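<#
.SYNOPSIS
    Sign a single app package file and output its hash + signature for the manifest.

.DESCRIPTION
    Run this once per app package you want to add to apps.json.
    Copy the output values into the appropriate platforms entry in manifests/apps.json,
    then re-run sign-manifest.ps1 to re-sign the updated manifest.

    The signing key is taken from the MANIFEST_SIGNING_KEY environment variable when it
    is set (its value is written to a temporary PEM file for the openssl call);
    otherwise the key file at -KeyPath is used.

.PARAMETER PackagePath
    Path of the package file to hash and sign. Taken literally (no wildcard expansion).

.PARAMETER KeyPath
    Path of the PEM private key file. Not used when MANIFEST_SIGNING_KEY is set.

.EXAMPLE
    .\scripts\sign-package.ps1 -PackagePath .\dist\my-app.exe
#>

param(
    [Parameter(Mandatory)]
    [string]$PackagePath,

    [string]$KeyPath = ".\keys\manifest-private.pem"
)

$ErrorActionPreference = "Stop"

# ── Locate OpenSSL (probes common Windows install paths if not on PATH) ───────
. "$PSScriptRoot\_openssl.ps1"

# Resolve to absolute paths so .NET IO methods use the correct CWD
$PackagePath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($PackagePath)
$KeyPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($KeyPath)

# -LiteralPath keeps characters such as [ ] * ? in a file name from being treated as a
# wildcard, so exactly one file is hashed, measured and signed. .ProviderPath yields a
# plain filesystem path, which is what the native openssl process needs.
$resolvedPkg = (Resolve-Path -LiteralPath $PackagePath).ProviderPath
if (-not (Test-Path -LiteralPath $resolvedPkg -PathType Leaf)) {
    throw "Package path is not a file: $resolvedPkg"
}

$resolvedKey = $null
$tempKeyFile = $null
$tempSig = $null

try {
    if ($env:MANIFEST_SIGNING_KEY) {
        # NOTE(security): the private key is on disk in the clear for the duration of the
        # openssl call. The file gets whatever ACL the TEMP directory gives it, and
        # Remove-Item is not a secure wipe. On shared or persistent build hosts prefer
        # -KeyPath pointing at an access-restricted location.
        # Created inside the try block so the finally block removes it on every exit path.
        $tempKeyFile = Join-Path $env:TEMP "psg-sign-key-$([System.Guid]::NewGuid()).pem"
        [IO.File]::WriteAllText($tempKeyFile, $env:MANIFEST_SIGNING_KEY)
        $resolvedKey = $tempKeyFile
    } else {
        $resolvedKey = (Resolve-Path -LiteralPath $KeyPath).ProviderPath
    }

    # The hash, the size and the signature below each read the package separately;
    # the file must not be modified while this script runs or the values will disagree.

    # SHA-256 hash
    $hashObj = Get-FileHash -LiteralPath $resolvedPkg -Algorithm SHA256
    $hash = $hashObj.Hash.ToLower()

    # File size
    $sizeBytes = (Get-Item -LiteralPath $resolvedPkg).Length

    # ed25519 signature
    $tempSig = Join-Path $env:TEMP "psg-pkg-sig-$([System.Guid]::NewGuid()).bin"
    & openssl pkeyutl -sign -inkey $resolvedKey -rawin -in $resolvedPkg -out $tempSig
    if ($LASTEXITCODE -ne 0) { throw "openssl signing failed" }

    $sigB64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($tempSig))

    Write-Host ""
    Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
    Write-Host "Add this to the relevant platforms entry in manifests/apps.json:" -ForegroundColor Yellow
    Write-Host ""
    Write-Host @"
"hash_sha256": "$hash",
"size_bytes": $sizeBytes,
"signature": "$sigB64"
"@ -ForegroundColor Cyan
    Write-Host ""
    Write-Host "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" -ForegroundColor Yellow
    Write-Host "Then re-run: .\scripts\sign-manifest.ps1"

} finally {
    # Key file first: it is the sensitive one, so it is removed even if removing the
    # signature scratch file would fail. The signature file is also removed here so a
    # failed openssl run does not leave it behind.
    foreach ($leftover in @($tempKeyFile, $tempSig)) {
        if ($leftover -and (Test-Path -LiteralPath $leftover)) {
            Remove-Item -LiteralPath $leftover -Force
        }
    }
}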