From 830c290d102419dd3da3f168fb9931e04b200dd1 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier <boklm@torproject.org>
Date: Sat, 30 Apr 2022 10:57:10 +0200
Subject: [PATCH] Bug 40476: Improve linux-signer-authenticode-signing

- Automatically change to ~/$tbb_version directory
- Allow setting password with an environment variable (useful for
  tor-browser-build#40476)
- Make it possible to run the script as any user, and only run the
  osslsigncode command as the yubihsm user
---
 .../signing/linux-signer-authenticode-signing | 28 ++++++++++++++-----
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/tools/signing/linux-signer-authenticode-signing b/tools/signing/linux-signer-authenticode-signing
index 68643ee7..31943af1 100755
--- a/tools/signing/linux-signer-authenticode-signing
+++ b/tools/signing/linux-signer-authenticode-signing
@@ -1,20 +1,34 @@
 #!/bin/bash
 set -e
 
-export YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf
+script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source "$script_dir/functions"
 
-read -sp "Enter passphrase: " pass
+cd ~/"$tbb_version"
+
+test -n "${YUBIPASS:-}" || read -s -p "Authenticode (yubihsm) password:" YUBIPASS
 echo
+
+tmpdir=$(mktemp -d)
+chgrp yubihsm "$tmpdir"
+chmod g+rwx "$tmpdir"
+
+cwd=$(pwd)
 for i in `find . -name "*.exe" -print`
 do
-  /home/yubihsm/osslsigncode/osslsigncode \
+  echo "Signing $i"
+  echo export 'YUBIHSM_PKCS11_CONF=~/yubihsm_pkcs11.conf' \; \
+       /home/yubihsm/osslsigncode/osslsigncode \
                  -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
                  -pkcs11module /usr/local/lib/yubihsm_pkcs11.so \
-                 -pass "$pass" \
+                 -pass "'$YUBIPASS'" \
                  -h sha256 \
                  -certs /home/yubihsm/tpo-cert.crt \
                  -key 1c40 \
-                 $i $i-signed
+                 "$cwd/$i" "$tmpdir/$i" \
+                 | sudo su - yubihsm
+  mv -vf "$tmpdir/$i" "$cwd/$i"
 done
-unset pass
-rename -f 's/-signed//' *-signed
+
+unset YUBIPASS
+rmdir "$tmpdir"
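Review bot: The password and each .exe path are spliced as plain text into the command string that `sudo su - yubihsm` executes (lines 42–53), so a YUBIPASS containing a single quote, or a path with whitespace or shell metacharacters, is re-parsed by the yubihsm login shell rather than reaching osslsigncode as one argument; the unquoted backtick `find` on line 38 word-splits such paths as well. Quoting each interpolated value with `printf '%q'` (this assumes the yubihsm login shell is bash) and iterating over `find -print0` keeps every value a single word, as sketched below. If an .exe can sit in a subdirectory (not visible from here), `$tmpdir/$i` also points into a directory that does not exist, so osslsigncode cannot write it and the following `mv` aborts the script under `set -e`; either create it with the same group permissions as `$tmpdir` or use a flat `$tmpdir/${i##*/}` name. The password still ends up as an argv value of osslsigncode in the yubihsm session, visible to `ps` on that host, as it was before this change.
```shell
while IFS= read -r -d '' i; do
  echo "Signing $i"
  # … unchanged: echo export … osslsigncode -pkcs11engine … -pkcs11module …
                 -pass "$(printf '%q' "$YUBIPASS")" \
  # … unchanged: -h sha256 -certs … -key 1c40 …
                 "$(printf '%q' "$cwd/$i")" "$(printf '%q' "$tmpdir/$i")" \
                 | sudo su - yubihsm
  mv -vf "$tmpdir/$i" "$cwd/$i"
done < <(find . -name '*.exe' -print0)
```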
-- 
GitLab