR] THUMBPRINT environment variable unset; cannot sign EXEs."
exit 1
fi

# Find the correct signtool.exe.
arch=$(uname -m)
case "$arch" in
x86_64) arch=x64 ;;
sign_linux() {
echo "[INFO] Signing complete! Nothing was signed, because Linux binaries just work,"
echo "[INFO] without invasively asking for permission from corporate overlords."
}

sign_macos() {
if [ ! "$DEV_ID" ]
then
echo "[ERROR] DEV_ID environment variable unset; cannot sign executables."
exit 1
fi
for exe in "$appDir/Contents/MacOS/"*-macos-*
do
codesign --force --options runtime \
--entitlements sign/entitlements.plist \
--sign "$DEV_ID" "$exe"
codesign -vv "$exe"
done

echo "[INFO] Signing complete!"
}

sign_windows() {
if [ ! "$THUMBPRINT" ]; then
echo "[ERROR] THUMBPRINT environment variable unset; cannot sign EXEs."
exit 1
fi

# Find the correct signtool.exe.
arch=$(uname -m)
case "$arch" in
x86_64) arch=x64 ;;
esac
signtool=$(
find '/c/Program Files'*'/Windows Kits' -name signtool.exe |
grep "/$arch/" | head -n1
)

if [ -f "$signtool" ]
then
echo "Found signtool.exe at: $signtool"
else
echo "[ERROR] signtool.exe not found at: $signtool"
exit 1
fi

if [ ! "$TIMESTAMP_SERVER" ]; then
TIMESTAMP_SERVER="http://time.certum.pl/"
fi

"$signtool" sign /sha1 "$THUMBPRINT" \
/tr "$TIMESTAMP_SERVER" \
/td SHA256 /fd SHA256 /v \
"$appDir\\"*.exe \
"$appDir\\jaunch\\jaunch-windows-"*.exe &&

"$signtool" verify /pa /all \
"$appDir\\"*.exe \
"$appDir\\jaunch\\jaunch-windows-"*.exe

echo "[INFO] Signing complete!"
}

case "$(uname -s)" in
Linux) sign_linux ;;
Darwin) sign_macos ;;
MINGW*|MSYS*) sign_windows ;;
*)
echo "[WARNING] Don't know how to sign binaries for platform: $(uname -s)"
;;
esac
signtool=$(
find '/c/Program Files'*'/Windows Kits' -name signtool.exe |
grep "/$arch/" | head -n1
)

if [ -f "$signtool" ]
then
echo "Found signtool.exe at: $signtool"
else
echo "[ERROR] signtool.exe not found at: $signtool"
exit 1
fi

if [ ! "$TIMESTAMP_SERVER" ]; then
TIMESTAMP_SERVER="http://time.certum.pl/"
fi

"$signtool" sign /sha1 "$THUMBPRINT" \
/tr "$TIMESTAMP_SERVER" \
/td SHA256 /fd SHA256 /v \
"$appDir\\"*.exe \
"$appDir\\jaunch\\jaunch-windows-"*.exe &&

"$signtool" verify /pa /all \
"$appDir\\"*.exe \
"$appDir\\jaunch\\jaunch-windows-"*.exe

echo "Signing complete!"
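Review bot: In sign_windows the `"$signtool" sign … &&` list means a failed signing silently skips the verify call and still falls through to `echo "[INFO] Signing complete!"` with a zero status, and the two `codesign` calls in sign_macos are likewise unchecked, so the rewritten script can report success after signing nothing. The `&&` chaining also sidesteps `set -e` if the file head (outside this hunk) enables it, because a non-final command in an `&&` list is exempt from it. I would append `|| exit 1` to both `codesign` invocations and to the `"$appDir\\jaunch\\jaunch-windows-"*.exe` line that closes each signtool call, dropping the trailing `&&`, so the dispatch `case` propagates a real failure. The `*-macos-*` glob in sign_macos also passes the literal pattern to codesign when nothing matches; a `[ -e "$exe" ] || continue` at the top of the loop would make that case a clean no-op rather than a confusing codesign error.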
21 changes: 21 additions & 0 deletions sign/entitlements.plist
@@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!--
Note: This list of entitlements matches those from macOS Java and
Python distributions. Without them, many features of the runtimes,
or even linking to the runtimes at all, will not function on macOS.
-->
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.debugger</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
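Review bot: Each of the five entitlements in this dict disables part of the hardened runtime, but the comment justifies them only collectively by analogy to Java and Python distributions, so a future maintainer cannot tell which one a given launcher feature depends on. `com.apple.security.cs.debugger` is the one I would question first: it allows the signed binary to attach to other processes, which a launcher presumably does not need, and `disable-library-validation` combined with `allow-dyld-environment-variables` means the runtime will load libraries not signed by the same team, including ones selected through DYLD_* variables at launch. I would replace the block comment with one short comment per key naming the concrete runtime feature that fails without it (e.g. `<!-- allow-jit: needed for the runtime's JIT compiler -->` if that is what a test launch shows), and drop any key whose removal leaves the launcher working.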
