From bc223af05dfcde5f2dc3193182ba218798efc10a Mon Sep 17 00:00:00 2001
From: Marcos Oviedo <marcos@fleetdm.com>
Date: Thu, 18 May 2023 16:47:33 -0300
Subject: [PATCH] Helper utilities to showcase windows authenticode signing
 (#11780)

This relates to #11013

Helper utilities to showcase Windows Authenticode signing.

The fleetdm.pfx certificate file is a self-signed test certificate
---
 orbit/tools/build/fleetdm.pfx     | Bin 0 -> 2662 bytes
 orbit/tools/build/sign-windows.sh |  37 ++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 orbit/tools/build/fleetdm.pfx
 create mode 100755 orbit/tools/build/sign-windows.sh

diff --git a/orbit/tools/build/fleetdm.pfx b/orbit/tools/build/fleetdm.pfx
new file mode 100644
index 0000000000000000000000000000000000000000..fa03ea1d336eeeae6a1e90d9acdec78849144d97
GIT binary patch
literal 2662
zcmZWpc{tQ<7yb=n7(|w_FOyxiv6g+y7R8h#jdd)kB#eY?Lzu==2-&kHYp8c*nNWnW
zWzX2xBE*CU-_-Sf?|XgMcRklxp8G!MKF>eTL0}nOXh5_GETa$vdOF%PdiMl~9+Zb=
zWCddxnW!*50t*5Dhobuq#?pO5VClY4Z4tuscNa4wh$asUK0;u@`v?ID<9}hQI189T
zzI^+w$UH@phK9Z$j0KOSaDNf4VybY)J;2s3m>gaT7eY$l19O|3yeo<F7wyd?*Uotu
zb9Gm4aSb$XVK+7{Sy%|9ft%Qv24r_J2lM%_L@a)$+MW?<opt6(1qK`xoH>(z8*QKO
zqxLe)ehc{M)c0#3NxJ=hES`R2KGfQDZLku9xNnt^SkM~f$$`d5wThd6cpq)_v8mK%
z#VY{zHaeBy7?K|1_`u+s*Gi@xShmb~vui)Pb*NE0a>rJ+4IP<58YG{R61^36U;~6}
z*;V>~A0OkN5-EoCAq)-_={T@pl;bFQ!{79g#<=m`;|O4tR;=B3vAfNB0Xu8M^=nRk
z!~0mJRz)p4;|2F--{q|nvNv{Hk-DjVs1EZ)vsqiV0ag+4fLBOf1#(6bRw&^OFEE@P
zMvB-}8)nui9YO!H9-UC|{em)(t6EsS1lLfR3;Vh}8XIWIk$`%j#ueTy-rGH#Abu)%
z8CINjle<}toRgT)mS#5Po{=zEw5*KZ4Cz7T4znoy<i1Q%eyM{zQ=8yXMrfAaAgy65
zyIn{6omHz?x3cg#Mz@2qYA5&n<4fDUoe93*o{_66Vf=#@qO&U^VeHX)$^nLLdQjQ)
zdtasINdu1U3h1bc%)ZB|SshkuQ^%tPq(cpsi7H*x5<y*YZ$bG@%W<~&wTvK!Z#O<H
z$!T3>-%y#b-)S@xf5bcF=LgSeG-tIDjd%Q5D}MeguY`#RspSOC40eH+CS%=;%;$81
z7So}g2C7fsN{KKIa(LYrcgJ+MpS*m){vfIm*Oyu9o|vTMsVld{z$sIwnJ*z=l9q13
zqZ>0dXCx9`O}KIdUpbuk_Cwrcm$Y33b-FZd_#@|`BVNRnIay+6bldxQDGsOU*p!2_
z7hi39+DCDktb1dppup!5q^lT&Q<|;!tZXZmF!K5tslhIYY%<$lIFt-S1=<<9U+>_1
zZQGA33Tia$&DO=^loq*U*P<kpHKrdv<@vGGFs!&pSsWe9<oRm?Q0)<nES<Ccx;^L3
zcmH$pg=te)8Ian{WSQ#JrJJJ$=)wZerb-zKvd7`O{uchu%j^8}!r6%dlXvl~k<M_{
zoa1M!i_@LN3Exy{@6ZO9!m=st9uH=P`6#u9cC9#H9Vc_EuB{^|!{^hJEn4S}ZVsm;
z)Eo%^<a<xDURAS`lvnomY2z46ep~ejC_dWSui-J$@vtS1y&1}qbGJTWaX1|R`PCfS
z&`M~3aE>F;k-p>Z&YG|L<|a|=u)cU8uY}`VXYDDj)=%-n-qDHGG1=-`7}=u;h^WH~
zKY}c>-#{tgJa1Xrn7WU_Xr1ukxLiOe`)+`&3^gV`)LIisM(m??S+gt>qJH%FwpNPq
znxQ5u4%1gf{q;L=GdZ^`6x)E#=;FOV+X9i>sjhXe5BFxK*Or1jlWlicKey3Q-k05}
z*Pdb`FTWc1nNKP_si3ee#$1kleC=m@RB;(RZTyfC<Jr&mVO#U1z7itb0_l@+PscJ^
zy%wJP{KgqyffTdGyEWkDLb4;en{%bz$wF2qb()1;>cjOsWz1Q%l}|AU<NFG^LuYsy
z(j@7LXhD#TC==Y|BrQ8Mm_dL=(TFp6C%mKM1|Bwpc1WW)&DME=A~nuOlt*?E`q1F%
zzS1T^V?Z%t5W(@!x`e_MAz&~F004yjzaXcgmC!{11GoWlfHI&CI0G(#D%Gn{y&M&F
z0T5J^qu!OM=viv!0;o~z6segz;7UDi)aVABq1GY(MEBqFG7u0LggwIs`Xhe<@C49+
zFW?RMQO%t?4h~%YI}4!7`cfO=fH~C%{$Vgw&X<aN{K2jMbl#(C{2u0uz|tQ7^L~0r
z9+q~K3a!zA0BTtLmjV6%;@^a-I+P+^oqsR>a4aoBvxM#Iqy_{j5vq?8yxz?1K+zF1
z*ju|@qRW^`ka@3FadbSsKJ?^`vfZZ~J|)ewnJ;Ax?5;IsGraS&xe|Usdg^>urZY`b
z$9s3k_mrYJhIC>A$)k?HT0Or^TSHUh`G(FrVL^|cU!P|wtU}PYv9TlbJvcDBLZr=0
zA}oA_e@I1H_sT)xR}}|3RSNC$BJe|qWe&PHz91$b-$kr!)icCb5XVM^IRu}B%V;z}
z?MqkGNGs0WJ&N-NDy14Agwf6XmJex1yhcSI?JUMA`^<^@pR;kqNiHAh$#OELuBUo6
zmMtGtJC%{bAuE`0HuAd<TjtLePr>8UbYI{+JK3tnVzb#5DG#G0WL^{yod!mF*@~T2
zwF|<oS=9^#*NFDQt|)W`B<LOYsPQr<$L~7SE6S)td1ORqr4F}Hg|~Ny@Aj@yrhnN8
z%iEpSsVBUNaywi<C7;!>B+lb?dqfXb?`F(9aX6|OF8*NJOTT3P@)z6kr%l^0cz@k(
zk@vH+jVGmVNd-6rML}b2^Jj)+7T&$Q39l6IC0S1u2d<7<oxGGuwtyFT+*}?a6EEIw
z`|2$HC@c^jtv(Bb!Eo2}?)f0qLyRP)hAcwOAB$^VT^b2gpPm$$uw+w2zX_(tISj&|
zatNqy=|sE^>mZz(pSoIO>{4#k1S==r;(D^at(cOu#5{&#>EDUsN31tyT<r}hscJ^S
z0;+164hGfEzbXYYnrV12cx~hP?%mKaJryCHf;q7C5OmP;;_*pFOLrMVozAh0`)xSh
zqu*Z$wrL3;u1`{x<w?*(=+cA)#zHKEY@>7oi>%1ZC)qTInLko=8sZErW#jPAdiS#`
z@V#HIdweMv?7V7pHm9f|rakeJz%c`pz)9F1d+4tl8*$9$q&|EudOh#$-bK$uUBgns
z%=-2dVXIG4gvS97dvNTIr}rW)`kC=Qbsg4R1{%;di<y4N<y;K3TinHFyz>B4kMm$0
z+3fh%+nw?9u1)dgJN6g8!7G<5t6x`)sjWxsNltVgT;FIiDZ<b1J|S4xYFa+V4y5dm
z1R^Ob&!@B(x}H8r(r<1E?Zq|ExcOJKvPM?qE8Wu1gvF0w57V~S{9RX8?TeJ$;=2V#
zBTDWBgeO5ij)K~{Q(oWwYdnw~@B7XodG}eQzQ1V4s8rp~>&O^x-q22`hI-D>NJ1&6
zwAwR>_Aoqc19@vT_enN`&{X16Z#@*480UwKN#<{|pEHSuaM$=`)d`CYE#?GCQKS%>
z2w?<0gieNqmWB_^8C<L96<;#_jxA_|{7QrWP!jhc1kCBOKXNh^T66I^T|;8%_w)Jc
KAn%snAOAlgo6Yn9

