telegraf/scripts/sign-windows.sh

#!/bin/bash
set -eux

# Install dependencies
sudo apt update && sudo apt install --yes 7zip default-jre-headless osslsigncode wget
wget https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
sha256sum="9877a0949a9c9ac4485155bbb8679ac863d3ec3d67e0a380b880eed650d06854"
if ! echo "${sha256sum}  jsign_5.0_all.deb" | sha256sum --check -; then
    echo "Checksum for jsign deb failed" >&2
    exit 1
fi
sudo dpkg -i jsign_5.0_all.deb

# Load certificates
touch "$SM_CLIENT_CERT_FILE"
set +x
echo "$SM_CLIENT_CERT_FILE_B64" > "$SM_CLIENT_CERT_FILE.b64"
set -x
base64 -d "$SM_CLIENT_CERT_FILE.b64" > "$SM_CLIENT_CERT_FILE"

# Loop through and sign + verify the binaries
artifactDirectory="./dist"
extractDirectory="$artifactDirectory/extracted"
for file in "$artifactDirectory"/*windows*; do
    7zz x "$file" -o$extractDirectory
    subDirectoryPath=$(find $extractDirectory -mindepth 1 -maxdepth 1 -type d)
    telegrafExePath="$subDirectoryPath/telegraf.exe"

    jsign \
        -storetype DIGICERTONE \
        -alias "$SM_CERT_ALIAS" \
        -storepass "$SM_API_KEY|$SM_CLIENT_CERT_FILE|$SM_CLIENT_CERT_PASSWORD" \
        -alg SHA-256 \
        -tsaurl http://timestamp.digicert.com \
        "$telegrafExePath"

    osslsigncode verify \
        -CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \
        -TSA-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \
        -in "$telegrafExePath"

    7zz a -r "$file" "$subDirectoryPath"
    rm -rf "$extractDirectory"
done
Adding upstream version 1.34.4. Signed-off-by: Daniel Baumann <daniel@debian.org> 2025-05-24 07:26:29 +02:00			`#!/bin/bash`
			`set -eux`

			`# Install dependencies`
			`sudo apt update && sudo apt install --yes 7zip default-jre-headless osslsigncode wget`
			`wget https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb`
			`sha256sum="9877a0949a9c9ac4485155bbb8679ac863d3ec3d67e0a380b880eed650d06854"`
			`if ! echo "${sha256sum} jsign_5.0_all.deb" \| sha256sum --check -; then`
			`echo "Checksum for jsign deb failed" >&2`
			`exit 1`
			`fi`
			`sudo dpkg -i jsign_5.0_all.deb`

			`# Load certificates`
			`touch "$SM_CLIENT_CERT_FILE"`
			`set +x`
			`echo "$SM_CLIENT_CERT_FILE_B64" > "$SM_CLIENT_CERT_FILE.b64"`
			`set -x`
			`base64 -d "$SM_CLIENT_CERT_FILE.b64" > "$SM_CLIENT_CERT_FILE"`

			`# Loop through and sign + verify the binaries`
			`artifactDirectory="./dist"`
			`extractDirectory="$artifactDirectory/extracted"`
			`for file in "$artifactDirectory"/windows; do`
			`7zz x "$file" -o$extractDirectory`
			`subDirectoryPath=$(find $extractDirectory -mindepth 1 -maxdepth 1 -type d)`
			`telegrafExePath="$subDirectoryPath/telegraf.exe"`

			`jsign \`
			`-storetype DIGICERTONE \`
			`-alias "$SM_CERT_ALIAS" \`
			`-storepass "$SM_API_KEY\|$SM_CLIENT_CERT_FILE\|$SM_CLIENT_CERT_PASSWORD" \`
			`-alg SHA-256 \`
			`-tsaurl http://timestamp.digicert.com \`
			`"$telegrafExePath"`

			`osslsigncode verify \`
			`-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \`
			`-TSA-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt \`
			`-in "$telegrafExePath"`

			`7zz a -r "$file" "$subDirectoryPath"`
			`rm -rf "$extractDirectory"`
			`done`