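# sign.ps1 - Authenticode-sign the given files with the first *.pfx found next
# to this script, using the newest signtool.exe from an installed Windows 10 SDK.
# Usage: .\sign.ps1 -TargetFiles .\app.exe, .\lib.dll
param(
    # Paths of the binaries to verify and, when unsigned, sign in place.
    [string[]]$TargetFiles
)
$ErrorActionPreference = 'Stop'
# RFC 3161 timestamp authority handed to signtool via /tr.
$TimeServer = "http://timestamp.sectigo.com"
# Every SDK version installs bin\<version>\x64\signtool.exe under this root.
$signToolSearchPath = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe"
# Lexically sort the full paths and keep the last one, i.e. the highest SDK
# version directory. Expand FullName explicitly so $signtool is an absolute
# path whether or not FileInfo stringifies to the full path on this
# PowerShell version.
[string]$signtool = Get-ChildItem $signToolSearchPath -ErrorAction SilentlyContinue `
    | Sort-Object -Property FullName `
    | Select-Object -Last 1 -ExpandProperty FullName
if (!$signtool) {
    Write-Warning "SignTool.exe not found. You need to install a Windows SDK."
    exit 1
}
# The alphabetically first *.pfx beside the script is the certificate + key.
# $certFile stays a FileInfo; callers read .FullName or let it stringify.
$certFile = Get-ChildItem "$PSScriptRoot\*.pfx" `
    | Sort-Object -Property Name `
    | Select-Object -First 1
if (!$certFile) {
    Write-Warning "No PFX file found in the project root."
    Write-Host "This script needs a certificate with private key as a PFX file in the project root to work."
    exit 1
}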
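function ConvertFrom-SecureToPlain {
    <#
    .SYNOPSIS
    Returns the plain-text value of a SecureString.
    .PARAMETER SecurePassword
    The SecureString to decode.
    .OUTPUTS
    [string] The decoded text. Unlike the SecureString, the returned managed
    string cannot be wiped, so keep its lifetime as short as possible.
    #>
    param([Parameter(Mandatory=$true)][System.Security.SecureString] $SecurePassword)
    # Copy the secret into an unmanaged BSTR so it can be read back.
    $passwordPointer = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
    try {
        # A BSTR is always UTF-16, so decode it as a BSTR instead of relying on
        # PtrToStringAuto's platform-dependent charset.
        [Runtime.InteropServices.Marshal]::PtrToStringBSTR($passwordPointer)
    } finally {
        # Zero and free the unmanaged copy on every path, including a throw;
        # the original freed it only on the success path.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($passwordPointer)
    }
}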
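# Prompt without echo; the secret is only decoded right before signtool needs it.
$pfxPassword = Read-Host -AsSecureString "PFX Password"
$unsignedTargets = @()
Write-Output "Searching for files without signature..."
foreach ($f in $TargetFiles) {
    # signtool reports "No signature found" on stderr, so both streams are
    # captured. Relax the error preference around the call: in Windows
    # PowerShell, 2>&1 on a native command can turn that stderr line into a
    # terminating error under $ErrorActionPreference = 'Stop'.
    $savedPreference = $ErrorActionPreference
    $ErrorActionPreference = 'Continue'
    try {
        [string]$result = & $signtool Verify /pa /tw $f 2>&1
    } finally {
        $ErrorActionPreference = $savedPreference
    }
    if ($LASTEXITCODE) {
        if ($result.Contains("No signature found")) {
            $unsignedTargets += $f
            Write-Output "- $f"
        } else {
            # Any other verify failure (bad chain, tampered file, ...) is not
            # re-signed; rerun signtool so its full diagnostic reaches the console.
            Write-Warning "- $f failed to verify signature"
            & $signtool Verify /pa /tw $f
            Write-Warning "Exit Code: $LASTEXITCODE"
        }
    } else {
        Write-Output "- $f already signed"
    }
}
Write-Output "Signing files..."
# signtool only takes the PFX password as a command-line argument (/p), so the
# plain text is visible to anyone who can list this machine's processes and to
# any command logging while signtool runs. Decode it once rather than per file.
$plainPassword = ConvertFrom-SecureToPlain $pfxPassword
foreach ($f in $unsignedTargets) {
    Write-Output "- $f"
    # Keep the unsigned original beside the file; an existing backup is never
    # overwritten. These .bak files must be excluded from anything shipped.
    $backup = "$f.bak"
    if (!(Test-Path $backup)) { Copy-Item $f $backup }
    # /fd: file digest, /td: timestamp digest, /tr: RFC 3161 timestamp server.
    & $signtool sign `
        /f $certFile.FullName /p $plainPassword `
        /fd sha256 /td sha256 /tr $TimeServer `
        $f
    if ($LASTEXITCODE) {
        Write-Warning "Signing failed."
        exit 1
    }
}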