feat: Teach the tool to sign all kinds of files
1 parent
063801a
commit 903368a
Showing
7 changed files
with
163 additions
and
84 deletions.
@@ -0,0 +1,63 @@ | ||
import path from 'path'; | ||
import fs from 'fs-extra'; | ||
|
||
import { SignOptions } from './types'; | ||
|
||
const IS_PE_REGEX = /\.(exe|dll|sys|efi|scr|node)$/i; | ||
const IS_MSI_REGEX = /\.msi$/i; | ||
const IS_PACKAGE_REGEX = /\.(appx|appxbundle|msix|msixbundle)$/i; | ||
const IS_CATCAB_REGEX = /\.(cat|cab)$/i; | ||
const IS_SILVERLIGHT_REGEX = /\.xap$/i; | ||
const IS_SCRIPT_REGEX = /\.(vbs|wsf|ps1)$/i; | ||
const IS_JS_REGEX = /\.js$/i; | ||
|
||
/** | ||
* Recursively goes through an entire directory and returns an array | ||
* of full paths for files ot sign. | ||
* | ||
* - Portable executable files (.exe, .dll, .sys, .efi, .scr, .node) | ||
* - Microsoft installers (.msi) | ||
* - APPX/MSIX packages (.appx, .appxbundle, .msix, .msixbundle) | ||
* - Catalog files (.cat) | ||
* - Cabinet files (.cab) | ||
* - Silverlight applications (.xap) | ||
* - Scripts (.vbs, .wsf, .ps1) | ||
* If configured: | ||
* - JavaScript files (.js) | ||
*/ | ||
export function getFilesToSign(options: SignOptions, dir?: string): Array<string> { | ||
dir = dir || options.appDirectory; | ||
|
||
// Array of file paths to sign | ||
const result: Array<string> = []; | ||
|
||
// Iterate over the app directory, looking for files to sign | ||
const files = fs.readdirSync(dir); | ||
|
||
const regexes = [ | ||
IS_PE_REGEX, | ||
IS_MSI_REGEX, | ||
IS_PACKAGE_REGEX, | ||
IS_CATCAB_REGEX, | ||
IS_SILVERLIGHT_REGEX, | ||
IS_SCRIPT_REGEX | ||
]; | ||
|
||
if (options.signJavaScript) { | ||
regexes.push(IS_JS_REGEX); | ||
} | ||
|
||
for (const file of files) { | ||
const fullPath = path.resolve(dir, file); | ||
|
||
if (fs.statSync(fullPath).isDirectory()) { | ||
// If it's a directory, recurse | ||
result.push(...getFilesToSign(options, fullPath)); | ||
} else if (regexes.some((regex) => regex.test(file))) { | ||
// If it's a match, add it to the list | ||
result.push(fullPath); | ||
} | ||
} | ||
|
||
return result; | ||
} |
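Review bot: `fs.statSync(fullPath).isDirectory()` follows symbolic links, so a symlink inside `appDirectory` that points at a directory elsewhere on disk makes the walk recurse outside the app directory and queue files the caller never meant to sign, and a link to an ancestor makes it recurse without bound. Taking the entry's own type with `const stat = fs.lstatSync(fullPath); if (stat.isSymbolicLink()) continue;` before the directory check keeps the scan confined to the tree under `appDirectory`. The doc comment also has a typo, `files ot sign` should read `files to sign`, and its bullets list `.cat` and `.cab` separately although both come from `IS_CATCAB_REGEX`, which is worth keeping in sync if either list changes.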
@@ -1,3 +1,4 @@ | ||
import { sign, SignOptions } from './sign'; | ||
import { sign } from './sign'; | ||
import { SignOptions } from './types'; | ||
|
||
export { sign, SignOptions }; |
@@ -0,0 +1,50 @@ | ||
// SHA-1 has been deprecated on Windows since 2016. We'll still dualsign. | ||
// https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx#Post-February_TwentySeventeen_Plan | ||
export const enum HASHES { | ||
sha1 = 'sha1', | ||
sha256 = 'sha256', | ||
} | ||
|
||
export interface SignOptions extends OptionalSignOptions { | ||
// Path to the application directory. We will scan this | ||
// directory for any .dll, .exe, .msi, or .node files and | ||
// codesign them with signtool.exe | ||
appDirectory: string; | ||
// Path to a .pfx code signing certificate. Will use | ||
// process.env.WINDOWS_CERTIFICATE_FILE if not provided | ||
certificateFile?: string; | ||
// Password to said certificate. If you don't provide this, | ||
// you need to provide a `signWithParams` option. Will use | ||
// process.env.WINDOWS_CERTIFICATE_PASSWORD if not provided | ||
certificatePassword?: string; | ||
} | ||
|
||
export interface InternalOptions extends OptionalSignOptions { | ||
certificateFile: string; | ||
certificatePassword?: string; | ||
signToolPath: string; | ||
timestampServer: string; | ||
files: Array<string>; | ||
hash: HASHES; | ||
appendSignature?: boolean; | ||
} | ||
|
||
export interface OptionalSignOptions { | ||
// Path to a timestamp server. Defaults to http://timestamp.digicert.com | ||
timestampServer?: string; | ||
// Description of the signed content. Will be passed to signtool.exe as /d | ||
description?: string; | ||
// URL of the signed content. Will be passed to signtool.exe as /du | ||
website?: string; | ||
// Path to signtool.exe. Will use vendor/signtool.exe if not provided | ||
signToolPath?: string; | ||
// Additional parameters to pass to signtool.exe. | ||
signWithParams?: string; | ||
// Enable debug logging | ||
debug?: boolean; | ||
// Automatically select the best signing certificate, passed as | ||
// /a to signtool.exe, on by default | ||
automaticallySelectCertificate?: boolean; | ||
// Should we sign JavaScript files? Defaults to false | ||
signJavaScript?: boolean | ||
} |
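Review bot: The comment on `appDirectory` still says the directory is scanned for `.dll, .exe, .msi, or .node` files, which the rest of this commit makes stale: the scanner now also collects `.sys`, `.efi`, `.scr`, APPX/MSIX packages, `.cat`/`.cab`, `.xap`, scripts and, when `signJavaScript` is set, `.js`. Rather than repeat the list here I would point at the one place that owns it, e.g. `// Path to the application directory. Every signable file found in it (see getFilesToSign for the extension list) is codesigned with signtool.exe`. Separately, `export const enum HASHES` is inlined at compile time and does not survive `isolatedModules`/Babel-style transpilation, so a consumer importing `HASHES` from this package can end up with `undefined`; a plain string `enum` or `type Hash = 'sha1' | 'sha256'` avoids that. `signJavaScript?: boolean` is also the only member in the file without a trailing semicolon.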
@@ -0,0 +1,23 @@ | ||
/** | ||
* Tries to parse an process.env string to a boolean. | ||
* Will understand undefined as the default value | ||
* Will understand "false", "False", "fAlse", or "0" as `false` | ||
* Will understand everything else as true | ||
* | ||
* @export | ||
* @param {string} name | ||
* @return {*} {boolean} | ||
*/ | ||
export function booleanFromEnv(name: string): boolean | undefined { | ||
const value = process.env[name]; | ||
|
||
if (value === undefined) { | ||
return undefined; | ||
} | ||
|
||
if (value.toLowerCase() === 'false' || value === '0') { | ||
return false; | ||
} | ||
|
||
return !!value; | ||
} |
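Review bot: The docstring's "everything else as true" is not what the last line does: `return !!value` yields `false` for an empty string, so `NAME=` set but empty in the environment is read as `false`, not `true`. Either make that intent explicit, `return value !== '';`, and add `Will understand an empty string as false` to the docstring, or return `true` there if set-but-empty really should mean enabled; as written the two disagree and the next reader has to guess which one is the contract. The `@return {*} {boolean}` tag is also wrong for the declared `boolean | undefined`; since this is TypeScript the `{string}`/`{boolean}` JSDoc types can be dropped and `@returns` can simply describe the `undefined`-when-unset case.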