Last active
November 1, 2016 17:23
Win Batch script for SHA256 signing an exe using a DigiCert cert
@echo off
setlocal
:: Code-sign .exe file using signtool and installed DigiCert code-signing cert/key and CA
:: Larry Shaffer lshaffer at boundlessgeo dot com, Oct 2016
::
:: See usage at bottom of script
::
:: Requirements:
::   Need Win SDK 7.0 or higher
::   Need internet connection (for the timestamp server)
::   Install signing cert/key bundle into Machine (all users) cert store
::   Install any intermediate CA into Machine cert store, as signtool will include it
::   Use /sm if code signing cert was imported to Machine (not My) cert store
::   SHA1 signature of cert MUST be uppercase
::
:: You can also use the DigiCert GUI-based utility https://www.digicert.com/util/
:: NOTE: the utility only does SHA1 signing of the exe, so not useful for Win 10+
::
:: signtool docs, circa 2016: https://msdn.microsoft.com/en-us/library/aa387764(v=vs.85).aspx
:: example signing using Machine cert store and sha256
::   signtool sign /sm /tr http://timestamp.digicert.com /td sha256 /fd sha256 ^
::     /sha1 UPPERCASESHA1SIGNATURE some.exe

:: Argument checks: exactly two parameters, a cert hash and a path to an .exe
if not "x%~3"=="x" (
    echo Too many parameters
    echo.
    goto usage
)
if "x%~2"=="x" (
    echo Missing second parameter
    echo.
    goto usage
)
if "x%~1"=="x" (
    echo Missing first parameter
    echo.
    goto usage
)

:: note: check could fail for network drive
:: %~2 strips any quotes the caller passed so the path is re-quoted exactly once
if not exist "%~2" (
    echo Exe file not found
    echo.
    goto usage
)

:: %%~xi expands to the file extension; /I makes the comparison case-insensitive (.EXE)
for %%i in ("%~2") do set EXEXT=%%~xi
if /I not "%EXEXT%"==".exe" (
    echo Extension not .exe
    echo.
    goto usage
)

:: set SDK bin path to short (8.3) path version so it needs no quoting below
for %%i in ("%PROGRAMFILES%\Microsoft SDKs\Windows\v7.1\Bin") do set SDK_BIN=%%~fsi

:: Step 1: SHA256 file digest, cert selected by SHA1 thumbprint from the Machine store
%SDK_BIN%\signtool.exe sign /sm /fd sha256 /sha1 %~1 "%~2"
if errorlevel 1 goto error

:: Step 2: RFC 3161 SHA256 timestamp so the signature stays valid after the cert expires
%SDK_BIN%\signtool.exe timestamp /tr http://timestamp.digicert.com /td sha256 "%~2"
if errorlevel 1 goto error

goto end

:usage
echo.
echo usage:
echo   code-sign-exe.bat certhash some.exe
echo.
echo   certhash: signing cert SHA1 hash; must be UPPERCASE
echo   some.exe: path of .exe to sign
echo.
exit /b 1

:error
echo Failed with error #%errorlevel%.
exit /b %errorlevel%

:end
endlocal
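A post-signing check to pair with the script above, added here as an example and not part of the gist: it takes the same uppercase SHA1 thumbprint the batch file takes as its first argument and confirms the .exe now carries a valid signature from that cert, that the second (timestamp) signtool step actually landed, and that the signer chains to a trusted root. The script name `verify-signed-exe.ps1` is assumed.

```powershell
# Added example (not part of the gist): verify an .exe signed by code-sign-exe.bat.
# Usage: .\verify-signed-exe.ps1 -CertHash <UPPERCASE SHA1 thumbprint> -ExePath some.exe
param(
    [Parameter(Mandatory = $true)][string]$CertHash,
    [Parameter(Mandatory = $true)][string]$ExePath
)

# Same thumbprint the signing script took; normalise so a lowercase or
# space-separated copy/paste still compares correctly (Thumbprint is uppercase hex).
$expected = ($CertHash -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 40) { throw 'CertHash must be a 40-hex-digit SHA1 thumbprint' }

$sig = Get-AuthenticodeSignature -FilePath $ExePath
$problems = @()

if ($sig.Status -ne 'Valid') {
    $problems += "signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($null -eq $sig.SignerCertificate) {
    $problems += 'file carries no Authenticode signature'
} elseif ($sig.SignerCertificate.Thumbprint -ne $expected) {
    $problems += "signed by $($sig.SignerCertificate.Thumbprint), expected $expected"
}

# The batch script timestamps in a separate signtool call; no counter-signature means
# that step failed or was skipped, and the signature dies with the cert's expiry date.
if ($null -eq $sig.TimeStamperCertificate) {
    $problems += 'signature is not timestamped'
}

# The signer must chain through the intermediate CA installed in the Machine store.
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($sig.SignerCertificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "certificate chain does not build: $status"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $ExePath signed by $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
    exit 0
}
$problems | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Get-AuthenticodeSignature does not expose the file-digest algorithm, so this does not prove SHA256 was used for /fd; `signtool verify /pa /v some.exe` reports that detail.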