literal 0
HcmV?d00001

diff --git a/orbit/tools/build/sign-windows.sh b/orbit/tools/build/sign-windows.sh
new file mode 100755
index 0000000000..d0c46d925c
--- /dev/null
+++ b/orbit/tools/build/sign-windows.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+input_file=$1
+
+if [ ! -f "$input_file" ]
+then
+    echo 'First argument must be path to binary'
+    exit 1
+fi
+
+# Skip if not a windows PE executable
+if ! ( file "$input_file" | grep -q PE )
+then
+    echo 'Skip windows signing'
+    exit 0
+fi
+
+if ! command -v osslsigncode >/dev/null 2>&1 ; then
+    echo "Osslsigncode utility is not present. Binary cannot be signed."
+    exit 1
+fi
+
+work_file="${input_file}_old"
+
+mv "$input_file" "$work_file"
+
+osslsigncode sign -pkcs12 "./orbit/tools/build/fleetdm.pfx" -pass "fleetdm" -n "Fleet Osquery" -i "https://www.fleetdm.com" -t "http://timestamp.comodoca.com/authenticode" -in "$work_file" -out "$input_file"
+
+retVal=$?
+if [ $retVal -ne 0 ]; then
+    echo "There was an error when signing."
+else
+    echo "Binary $input_file was successfully signed."
+    rm $work_file
+fi
+exit $retVal
\ No newline at end of file