contrib/sign-release.sh: allow secret via stdin
Providing the secret via stdin has the advantage of not needing to store the secret
in cleartext somewhere on the filesystem.
Instead it can be decrypted on the fly and provided via stdin.

A few examples:

gpg -d signkey.gpg | contrib/sign-release.sh 3.0.6

age -d -i ~/.ssh/id_ed25519 signkey.age | ./contrib/sign-release.sh 3.0.6

gopass show signkey | ./contrib/sign-release.sh 3.0.6

keepassxc-cli show -k ~/db.key ~/db.kdbx signkey -a Password | contrib/sign-release.sh 3.0.6
herbetom committed Nov 23, 2024
1 parent f41a193 commit f73d90a
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions contrib/sign-release.sh
Expand Up @@ -3,8 +3,10 @@
set -euo pipefail

function usage() {
echo "Usage: $0 <release-version> <private-key-path>"
echo "Usage: $0 <release-version> [<private-key-path>]"
echo "Example: $0 2.0.0 /path/to/private-key.ecdsakey"
echo ""
echo "The script expects the private key via stdin if no private-key-path is provided."
exit 1
}

Expand Down Expand Up @@ -46,7 +48,7 @@ function create_signature() {
split_manifest "$manifest" "$upper" "$lower"

# Sign upper part of manifest
ecdsasign "$upper" < "$secret"
ecdsasign "$upper" <<< "$secret"

# Remove temporary files
rm -f "$upper" "$lower"
Expand Down Expand Up @@ -91,9 +93,12 @@ GITHUB_REPOSITORY_URL="${GITHUB_REPOSITORY_URL:-$DEFAULT_GITHUB_REPOSITORY_URL}"

RELEASE_VERSION="${1:-}"
PRIVATE_KEY_PATH="${2:-}"
PRIVATE_KEY=""

[ -z "$RELEASE_VERSION" ] && usage
[ -z "$PRIVATE_KEY_PATH" ] && usage
[ -n "$PRIVATE_KEY_PATH" ] && PRIVATE_KEY="$(cat "$PRIVATE_KEY_PATH")"
[ -z "$PRIVATE_KEY" ] && [ ! -t 0 ] && PRIVATE_KEY=$(cat)
[ -z "$PRIVATE_KEY" ] && usage

# Create Temporary working directory
TEMP_DIR="$(mktemp -d)"
Expand Down Expand Up @@ -126,7 +131,7 @@ for manifest_path in "${TEMP_DIR}/"*.manifest; do

# Get Signature
echo "-- Signature for $manifest_branch_name --"
create_signature "$manifest_path" "$PRIVATE_KEY_PATH"
create_signature "$manifest_path" "$PRIVATE_KEY"
done

# Remove Temporary working directory
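Review bot: The new `ecdsasign "$upper" <<< "$secret"` in create_signature does not fully deliver the commit message's goal of keeping the key off the filesystem: bash implements here-strings with a temporary file under TMPDIR on versions before 5.1, and on 5.1+ still falls back to one when the string exceeds the pipe buffer, so the key material is briefly written to disk anyway. A pipe from the printf builtin avoids that on every bash version and keeps the key out of any process's argv: `printf '%s\n' "$secret" | ecdsasign "$upper"`. Separately, `PRIVATE_KEY=$(cat)` and `$(cat "$PRIVATE_KEY_PATH")` strip all trailing newlines while `<<<` appends exactly one, so a key file saved without a trailing newline is now fed with one; whether ecdsasign's parser tolerates that cannot be told from here and is worth confirming. create_signature's body both starts and ends outside this hunk.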
