keeweb/build/tasks/grunt-sign-exe.js

const fs = require('fs');
const path = require('path');
const { spawnSync } = require('child_process');
const AdmZip = require('adm-zip');
const { runRemoteTask } = require('run-remote-task');

module.exports = function(grunt) {
    grunt.registerMultiTask(
        'sign-exe',
        'Signs exe file with authenticode certificate',
        async function() {
            const done = this.async();
            const opt = this.options();

            for (const [file, name] of Object.entries(opt.files)) {
                await signFile(file, name, opt);
            }

            done();
        }
    );

    async function signFile(file, name, opt) {
        grunt.log.writeln(`Signing ${file}...`);

        const fileNameWithoutFolder = path.basename(file);

        const actionConfig = {
            exe: fileNameWithoutFolder,
            name: name || fileNameWithoutFolder,
            url: opt.url
        };

        const zip = new AdmZip();
        zip.addFile('action.json', Buffer.from(JSON.stringify(actionConfig)));
        zip.addLocalFile(file);
        const zipContents = zip.toBuffer();

        fs.writeFileSync('data.zip', zipContents);

        try {
            const taskResult = await runRemoteTask(opt.windows, zipContents);
            const signedFile = taskResult.file;

            const signtool =
                'C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit\\signtool.exe';
            const res = spawnSync(signtool, ['verify', '/pa', '/v', signedFile]);

            if (res.status) {
                grunt.warn(
                    `Verify error ${file}: exit code ${res.status}.\n${res.stdout.toString()}`
                );
            }

            if (!res.stdout.includes('Successfully verified')) {
                grunt.warn(`Verify error ${file}:\n${res.stdout.toString()}`);
            }

            if (!res.stdout.includes(opt.certHash)) {
                grunt.warn(`Verify error ${file}: expected hash was not found`);
            }

            fs.unlinkSync(signedFile, file);
            fs.writeFileSync(file, taskResult.data);
            grunt.log.writeln(`Signed ${file}: ${name}`);
        } catch (e) {
            grunt.warn(`Sign error ${file}: ${e}`);
        }
    }
};
Added missing files 2019-01-07 18:33:21 +01:00			`const fs = require('fs');`
signing code on a Windows VM 2020-04-03 20:26:27 +02:00			`const path = require('path');`
			`const { spawnSync } = require('child_process');`
remote code signing 2020-04-05 21:43:32 +02:00			`const AdmZip = require('adm-zip');`
			`const { runRemoteTask } = require('run-remote-task');`
Added missing files 2019-01-07 18:33:21 +01:00
prettier 2019-08-16 23:05:39 +02:00			`module.exports = function(grunt) {`
remote code signing 2020-04-05 21:43:32 +02:00			`grunt.registerMultiTask(`
			`'sign-exe',`
			`'Signs exe file with authenticode certificate',`
			`async function() {`
			`const done = this.async();`
			`const opt = this.options();`

			`for (const [file, name] of Object.entries(opt.files)) {`
			`await signFile(file, name, opt);`
			`}`

			`done();`
Added missing files 2019-01-07 18:33:21 +01:00			`}`
remote code signing 2020-04-05 21:43:32 +02:00			`);`

			`async function signFile(file, name, opt) {`
			grunt.log.writeln(`Signing ${file}...`);
signing code on a Windows VM 2020-04-03 20:26:27 +02:00
			`const fileNameWithoutFolder = path.basename(file);`
remote code signing 2020-04-05 21:43:32 +02:00
			`const actionConfig = {`
			`exe: fileNameWithoutFolder,`
			`name: name \|\| fileNameWithoutFolder,`
			`url: opt.url`
			`};`

			`const zip = new AdmZip();`
			`zip.addFile('action.json', Buffer.from(JSON.stringify(actionConfig)));`
			`zip.addLocalFile(file);`
			`const zipContents = zip.toBuffer();`

			`fs.writeFileSync('data.zip', zipContents);`

			`try {`
			`const taskResult = await runRemoteTask(opt.windows, zipContents);`
			`const signedFile = taskResult.file;`

signtool 2020-04-05 22:45:46 +02:00			`const signtool =`
			`'C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit\\signtool.exe';`
ci 2020-04-05 23:39:36 +02:00			`const res = spawnSync(signtool, ['verify', '/pa', '/v', signedFile]);`
code signing 2020-04-05 22:13:06 +02:00
ci 2020-04-05 23:39:36 +02:00			`if (res.status) {`
code signing 2020-04-05 22:13:06 +02:00			`grunt.warn(`
			`Verify error ${file}: exit code ${res.status}.\n${res.stdout.toString()}`
			`);`
signing code on a Windows VM 2020-04-03 20:26:27 +02:00			`}`
code signing 2020-04-05 22:13:06 +02:00
ci 2020-04-05 23:39:36 +02:00			`if (!res.stdout.includes('Successfully verified')) {`
			grunt.warn(`Verify error ${file}:\n${res.stdout.toString()}`);
			`}`

			`if (!res.stdout.includes(opt.certHash)) {`
			grunt.warn(`Verify error ${file}: expected hash was not found`);
			`}`

code signing 2020-04-05 22:13:06 +02:00			`fs.unlinkSync(signedFile, file);`
			`fs.writeFileSync(file, taskResult.data);`
remote code signing 2020-04-05 21:43:32 +02:00			grunt.log.writeln(`Signed ${file}: ${name}`);
			`} catch (e) {`
			grunt.warn(`Sign error ${file}: ${e}`);
signing code on a Windows VM 2020-04-03 20:26:27 +02:00			`}`
Added missing files 2019-01-07 18:33:21 +01:00			`}`
			`};`