sign_installer.sh
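#!/usr/bin/env bash
#
# Script to sign the IDF Tools installer for Windows, built with build_installer.sh.
#
# Required environment:
#   KEYFILE     - private key file
#   CERTCHAIN   - certificate chain file
# Optional environment:
#   KEYPASSWORD - password for the private key file; osslsigncode prompts
#                 for it when this is not set
#
# Reads the version from idf_tool_setup.iss and the unsigned installer from
# Output/, and writes the signed installer next to it.
#

set -e
set -u

if [[ -z "${KEYFILE:-}" || -z "${CERTCHAIN:-}" ]]; then
    {
        echo "To sign the installer, set the following environment variables:"
        echo " KEYFILE - private key file"
        echo " KEYPASSWORD - password for the private key file (optional, will prompt for password if not set)"
        echo " CERTCHAIN - certificate chain file"
    } >&2
    exit 1
fi

# umask bits are the permissions to REMOVE. 077 keeps everything this script
# creates (including a process substitution FIFO, on systems that use one)
# private to the owner. The previous value, 770, did the opposite: it
# stripped owner/group access and left "other" access in place.
umask 077

# The pipeline's status is that of 'tr', so a failed grep is not caught by
# 'set -e'; check the result explicitly instead of signing to a bogus name.
VERSION=$(grep "#define MyAppVersion " idf_tool_setup.iss | cut -d ' ' -f3 | tr -d '"')
if [[ -z "${VERSION}" ]]; then
    echo "Could not read MyAppVersion from idf_tool_setup.iss" >&2
    exit 1
fi
echo "Installer version ${VERSION}"

IN_FILE="Output/esp-idf-tools-setup-unsigned.exe"
OUT_FILE="Output/esp-idf-tools-setup-${VERSION}.exe"

# Options shared by both invocations below. An array keeps every value a
# single argument even if a path contains spaces or glob characters.
# -ts requests an RFC 3161 timestamp from the given server.
SIGN_ARGS=(
    -in "${IN_FILE}"
    -out "${OUT_FILE}"
    -h sha256
    -n "Espressif Systems (Shanghai) Co., Ltd."
    -i "https://www.espressif.com/"
    -ts http://timestamp.digicert.com
)

echo "Signing the installer (${IN_FILE})..."
# Note: The cert chain passed to -certs needs to contain the intermediate
# cert(s) as well, appended after the code signing cert, or Windows may see
# it as "Unknown Publisher"
#
# See https://stackoverflow.com/a/52637050 for full details
#
if [[ -n "${KEYPASSWORD:-}" ]]; then
    # The process substitution must be written literally on the command line.
    # Stored in a string variable and expanded later, "<(...)" is never
    # evaluated: it is word-split into plain arguments, so -readpass receives
    # a bogus file name and the password text itself lands in the argument
    # list, where other local users can read it.
    # printf is a shell builtin (the secret never appears in any argv), adds
    # no trailing newline and does not interpret the secret as options.
    osslsigncode -certs "${CERTCHAIN}" -key "${KEYFILE}" \
        -readpass <(printf '%s' "${KEYPASSWORD}") \
        "${SIGN_ARGS[@]}"
else
    osslsigncode -certs "${CERTCHAIN}" -key "${KEYFILE}" \
        -askpass \
        "${SIGN_ARGS[@]}"
fi

chmod 644 "${OUT_FILE}"  # make up for the umask

echo "Generated ${OUT_FILE}"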