feat: initial PSG Launcher scaffold
75
scripts/sign-package.ps1
Normal file
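--- a/scripts/sign-package.ps1
+++ b/scripts/sign-package.ps1
@@ -0,0 +1,75 @@
+<#
+.SYNOPSIS
+Sign a single app package file and output its hash + signature for the manifest.
+
+.DESCRIPTION
+Run this once per app package you want to add to apps.json.
+Copy the output values into the appropriate platforms entry in manifests/apps.json,
+then re-run sign-manifest.ps1 to re-sign the updated manifest.
+
+.EXAMPLE
+.\scripts\sign-package.ps1 -PackagePath .\dist\my-app.exe
+#>
+
+param(
+[Parameter(Mandatory)]
+[string]$PackagePath,
+
+[string]$KeyPath = ".\keys\manifest-private.pem"
+)
+
+$ErrorActionPreference = "Stop"
+
+# ── Locate OpenSSL (probes common Windows install paths if not on PATH) ───────
+. "$PSScriptRoot\_openssl.ps1"
+
+# Resolve to absolute paths so .NET IO methods use the correct CWD
+$PackagePath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($PackagePath)
+$KeyPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($KeyPath)
+
+$resolvedPkg = Resolve-Path $PackagePath
+$resolvedKey = $null
+$tempKeyFile = $null
+
+if ($env:MANIFEST_SIGNING_KEY) {
+$tempKeyFile = Join-Path $env:TEMP "psg-sign-key-$([System.Guid]::NewGuid()).pem"
+[IO.File]::WriteAllText($tempKeyFile, $env:MANIFEST_SIGNING_KEY)
+$resolvedKey = $tempKeyFile
+} else {
+$resolvedKey = Resolve-Path $KeyPath
+}
+
+try {
+# SHA-256 hash
+$hashObj = Get-FileHash -Path $resolvedPkg -Algorithm SHA256
+$hash = $hashObj.Hash.ToLower()
+
+# File size
+$sizeBytes = (Get-Item $resolvedPkg).Length
+
+# ed25519 signature
+$tempSig = Join-Path $env:TEMP "psg-pkg-sig-$([System.Guid]::NewGuid()).bin"
+& openssl pkeyutl -sign -inkey $resolvedKey -rawin -in $resolvedPkg -out $tempSig
+if ($LASTEXITCODE -ne 0) { throw "openssl signing failed" }
+
+$sigB64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($tempSig))
+Remove-Item $tempSig -Force
+
+Write-Host ""
+Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
+Write-Host "Add this to the relevant platforms entry in manifests/apps.json:" -ForegroundColor Yellow
+Write-Host ""
+Write-Host @"
+"hash_sha256": "$hash",
+"size_bytes": $sizeBytes,
+"signature": "$sigB64"
+"@ -ForegroundColor Cyan
+Write-Host ""
+Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
+Write-Host "Then re-run: .\scripts\sign-manifest.ps1"
+
+} finally {
+if ($tempKeyFile -and (Test-Path $tempKeyFile)) {
+Remove-Item $tempKeyFile -Force
+}
+}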
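Review bot: The private key taken from `MANIFEST_SIGNING_KEY` is written in plaintext to `$env:TEMP` before the `try` block opens, so the file inherits that directory's ACL and is not covered by the `finally` if `WriteAllText` throws after creating it. Moving the `if ($env:MANIFEST_SIGNING_KEY) { … } else { … }` block inside `try` closes that gap, and on shared build agents the file's ACL should be restricted to the current user before the key is written. `$tempSig` has a similar leak: when `openssl` fails, the `throw` skips `Remove-Item $tempSig -Force`, so set `$tempSig = $null` before `try` and add `if ($tempSig -and (Test-Path $tempSig)) { Remove-Item $tempSig -Force }` to the `finally`. The default `-KeyPath` (`manifest-private.pem`) and the variable name suggest the same key also signs the manifest; if that is the case, a comment saying so and noting that package and manifest signatures are not domain-separated would help whoever reviews the verifier side.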