#!/bin/bash
# Simple script to use Microsoft code signing trust from CCADB

CSURL="https://ccadb-public.secure.force.com/microsoft/IncludedRootsPEMTxtForMSFT?MicrosoftEKUs=Code%20Signing"

rm -f mscertsign.txt CS.txt
wget -O mscertsign.txt ${CSURL}

echo "# Mozilla no longer provides any trust information for code signing, opting only
# to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
# the functionality from NSS. The following list of certificate hashes (already
# installed as they have TLS trust from Mozilla) are also trusted by Microsoft
# for code signing. The Microsoft Trusted Root Certificate Program's inclusion
# policy is available for review at:
# https://docs.microsoft.com/en-us/security/trusted-root/program-requirements.
# See https://www.ccadb.org/ for joint efforts between Google, Microsoft, and
# Mozilla to create a unified trust store.
" > CS.txt

date=`date -u`
echo "# List current as of ${date}." >> CS.txt
echo -e "# Move this list to \$SSLDIR and use -i to add code signing trust\n" \
     >> CS.txt

startlist=`grep -n "^-----BEGIN" mscertsign.txt | cut -d ":" -f 1`
for certbegin in ${startlist}; do
    awk "NR==$certbegin,/^-----END CERTIFICATE-----/" mscertsign.txt \
        > ${certbegin}.crt
    openssl x509 -noout -in ${certbegin}.crt -hash >> CS.txt
    rm ${certbegin}.crt
done
rm -r mscertsign.txt