forked from pbatard/Fido
-
Notifications
You must be signed in to change notification settings - Fork 0
/
sign.sh
36 lines (32 loc) · 1.76 KB
/
sign.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#!/bin/bash
# Creates an LZMA compressed Fido.ps1 (including decompressed size) and sign it
PRIVATE_KEY=/d/Secured/Akeo/Rufus/private.pem
PUBLIC_KEY=/d/Secured/Akeo/Rufus/public.pem
# Create or update a signature
sign_file() {
if [ -f $FILE.sig ]; then
SIZE=$(stat -c%s $FILE.sig)
openssl dgst -sha256 -verify $PUBLIC_KEY -signature $FILE.sig $FILE >/dev/null 2>&1
if [ ! $? -eq 0 ]; then
echo Updating signature for $FILE
openssl dgst -sha256 -sign $PRIVATE_KEY -passin pass:$PASSWORD -out $FILE.sig $FILE
fi
else
# No signature => create a new one
echo Creating signature for $FILE
openssl dgst -sha256 -sign $PRIVATE_KEY -passin pass:$PASSWORD -out $FILE.sig $FILE
fi
}
# Update the Authenticode signature
cmd.exe /c '"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool" sign /v /sha1 3dbc3a2a0e9ce8803b422cfdbc60acd33164965d /fd SHA256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /td SHA256 Fido.ps1'
read -s -p "Enter pass phrase for `realpath $PRIVATE_KEY`: " PASSWORD
echo
# Confirm that the pass phrase is valid by trying to sign a dummy file
openssl dgst -sha256 -sign $PRIVATE_KEY -passin pass:$PASSWORD $PUBLIC_KEY >/dev/null 2>&1 || { echo Invalid pass phrase; exit 1; }
lzma -kf Fido.ps1
# The 'lzma' utility does not add the uncompressed size, so we must add it manually. And yes, this whole
# gymkhana is what one must actually go through to insert a 64-bit little endian size into a binary file...
printf "00: %016X" `stat -c "%s" Fido.ps1` | xxd -r | xxd -p -c1 | tac | xxd -p -r | dd of=Fido.ps1.lzma seek=5 bs=1 status=none conv=notrunc
find . -maxdepth 1 -name "Fido.ps1.lzma" | while read FILE; do sign_file; done
# Clear the PASSWORD variable just in case
PASSWORD=`head -c 50 /dev/random | base64`