@brimston3
Last active February 13, 2017 21:07
cygwin sign unsigned binaries
# Makefile called like so:
#SIGN=YES gmake
# Files to stage and, with SIGN=YES, sign. Only their base names are used
# inside the staging directory.
RELEASEFILES := a.exe a.dll

# Staging directories; SDIR is pointed at one of them depending on SIGN.
UNSIGNED_SDIR := unsigned_bin
SIGNED_SDIR := signed_bin

# Directory that receives the packaged archive.
ODIR := install

# signtool.exe as seen from Cygwin. The value carries its own single quotes
# because the path contains spaces and parentheses.
SIGNTOOL := '/cygdrive/c/Program Files (x86)/Windows Kits/8.1/bin/x64/signtool.exe'

# Update with your signtool options:
#   /tr, /td  RFC 3161 timestamp server and its digest algorithm
#   /fd       file digest algorithm
#   /i        picks the signing certificate by issuer name (substring match)
# NOTE(review): if the certificate store can hold more than one certificate
# matching /i, pin the intended one with /sha1 <THUMBPRINT-PLACEHOLDER>.
SIGOPTS := /tr http://timestamp.digicert.com /td sha256 /fd sha256 /i DigiCert_Test
#######################
# Generated variables #
#######################
# SDIR is the staging directory for this run. SIGN comes from the environment
# or the make command line; only the exact value YES selects the signed
# directory, anything else (including unset) selects the unsigned one.
ifneq ($(SIGN),YES)
SDIR = $(UNSIGNED_SDIR)
else
SDIR = $(SIGNED_SDIR)
endif

# Path of each release file once staged: $(SDIR)/<base name>.
STAGED_RELEASEFILES = $(addprefix $(SDIR)/,$(notdir $(RELEASEFILES)))
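# Default goal: build the release archive. Declared phony so that a file
# named "all" in the working directory cannot make this goal look up to date.
.PHONY: all
all: $(ODIR)/postbuildartifacts.tgz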
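# copy-and-sign.stamp stages $(RELEASEFILES) into $(SDIR) and, when SIGN=YES,
# signs every staged file that signtool does not already accept.
#
# SDIR depends on the SIGN variable (see "Generated variables"), so changing
# SIGN changes the staged targets and forces a fresh signature check.
#
# The check runs in the recipe's shell and not through a make shell function:
# make expands every line of a recipe before it runs the first one, so a
# parse-time check placed after the cp line would still inspect whatever an
# earlier build left in $(SDIR), not the files just copied.
#
# Each file is judged by signtool's exit status, not by matching its English
# "Successfully verified" output, so the result does not depend on locale.
#
# NOTE(review): "verify /pa" accepts any signature that chains to a root this
# machine trusts; it does not check that the signer is the expected publisher.
# A file that arrives already signed by another party is staged as-is.
#
# Fragile: file names containing spaces are not supported.
# TODO: osslsigncode syntax
ifeq ($(SIGN),YES)
# On a signing failure, zap every staged file that did not verify. A left-over
# unsigned copy would be newer than its source and would be packaged by the
# next run without another check. The rm is reached only after a successful
# cd, so the relative names cannot touch files outside $(SDIR).
sign_unverified = $(SIGNTOOL) sign $(SIGOPTS) $$unsigned || { rm -f $$unsigned; exit 1; }
else
# Unsigned build: report signature state only.
sign_unverified = :
endif

.INTERMEDIATE: copy-and-sign.stamp
copy-and-sign.stamp: $(RELEASEFILES)
	mkdir -p $(SDIR)
	cp -u $^ $(SDIR)/
	cd $(SDIR)/ || exit 1; \
	unsigned=; \
	for f in $(notdir $^); do \
	    if $(SIGNTOOL) verify /pa "$$f" >/dev/null 2>&1; then \
	        echo "Valid signature: $$f"; \
	    else \
	        echo "Sig error: $$f"; \
	        unsigned="$$unsigned $$f"; \
	    fi; \
	done; \
	[ -z "$$unsigned" ] || { $(sign_unverified); }
	touch $@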
# The staged copies are written by the copy-and-sign.stamp recipe (its cp into
# $(SDIR)), so this rule has no recipe of its own: it only records that every
# file in $(STAGED_RELEASEFILES) depends on that stamp.
$(STAGED_RELEASEFILES): copy-and-sign.stamp
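# Package the staged files into the release archive.
# tar runs inside $(SDIR) so the archive holds bare file names; $(abspath ...)
# keeps the output path valid after the cd.
# The archive is written to a temporary name and renamed on success, so an
# interrupted or failed tar cannot leave a truncated archive that looks up to
# date. The output directory is created if it does not exist yet.
$(ODIR)/postbuildartifacts.tgz: $(STAGED_RELEASEFILES)
	mkdir -p $(@D)
	cd $(SDIR)/ && tar zcvf $(abspath $@).tmp $(notdir $^) \
	    || { rm -f $(abspath $@).tmp; exit 1; }
	mv -f $@.tmp $@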
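# Remove the staged copies from both staging directories, the packaged
# archive, and a stamp left behind by an interrupted run. Declared phony so
# that a file named "clean" cannot turn this into a no-op.
.PHONY: clean
clean:
	rm -f $(SIGNED_SDIR)/* $(UNSIGNED_SDIR)/* $(ODIR)/postbuildartifacts.tgz copy-and-sign.stamp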