@echo off rem rem Usage - Sign.cmd rem setlocal echo --- BEGIN: sign.bat ------------------------------------- set TargetFile=%~1 if not exist "%TargetFile%" ( echo FATAL ERROR - %TargetFile% does not exist and cannot be signed echo --- END: sign.bat ------------------------------------- exit /b 1 ) for %%i in ("%TargetFile%") do set TargetFileExtension="%%~xi" if "%SigningCertSha256%" == "" ( set SigningCertSha256=%~dp0PlexOfficialSPC_sha256.pfx ) if not exist "%SigningCertSha256%" ( set SigningCertSha256=%~dp0PlexTestSPC.pfx ) echo Signing with %SigningCertSha256% set TimestampErrors=0 rem Create timestamp server lists... All servers on this list support both RFC 3161 and non-RFC variants set ServerListRfc3161=(http://timestamp.digicert.com,http://timestamp.globalsign.com/scripts/timestamp.dll,http://timestamp.comodoca.com) rem Signing files SHA256 with the SHA256 cert echo Adding SHA256 signature to %TargetFile%... call :SignFile "%SigningCertSha256%" "%SigningCertPasswordSha256%" sha256 0 "%TargetFile%" "%ServerListRfc3161%" sha256 if errorlevel 1 goto SignFailed echo Verifying signature... signtool.exe verify /pa "%TargetFile%" if errorlevel 1 ( echo FATAL ERROR - could not verify signature for %TargetFile%. There were %TimestampErrors% timestamping errors. echo --- END: sign.bat ------------------------------------------------------------ exit /b 1 ) else ( echo --- END: sign.bat ------------------------------------------------------------ exit /b 0 ) :SignFailed REM return an error code... echo FAILED: FATAL ERROR - signing %TargetFile% failed. There were %TimestampErrors% timestamping errors. echo --- END: sign.bat ------------------------------------------------------------- exit /b 1 rem When timestamping a file, signtool will fail when the timestamp server doesn't respond. So we retry in a loop, in an attempt to reduce spurious failures. rem When running signtool, we redirect output to null because signtool.exe may inadvertently output the word "error", causing msbuild to fail the build. :SignFile setlocal set CertFilePath=%1 set CertPassword=%~2 set SignatureHashAlgorithm=%3 set AppendSignature=%4 set TargetFilePath=%5 set TimestampServerList=%~6 set Rfc3161HashAlgorithm=%7 rem Compute password args if "%CertPassword%" neq "" ( set PasswordArgs=/p %CertPassword% ) else ( set PasswordArgs= ) rem Compute append args if "%AppendSignature%" == "1" ( set AppendSignatureArgs=/as ) else ( set AppendSignatureArgs= ) rem Compute timestamp server args set TimestampArg1=/tr set TimestampArg2=/td %Rfc3161HashAlgorithm% for /L %%a in (1,1,300) do ( for %%s in %TimestampServerList% do ( rem echo signtool.exe sign %AppendSignatureArgs% /fd %SignatureHashAlgorithm% %TimestampArg1% %%s %TimestampArg2% /f %CertFilePath% %PasswordArgs% %TargetFilePath% signtool.exe sign %AppendSignatureArgs% /fd %SignatureHashAlgorithm% %TimestampArg1% %%s %TimestampArg2% /f %CertFilePath% %PasswordArgs% %TargetFilePath% > NUL 2>&1 if errorlevel 0 if not errorlevel 1 goto SignFileSuccess echo Signing attempt %%a failed. Probably cannot find the timestamp server at %%s set /a TimestampErrors+=1 ) echo Waiting 1 second... choice /N /T:1 /D:Y >NUL ) endlocal exit /b 1 :SignFileSuccess echo Signing succeeded endlocal exit /b 0