
  1. @echo off
  2. rem
  3. rem Usage - Sign.cmd <target file>
  4. rem
  5. setlocal
  6. echo --- BEGIN: sign.bat -------------------------------------
  7. set TargetFile=%~1
  8. if not exist "%TargetFile%" (
  9. echo FATAL ERROR - %TargetFile% does not exist and cannot be signed
  10. echo --- END: sign.bat -------------------------------------
  11. exit /b 1
  12. )
  13. for %%i in ("%TargetFile%") do set TargetFileExtension="%%~xi"
  14. if "%SigningCertSha1%" == "" (
  15. set SigningCertSha1=%~dp0PlexOfficialSPC_sha1.pfx
  16. )
  17. if "%SigningCertSha256%" == "" (
  18. set SigningCertSha2=%~dp0PlexOfficialSPC_sha256.pfx
  19. )
  20. if not exist "%SigningCertSha1%" (
  21. set SigningCertSha1=%~dp0PlexTestSPC.pfx
  22. )
  23. if not exist "%SigningCertSha256%" (
  24. set SigningCertSha256=%~dp0PlexTestSPC.pfx
  25. )
  26. echo Signing with %SigningCertSha1% and %SigningCertSha256%
  27. set TimestampErrors=0
  28. rem Create timestamp server lists... All servers on this list support both RFC 3161 and non-RFC variants
  29. set ServerListRfc3161=(http://timestamp.digicert.com,http://timestamp.globalsign.com/scripts/timestamp.dll,http://timestamp.comodoca.com)
  30. set ServerListNonRfc3161=%ServerListRfc3161%
  31. if %TargetFileExtension% == ".msi" (
  32. rem To sign MSI files, which only support one signature, we sign SHA1 with the SHA256 cert.
  33. rem This allows us to continue supporting Windows Vista.
  34. echo Adding SHA1 signature to MSI file %TargetFile%...
  35. call :SignFile "%SigningCertSha256%" "%SigningCertPasswordSha256%" sha1 0 "%TargetFile%" "%ServerListNonRfc3161%" 0 sha1
  36. if errorlevel 1 goto SignFailed
  37. ) else (
  38. rem To sign normal files, which support multiple signatures, we sign SHA1 with the SHA1 cert and SHA256 with the SHA256 cert
  39. rem This too allows us to continue supporting Windows Vista.
  40. echo Adding SHA1 signature to %TargetFile%...
  41. call :SignFile "%SigningCertSha1%" "%SigningCertPasswordSha1%" sha1 0 "%TargetFile%" "%ServerListNonRfc3161%" 0 sha1
  42. if errorlevel 1 goto SignFailed
  43. echo Adding SHA2 signature to %TargetFile%...
  44. call :SignFile "%SigningCertSha256%" "%SigningCertPasswordSha256%" sha256 1 "%TargetFile%" "%ServerListRfc3161%" 1 sha256
  45. if errorlevel 1 goto SignFailed
  46. )
  47. echo Verifying signature...
  48. signtool.exe verify /pa "%TargetFile%"
  49. if errorlevel 1 (
  50. echo FATAL ERROR - could not verify signature for %TargetFile%. There were %TimestampErrors% timestamping errors.
  51. echo --- END: sign.bat ------------------------------------------------------------
  52. exit /b 1
  53. ) else (
  54. echo --- END: sign.bat ------------------------------------------------------------
  55. exit /b 0
  56. )
  57. :SignFailed
  58. REM return an error code...
  59. echo FAILED: FATAL ERROR - signing %TargetFile% failed. There were %TimestampErrors% timestamping errors.
  60. echo --- END: sign.bat -------------------------------------------------------------
  61. exit /b 1
  62. rem When timestamping a file, signtool will fail when the timestamp server doesn't respond. So we retry in a loop, in an attempt to reduce spurious failures.
  63. rem When running signtool, we redirect output to null because signtool.exe may inadvertently output the word "error", causing msbuild to fail the build.
  64. :SignFile
  65. setlocal
  66. set CertFilePath=%1
  67. set CertPassword=%~2
  68. set SignatureHashAlgorithm=%3
  69. set AppendSignature=%4
  70. set TargetFilePath=%5
  71. set TimestampServerList=%~6
  72. set UseRfc3161=%7
  73. set Rfc3161HashAlgorithm=%8
  74. rem Compute password args
  75. if "%CertPassword%" neq "" (
  76. set PasswordArgs=/p %CertPassword%
  77. ) else (
  78. set PasswordArgs=
  79. )
  80. rem Compute append args
  81. if "%AppendSignature%" == "1" (
  82. set AppendSignatureArgs=/as
  83. ) else (
  84. set AppendSignatureArgs=
  85. )
  86. rem Compute timestamp server args
  87. if "%UseRfc3161%" == "1" (
  88. set TimestampArg1=/tr
  89. set TimestampArg2=/td %Rfc3161HashAlgorithm%
  90. ) else (
  91. set TimestampArg1=/t
  92. set TimestampArg2=
  93. )
  94. for /L %%a in (1,1,300) do (
  95. for %%s in %TimestampServerList% do (
  96. rem echo signtool.exe sign %AppendSignatureArgs% /fd %SignatureHashAlgorithm% %TimestampArg1% %%s %TimestampArg2% /f %CertFilePath% %PasswordArgs% %TargetFilePath%
  97. signtool.exe sign %AppendSignatureArgs% /fd %SignatureHashAlgorithm% %TimestampArg1% %%s %TimestampArg2% /f %CertFilePath% %PasswordArgs% %TargetFilePath% > NUL 2>&1
  98. if errorlevel 0 if not errorlevel 1 goto SignFileSuccess
  99. echo Signing attempt %%a failed. Probably cannot find the timestamp server at %%s
  100. set /a TimestampErrors+=1
  101. )
  102. echo Waiting 1 second...
  103. choice /N /T:1 /D:Y >NUL
  104. )
  105. endlocal
  106. exit /b 1
  107. :SignFileSuccess
  108. echo Signing succeeded
  109. endlocal
  110. exit /b 0