WindowsSign.cmd 3.4 KB

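  @echo off
  rem
  rem Usage - Sign.cmd <target file>
  rem
  rem Signs the target file with a SHA256 Authenticode signature and an RFC 3161
  rem timestamp, then checks the result with "signtool verify /pa".
  rem
  rem Environment read by this script:
  rem   SigningCertSha256          path of the .pfx to sign with, optional
  rem   SigningCertPasswordSha256  password of that .pfx, optional
  rem Exit code: 0 when the file was signed and verified, 1 otherwise.
  rem
  setlocal
  echo --- BEGIN: sign.bat -------------------------------------
  rem Quoted assignments and goto-based error paths keep paths that contain
  rem parentheses or spaces from breaking the parse of a bracketed block.
  set "TargetFile=%~1"
  if not exist "%TargetFile%" goto TargetMissing
  rem NOTE(review): TargetFileExtension is not referenced anywhere in the visible script.
  for %%i in ("%TargetFile%") do set TargetFileExtension="%%~xi"
  if not defined SigningCertSha256 set "SigningCertSha256=%~dp0PlexOfficialSPC_sha256.pfx"
  rem NOTE(review): when the configured or official certificate is missing, the
  rem script falls back to the test certificate without failing. The only trace
  rem is the "Signing with" line below, so a release pipeline should check that
  rem line, or the signer of the output, before publishing.
  if not exist "%SigningCertSha256%" set "SigningCertSha256=%~dp0PlexTestSPC.pfx"
  rem Fail fast when no certificate file exists at all. Without this check the
  rem retry loop in SignFile runs every attempt and reports each one as a
  rem timestamp server problem.
  if not exist "%SigningCertSha256%" goto CertMissing
  echo Signing with %SigningCertSha256%
  set TimestampErrors=0
  rem Create timestamp server lists... All servers on this list support both RFC 3161 and non-RFC variants
  set "ServerListRfc3161=(http://timestamp.digicert.com,http://timestamp.globalsign.com/scripts/timestamp.dll,http://timestamp.comodoca.com)"
  rem Signing files SHA256 with the SHA256 cert
  echo Adding SHA256 signature to %TargetFile%...
  call :SignFile "%SigningCertSha256%" "%SigningCertPasswordSha256%" sha256 0 "%TargetFile%" "%ServerListRfc3161%" sha256
  if errorlevel 1 goto SignFailed
  echo Verifying signature...
  signtool.exe verify /pa "%TargetFile%"
  if errorlevel 1 goto VerifyFailed
  echo --- END: sign.bat ------------------------------------------------------------
  exit /b 0

  :TargetMissing
  echo FATAL ERROR - %TargetFile% does not exist and cannot be signed
  echo --- END: sign.bat -------------------------------------
  exit /b 1

  :CertMissing
  echo FATAL ERROR - signing certificate %SigningCertSha256% does not exist
  echo --- END: sign.bat -------------------------------------
  exit /b 1

  :VerifyFailed
  echo FATAL ERROR - could not verify signature for %TargetFile%. There were %TimestampErrors% timestamping errors.
  echo --- END: sign.bat ------------------------------------------------------------
  exit /b 1

  :SignFailed
  REM return an error code...
  echo FAILED: FATAL ERROR - signing %TargetFile% failed. There were %TimestampErrors% timestamping errors.
  echo --- END: sign.bat -------------------------------------------------------------
  exit /b 1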
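  rem When timestamping a file, signtool will fail when the timestamp server doesn't respond. So we retry in a loop, in an attempt to reduce spurious failures.
  rem When running signtool, we redirect output to null because signtool.exe may inadvertently output the word "error", causing msbuild to fail the build.
  rem
  rem Arguments, in order:
  rem   1  certificate file path, passed through with its quotes
  rem   2  certificate password, may be empty
  rem   3  file digest algorithm for /fd
  rem   4  1 to append the signature with /as, anything else to replace it
  rem   5  file to sign, passed through with its quotes
  rem   6  bracketed, comma separated list of timestamp server URLs
  rem   7  timestamp digest algorithm for /td
  rem Returns 0 after the first successful signtool run, 1 when every attempt failed.
  rem TimestampErrors in the caller scope is increased by the number of failed attempts.
  rem
  rem NOTE(review): signtool receives the password as a /p argument, so it is
  rem visible in the process command line on the build machine while signing
  rem runs. A certificate selected from a certificate store or a hardware backed
  rem key avoids putting the secret on a command line.
  rem NOTE(review): because signtool output is discarded, every failure is
  rem reported as a timestamp server problem, including a wrong password or an
  rem unusable certificate.
  :SignFile
  setlocal
  set CertFilePath=%1
  set "CertPassword=%~2"
  set SignatureHashAlgorithm=%3
  set AppendSignature=%4
  set TargetFilePath=%5
  set "TimestampServerList=%~6"
  set Rfc3161HashAlgorithm=%7
  rem Compute password args
  rem The password is quoted so that spaces or shell metacharacters in it stay
  rem inside one signtool argument instead of being split or run by cmd.
  if defined CertPassword (
    set PasswordArgs=/p "%CertPassword%"
  ) else (
    set PasswordArgs=
  )
  rem Compute append args
  if "%AppendSignature%" == "1" (
    set AppendSignatureArgs=/as
  ) else (
    set AppendSignatureArgs=
  )
  rem Compute timestamp server args
  set TimestampArg1=/tr
  set TimestampArg2=/td %Rfc3161HashAlgorithm%
  for /L %%a in (1,1,300) do (
    for %%s in %TimestampServerList% do (
      rem Do not echo this command line when debugging - it carries the certificate password.
      signtool.exe sign %AppendSignatureArgs% /fd %SignatureHashAlgorithm% %TimestampArg1% %%s %TimestampArg2% /f %CertFilePath% %PasswordArgs% %TargetFilePath% > NUL 2>&1
      if errorlevel 0 if not errorlevel 1 goto SignFileSuccess
      echo Signing attempt %%a failed. Probably cannot find the timestamp server at %%s
      set /a TimestampErrors+=1
    )
    echo Waiting 1 second...
    choice /N /T:1 /D:Y >NUL
  )
  rem The counter was incremented inside this setlocal scope. Its value is
  rem expanded before endlocal runs, so the set on the same line writes it back
  rem to the caller scope instead of losing it.
  endlocal & set "TimestampErrors=%TimestampErrors%"
  exit /b 1
  :SignFileSuccess
  echo Signing succeeded
  endlocal & set "TimestampErrors=%TimestampErrors%"
  exit /b 0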