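#!/bin/bash
# sign.sh - create a detached GnuPG signature (FILE.sig) next to each FILE.
#
# The private key and its passphrase are fetched from AWS Secrets Manager under
# "$SIGNING_KEY_SCOPE/SigningKey". When SIGNING_KEY_SCOPE is unset the script
# exits 0 without signing, so unsigned builds still succeed.
set -euo pipefail

if [[ -z "${1:-}" ]]; then
  echo "Usage: sign.sh FILE [FILE...]" >&2
  echo "" >&2
  echo "Creates detached signature as FILE.sig." >&2
  exit 1
fi
# Only the first argument is validated up front; later arguments are handled
# when they are signed. Quoted so paths with spaces or globs are not split.
if [[ ! -f "$1" ]]; then
  echo "Asked to sign ${1}, but no such file exists." >&2
  exit 1
fi

if [[ -z "${SIGNING_KEY_SCOPE:-}" ]]; then
  echo "SIGNING_KEY_SCOPE not set; not signing artifacts." >&2
  exit 0
fi

# mktemp -d creates the directory mode 0700, so the plaintext secret written
# below is only reachable by this user for as long as the directory exists.
tmpdir=$(mktemp -d)

#######################################
# Remove the temporary GnuPG home and secret file on any exit path.
# shred is best effort: it may be missing, and it gives no guarantee on
# journaling/CoW filesystems. Unlike `shred && rm`, the directory is always
# removed even when shredding fails, so the secret never outlives the script.
# Globals:   tmpdir (read)
#######################################
cleanup() {
  find "$tmpdir" -type f -exec shred {} \; 2>/dev/null || true   # best effort, see above
  rm -rf -- "${tmpdir:?}"
}
trap cleanup EXIT

SECRET=$SIGNING_KEY_SCOPE/SigningKey
# Use secrets manager to obtain the key and passphrase into a JSON file.
# Under `set -e`/`pipefail` a failed retrieval aborts before any signing.
echo "Retrieving key $SECRET..." >&2
aws secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > "$tmpdir/secret.txt"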
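#######################################
# Print one top-level field of the secret JSON stored in "$tmpdir/secret.txt".
# Globals:   tmpdir (read)
# Arguments: $1 - field name (e.g. Passphrase, PrivateKey)
# Outputs:   the field's value on stdout
# Returns:   node's exit status; 1 when the field is absent, so callers under
#            `set -e` stop instead of continuing with the string "undefined"
#######################################
value-from-secret() {
  local field=$1
  # The file path and field name are passed as argv rather than spliced into
  # the JavaScript source, so neither value can change the program text.
  node -e '
    const [file, key] = process.argv.slice(1);
    const secret = JSON.parse(require("fs").readFileSync(file, { encoding: "utf-8" }));
    if (!(key in secret)) {
      console.error(`secret has no field "${key}"`);
      process.exit(1);
    }
    console.log(secret[key]);
  ' "$tmpdir/secret.txt" "$field"
}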
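passphrase=$(value-from-secret Passphrase)
# GnuPG will occasionally bail out with "gpg: <whatever> failed: Inappropriate ioctl for device", the following attempts to fix
# `tty` exits non-zero (printing "not a tty") when stdin is not a terminal,
# e.g. in CI; `export X=$(...)` silently masked that, so make it explicit.
GPG_TTY=$(tty || true)
export GPG_TTY

echo "Importing key..." >&2
gpg --homedir "$tmpdir" \
  --allow-secret-key-import \
  --batch --yes --no-tty \
  --import <(value-from-secret PrivateKey)

# Sign every remaining argument; a missing file is reported before gpg is run
# so the failure names the path rather than surfacing as a gpg error.
while [[ -n "${1:-}" ]]; do
  if [[ ! -f "$1" ]]; then
    echo "Asked to sign ${1}, but no such file exists." >&2
    exit 1
  fi
  echo "Signing $1..." >&2
  # printf instead of echo: echo would mangle a passphrase beginning with
  # "-n"/"-e" or containing backslashes, and the unquoted form word-split it.
  # Both are shell builtins, so the passphrase never appears in argv/ps.
  # NOTE(review): GnuPG >= 2.1 generally also needs `--pinentry-mode loopback`
  # for --passphrase-fd to be honoured in batch mode; confirm with the gpg in use.
  # NOTE(review): the --local-user value appears obfuscated in this copy of the
  # file; verify it matches a user id of the imported key.
  printf '%s\n' "$passphrase" | gpg \
    --homedir "$tmpdir" \
    --local-user [email protected] \
    --batch --yes --no-tty \
    --passphrase-fd 0 \
    --output "$1.sig" \
    --detach-sign "$1"
  shift
done
echo "Done!" >&2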