commit f1cc6bc762c337d9cbc7187d2958dcb54007f9ff Author: Georg Koppen gk@torproject.org Date: Tue Nov 26 18:16:10 2019 +0000
Bug 32556: Keep track of entitlement files and add signing script templates --- tools/signing/README | 7 ++++ tools/signing/alpha.entitlements.xml | 53 ++++++++++++++++++++++++++++++ tools/signing/authenticode-signing.sh | 48 +++++++++++++++++++++++++++ tools/signing/authenticode-timestamping.sh | 46 ++++++++++++++++++++++++++ tools/signing/gatekeeper-bundling.sh | 49 +++++++++++++++++++++++++++ tools/signing/gatekeeper-signing.sh | 51 ++++++++++++++++++++++++++++ tools/signing/notarization.sh | 50 ++++++++++++++++++++++++++++ tools/signing/stable.entitlements.xml | 53 ++++++++++++++++++++++++++++++ tools/signing/stapler.sh | 47 ++++++++++++++++++++++++++ tools/signing/tbb-signing.sh | 38 +++++++++++++++++++++ 10 files changed, 442 insertions(+)
diff --git a/tools/signing/README b/tools/signing/README
new file mode 100644
index 0000000..e18a761
--- /dev/null
+++ b/tools/signing/README
@@ -0,0 +1,7 @@
+The files in this directory are a large part of what we use when signing
+releases. The scripts are meant to be templates, though, at the moment
+omitting specific paths and credential information.
+
+Additionally, when starting to used them for an own signing setup don't forget
+to adapt the locale list if needed. The entitlement files, however, are kept
+up-to-date.
diff --git a/tools/signing/alpha.entitlements.xml b/tools/signing/alpha.entitlements.xml
new file mode 100644
index 0000000..3097c05
--- /dev/null
+++ b/tools/signing/alpha.entitlements.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the .app bundle and all executable files
+ contained within it during codesigning of production channel builds that
+ will be notarized. These entitlements enable hardened runtime protections
+ to the extent possible for Firefox. Some supporting binaries within the
+ bundle could use more restrictive entitlements, but they are launched by
+ the main Firefox process and therefore inherit the parent process
+ entitlements.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Firefox does not use MAP_JIT for executable mappings -->
+ <key>com.apple.security.cs.allow-jit</key><false/>
+
+ <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Code paged in from disk should match the signature at page in-time -->
+ <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Allow dyld environment variables. Needed because Firefox uses
+ dyld variables to load libaries from within the .app bundle. -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Don't allow debugging of the executable. Debuggers will be prevented
+ from attaching to running executables. Notarization does not permit
+ access to get-task-allow (as documented by Apple) so this must be
+ disabled on notarized builds. -->
+ <key>com.apple.security.get-task-allow</key><false/>
+
+ <!-- Firefox needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- Firefox needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- Firefox needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+
+ <!-- Allow Firefox to send Apple events to other applications. Needed
+ for native messaging webextension helper applications launched by
+ Firefox which rely on Apple Events to signal other processes. -->
+ <key>com.apple.security.automation.apple-events</key><true/>
+
+ <!-- For SmartCardServices(7) -->
+ <key>com.apple.security.smartcard</key><true/>
+ </dict>
+</plist>
diff --git a/tools/signing/authenticode-signing.sh b/tools/signing/authenticode-signing.sh
new file mode 100755
index 0000000..7e2e6f0
--- /dev/null
+++ b/tools/signing/authenticode-signing.sh
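Review bot: The justification comments on `com.apple.security.cs.disable-library-validation` ("Needed for Flash and CDMs") and `com.apple.security.cs.allow-dyld-environment-variables` describe Firefox rather than the bundle these files are used to sign, so nothing in the file records why the signed app needs two entitlements that relax hardened-runtime library loading. Each `<true/>` key that weakens the hardened runtime should carry a comment giving the Tor Browser reason, or be set to `<false/>` if there is none. The header comment also says "production channel builds" in a file named alpha.entitlements.xml; a line such as `<!-- Applied to alpha channel builds; currently identical to stable.entitlements.xml -->` would make the intent explicit. stable.entitlements.xml has the same blob id (3097c05), so the same applies there.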
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Copyright (c) 2019, The Tor Project, Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+set -e
+
+read -sp "Enter passphrase: " pass
+echo
+for i in `find . -name "*.exe" -print`
+do
+ /path/to/patched/osslsigncode/build/osslsigncode \
+ -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
+ -pkcs11module /usr/lib/libeTPkcs11.so \
+ -pass $pass \
+ -h sha256 \
+ -certs $path/to/cert \
+ -key $key \
+ $i $i-signed
+done
+rename -f 's/-signed//' *-signed
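Review bot: The passphrase is passed as `-pass $pass`, unquoted and on the command line, so a passphrase containing whitespace or glob characters is split or expanded, and the value is visible in the process list while each osslsigncode run lasts; at minimum quote it (`-pass "$pass"`) and read it with `read -rsp` so backslashes survive, and prefer a file- or prompt-based option if the patched osslsigncode offers one. The backtick `find` loop word-splits paths, and the final `rename -f 's/-signed//' *-signed` only matches the current directory although `find` recurses, so a signed copy in a subdirectory would never replace its unsigned original; the same loop shape is in authenticode-timestamping.sh and tbb-signing.sh. `-certs $path/to/cert` expands the unset `$path`, and `$key` is never assigned in the script; if these are template placeholders, a guard such as `: "${key:?}"` makes a forgotten edit fail loudly. The loop below is one way to handle the paths and the per-file rename.

```bash
read -rsp "Enter passphrase: " pass
echo
while IFS= read -r -d '' exe
do
  # … unchanged: osslsigncode invocation and its options, with "$pass", "$exe" and "$exe-signed" quoted …
  mv -f -- "$exe-signed" "$exe"
done < <(find . -name "*.exe" -print0)
```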
diff --git a/tools/signing/authenticode-timestamping.sh b/tools/signing/authenticode-timestamping.sh
new file mode 100755
index 0000000..77973b7
--- /dev/null
+++ b/tools/signing/authenticode-timestamping.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Copyright (c) 2019, The Tor Project, Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+set -e
+
+COUNT=0
+for i in `find . -name "*.exe" -print`
+do
+ /path/to/patched/osslsigncode add \
+ -t http://timestamp.digicert.com \
+ -p socks://127.0.0.1:9050 \
+ $i $i-timestamped
+ COUNT=$((COUNT + 1))
+
+done
+echo "Timestamped $COUNT .exe files, now renaming"
+rename -f 's/-timestamped//' *-timestamped
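Review bot: The timestamped copy is renamed over the original with `rename -f` without any check that it still carries a valid signature and timestamp, while the request itself goes over plain `http://` through the SOCKS proxy on 127.0.0.1:9050. `set -e` stops the loop on a non-zero exit, but a verification step before the rename, for example `/path/to/patched/osslsigncode verify "$i-timestamped"`, would catch a response that was accepted but is not the expected countersignature (assuming the patched build keeps the upstream `verify` command). `$i` and `$i-timestamped` should also be quoted, and the rename only covers the current directory although `find` recurses.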
diff --git a/tools/signing/gatekeeper-bundling.sh b/tools/signing/gatekeeper-bundling.sh
new file mode 100755
index 0000000..742bc61
--- /dev/null
+++ b/tools/signing/gatekeeper-bundling.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# Copyright (c) 2019, The Tor Project, Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+TORBROWSER_VERSION=$1
+if [ -z $TORBROWSER_VERSION ];
+then
+ echo "Please call this script with a Tor Browser version!"
+ exit 1
+fi
+BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW"
+builddir=/path/to/the/build/dir
+mkdir $builddir/$TORBROWSER_VERSION-signed
+for LANG in $BUNDLE_LOCALES
+do
+ cd $builddir/dmg
+ unzip -q $builddir/$TORBROWSER_VERSION/tb-${TORBROWSER_VERSION}_$LANG-stapled.zip
+ cd ..
+ $builddir/ddmg.sh $builddir/$TORBROWSER_VERSION-signed/TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg $builddir/dmg/
+ rm -rf 'dmg/Tor Browser.app'
+done
diff --git a/tools/signing/gatekeeper-signing.sh b/tools/signing/gatekeeper-signing.sh
new file mode 100755
index 0000000..3f31f82
--- /dev/null
+++ b/tools/signing/gatekeeper-signing.sh
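Review bot: Unlike the two authenticode scripts, this one has no `set -e`, so a failed `cd $builddir/dmg` or `unzip` does not stop the loop: `ddmg.sh` then builds a .dmg from whatever is in `$builddir/dmg/`, and the `rm -rf` runs relative to the wrong directory. Adding `set -e` after the licence header (and likewise in gatekeeper-signing.sh, notarization.sh and stapler.sh, which share the pattern) makes a missing stapled zip abort the run instead of leaving an image in the -signed directory. The emptiness test should be quoted as it is in the other scripts, `if [ -z "$TORBROWSER_VERSION" ];`, and the path expansions quoted as well. Using `LANG` as the loop variable also changes the locale seen by `unzip` and `ddmg.sh` when `LANG` is exported in the caller's environment; a name such as `locale` avoids that.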
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Copyright (c) 2019, The Tor Project, Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+TORBROWSER_VERSION=$1
+if [ -z "$TORBROWSER_VERSION" ];
+then
+ echo "Please call this script with a Tor Browser version!"
+ exit 1
+fi
+ENTITLEMENTS=/path/to/stable.entitlements.xml
+BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW"
+for LANG in $BUNDLE_LOCALES
+do
+ hdiutil attach TorBrowser-${TORBROWSER_VERSION}-osx64_$LANG.dmg
+ cp -rf "/Volumes/Tor Browser/Tor Browser.app" "Tor Browser.app"
+ echo "Signing Tor Browser_$LANG.app"
+ codesign -vvv --deep -o runtime --entitlements="$ENTITLEMENTS" --timestamp -f -s "$ID" "Tor Browser.app/"
+ echo "Zipping up"
+ zip -qr tb-${TORBROWSER_VERSION}_${LANG}.zip "Tor Browser.app"
+ rm -rf "Tor Browser.app"
+ hdiutil detach "/Volumes/Tor Browser"
+done
diff --git a/tools/signing/notarization.sh b/tools/signing/notarization.sh
new file mode 100755
index 0000000..eb29e74
--- /dev/null
+++ b/tools/signing/notarization.sh
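Review bot: `codesign` is given `-s "$ID"`, but `ID` is never assigned in the script, and since nothing checks the exit status a failed `codesign` is still followed by `zip`, so an unsigned `Tor Browser.app` can end up in `tb-${TORBROWSER_VERSION}_${LANG}.zip`. A guard such as `: "${ID:?set ID to the signing identity}"` before the loop, plus `set -e` or an explicit `|| exit 1` on the `codesign` line, would stop that. The copy also assumes the image mounts at `/Volumes/Tor Browser`; if a volume of that name is still attached from an earlier run the new image will likely get a different mount point and the stale app would be the one signed, so it is worth checking that the path is not mounted before `hdiutil attach`. A `codesign --verify --deep --strict "Tor Browser.app"` after signing would confirm the result before zipping.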
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Copyright (c) 2019, The Tor Project, Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+TORBROWSER_VERSION=$1
+if [ -z "$TORBROWSER_VERSION" ];
+then
+ echo "Please call this script with a Tor Browser version!"
+ exit 1
+fi
+BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW"
+for LANG in $BUNDLE_LOCALES
+do
+ mkdir $LANG
+ cd $LANG
+ mv ../tb-${TORBROWSER_VERSION}_$LANG.zip .
+ unzip -q tb-${TORBROWSER_VERSION}_$LANG.zip
+ echo "Notarizing $LANG..."
+ xcrun altool --notarize-app -t osx -f tb-${TORBROWSER_VERSION}_$LANG.zip
+ --primary-bundle-id org.torproject.torbrowser -u USERNAME -p @env:PW --output-format xml
+ cd ..
+done
diff --git a/tools/signing/stable.entitlements.xml b/tools/signing/stable.entitlements.xml
new file mode 100644
index 0000000..3097c05
--- /dev/null
+++ b/tools/signing/stable.entitlements.xml
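Review bot: The `xcrun altool --notarize-app` command is split over two lines with no trailing backslash (the hunk's 50-line count only adds up with the break), so the shell runs altool with just `-t osx -f <zip>` and then tries to execute `--primary-bundle-id` as a command of its own. The first line should end with a continuation: `xcrun altool --notarize-app -t osx -f "tb-${TORBROWSER_VERSION}_$LANG.zip" \`. Because the script has no `set -e`, the failure scrolls past and the loop moves on to the next locale; checking altool's exit status would make a submission that never happened visible before the stapling step.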
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the .app bundle and all executable files
+ contained within it during codesigning of production channel builds that
+ will be notarized. These entitlements enable hardened runtime protections
+ to the extent possible for Firefox. Some supporting binaries within the
+ bundle could use more restrictive entitlements, but they are launched by
+ the main Firefox process and therefore inherit the parent process
+ entitlements.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Firefox does not use MAP_JIT for executable mappings -->
+ <key>com.apple.security.cs.allow-jit</key><false/>
+
+ <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Code paged in from disk should match the signature at page in-time -->
+ <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Allow dyld environment variables. Needed because Firefox uses
+ dyld variables to load libaries from within the .app bundle. -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Don't allow debugging of the executable. Debuggers will be prevented
+ from attaching to running executables. Notarization does not permit
+ access to get-task-allow (as documented by Apple) so this must be
+ disabled on notarized builds. -->
+ <key>com.apple.security.get-task-allow</key><false/>
+
+ <!-- Firefox needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- Firefox needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- Firefox needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+
+ <!-- Allow Firefox to send Apple events to other applications. Needed
+ for native messaging webextension helper applications launched by
+ Firefox which rely on Apple Events to signal other processes. -->
+ <key>com.apple.security.automation.apple-events</key><true/>
+
+ <!-- For SmartCardServices(7) -->
+ <key>com.apple.security.smartcard</key><true/>
+ </dict>
+</plist>
diff --git a/tools/signing/stapler.sh b/tools/signing/stapler.sh
new file mode 100755
index 0000000..cdbb466
--- /dev/null
+++ b/tools/signing/stapler.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# Copyright (c) 2019, The Tor Project, Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+TORBROWSER_VERSION=$1
+if [ -z "$TORBROWSER_VERSION" ];
+then
+ echo "Please call this script with a Tor Browser version!"
+ exit 1
+fi
+BUNDLE_LOCALES="ar ca cs da de el en-US es-AR es-ES fa fr ga-IE he hu id is it ja ka ko mk nb-NO nl pl pt-BR ro ru sv-SE tr vi zh-CN zh-TW"
+for LANG in $BUNDLE_LOCALES
+do
+ echo "Stapling $LANG..."
+ cd $LANG
+ xcrun stapler staple Tor\ Browser.app
+ zip -qr ../tb-${TORBROWSER_VERSION}_$LANG-stapled.zip Tor\ Browser.app
+ cd ..
+done
diff --git a/tools/signing/tbb-signing.sh b/tools/signing/tbb-signing.sh
new file mode 100755
index 0000000..42ea235
--- /dev/null
+++ b/tools/signing/tbb-signing.sh
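Review bot: The result of `xcrun stapler staple` is not checked, so if the notarization ticket is not available yet the app is still zipped as `tb-${TORBROWSER_VERSION}_$LANG-stapled.zip` and picked up by gatekeeper-bundling.sh as though it were stapled. Stopping on failure and validating before zipping closes that gap: `xcrun stapler staple "Tor Browser.app" && xcrun stapler validate "Tor Browser.app" || exit 1`. `cd $LANG` should likewise be `cd "$LANG" || exit 1`; otherwise the later `cd ..` walks out of the working directory when a locale directory is missing, and every following iteration runs in the wrong place.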
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# Copyright (c) 2019, The Tor Project, Inc.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#
+# * Neither the names of the copyright owners nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+export GNUPGHOME=/path/to/gpg-key
+read -sp "Enter passphrase: " pass
+for i in `find . -name "*.dmg" -o -name "*.exe" -o -name "*.tar.xz" -o -name "*.txt" -o -name "*.zip" -o -name "*.tar.gz" -o -name "*.apk"`
+do
+ echo "$pass" | gpg -absu $key! --passphrase-fd 0 $i
+done
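Review bot: A failed `gpg` call goes unnoticed here: there is no `set -e` and no status check, so a wrong passphrase or the unset `$key` leaves release files without a detached signature while the loop carries on to the next file. Adding `set -e` and `: "${key:?set key to the signing subkey}"` before the loop, and quoting `"$key!"` and `"$i"`, makes that visible. `read -sp` without `-r` drops backslashes from the passphrase, and `printf '%s\n' "$pass"` is safer than `echo "$pass"` for a value that might begin with `-`. With GnuPG 2.1 or later, `--passphrase-fd 0` is, as far as I know, only honoured together with `--batch --pinentry-mode loopback`, which is worth confirming on the signing machine.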