34 lines
1.3 KiB
Bash
34 lines
1.3 KiB
Bash
|
#!/bin/bash
|
||
|
|
# Simple script to use Microsoft code signing trust from CCADB
|
||
|
|
|
||
|
|
CSURL="https://ccadb-public.secure.force.com/microsoft/IncludedRootsPEMTxtForMSFT?MicrosoftEKUs=Code%20Signing"
|
||
|
|
|
||
|
|
rm -f mscertsign.txt CS.txt
|
||
|
|
wget -O mscertsign.txt ${CSURL}
|
||
|
|
|
||
|
|
echo " Mozilla no longer provides any trust information for code signing, opting only
|
||
|
|
# to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
|
||
|
|
# the functionality from NSS. The following list of certificate hashes (already
|
||
|
|
# installed as they have TLS trust from Mozilla) are also trusted by Microsoft
|
||
|
|
# for code signing. The Microsoft Trusted Root Certificate Program's inclusion
|
||
|
|
# policy is available for review at:
|
||
|
|
# https://docs.microsoft.com/en-us/security/trusted-root/program-requirements.
|
||
|
|
# See https://www.ccadb.org/ for joint efforts between Google, Microsoft, and
|
||
|
|
# Mozilla to create a unified trust store.
|
||
|
|
" > CS.txt
|
||
|
|
|
||
|
|
date=`date -u`
|
||
|
|
echo "# List current as of ${date}." >> CS.txt
|
||
|
|
echo -e "# Move this list to \$SSLDIR and use -i to add code signing trust\n" \
|
||
|
|
>> CS.txt
|
||
|
|
|
||
|
|
startlist=`grep -n "^-----BEGIN" mscertsign.txt | cut -d ":" -f 1`
|
||
|
|
for certbegin in ${startlist}; do
|
||
|
|
awk "NR==$certbegin,/^-----END CERTIFICATE-----/" mscertsign.txt \
|
||
|
|
> ${certbegin}.crt
|
||
|
|
openssl x509 -noout -in ${certbegin}.crt -hash >> CS.txt
|
||
|
|
rm ${certbegin}.crt
|
||
|
|
done
|
||
|
|
rm -r mscertsign.txt
|
||
|
|
|