forked from aws/aws-cdk
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add a script to generate a revocation cert (aws#466)
Make the key handling a bit more flexible as well. Introducing a script 'with-signing-key.sh', which will preload GPG with the key and then execute another command (which can be signing, revoking, or something else).
- Loading branch information
Showing
5 changed files
with
130 additions
and
59 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| #!/bin/bash | ||
| set -euo pipefail | ||
|
|
||
| if [[ "${KEY_AVAILABLE:-}" == "" ]]; then | ||
| echo "Run this script using with-signing-key.sh" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| if ! $KEY_AVAILABLE; then | ||
| echo "No key in scope, cannot generate revocation cert." >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| echo $KEY_PASSPHRASE | gpg \ | ||
| ${GPG_PASSPHRASE_FROM_STDIN} \ | ||
| --gen-revoke $KEY_ID |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| #!/bin/bash | ||
| set -euo pipefail | ||
|
|
||
| if [[ "${1:-}" == "" ]]; then | ||
| echo "Usage: sign-files.sh FILE [FILE...]" >&2 | ||
| echo "">&2 | ||
| echo "Creates detached signature as FILE.sig." >&2 | ||
| exit 1 | ||
| else | ||
| if [ ! -f ${1} ]; then | ||
| echo "Asked to sign ${1}, but no such file exists." | ||
| exit 1 | ||
| fi | ||
| fi | ||
|
|
||
| if [[ "${KEY_AVAILABLE:-}" == "" ]]; then | ||
| echo "Run this script using with-signing-key.sh" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| if ! $KEY_AVAILABLE; then | ||
| echo "No key available, not signing anything." >&2 | ||
| exit 0 # Note: NOT an error | ||
| fi | ||
|
|
||
| while [[ "${1:-}" != "" ]]; do | ||
| echo "Signing $1..." >&2 | ||
| echo $KEY_PASSPHRASE | gpg \ | ||
| ${GPG_PASSPHRASE_FROM_STDIN} \ | ||
| --local-user $KEY_ID \ | ||
| --batch --yes --no-tty \ | ||
| --output $1.sig \ | ||
| --detach-sign $1 | ||
| shift | ||
| done | ||
|
|
||
| echo "Done!" >&2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| #!/bin/bash | ||
| # Run another command with the signing key for the current scope, | ||
| # if set. | ||
| # | ||
| # Upon running the subcommand, $KEY_AVAILABLE will be set to either | ||
| # 'true' or 'false'. If $KEY_AVAILABLE is 'true', the following | ||
| # variables will be set as well: | ||
| # | ||
| # $KEY_ID | ||
| # $KEY_PASSPHRASE | ||
| # $GPG_PASSPHRASE_FROM_STDIN | ||
| # | ||
| # The environment variable KEY_PASSPHRASE will be set to | ||
| # the key's passphrase, to pass in like so: | ||
| # | ||
| # echo $KEY_PASSPHRASE | gpg ${GPG_PASSPHRASE_FROM_STDIN} \ | ||
| # ...other gpg arguments... | ||
| set -euo pipefail | ||
|
|
||
| if [[ "${1:-}" == "" ]]; then | ||
| echo "Usage: with-signing-key.sh CMD [ARG...]" >&2 | ||
| echo "">&2 | ||
| echo "Run another command with a preloaded GPG keyring." >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [[ "${SIGNING_KEY_SCOPE:-}" == "" ]]; then | ||
| echo "SIGNING_KEY_SCOPE not set, running without a key" >&2 | ||
| export KEY_AVAILABLE=false | ||
| else | ||
| tmpdir=$(mktemp -d) | ||
| trap "find $tmpdir -type f -exec rm {} \\; && rm -rf $tmpdir" EXIT | ||
|
|
||
| SECRET=$SIGNING_KEY_SCOPE/SigningKey | ||
|
|
||
| # Use secrets manager to obtain the key and passphrase into a JSON file | ||
| echo "Retrieving key $SECRET..." >&2 | ||
| aws secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt | ||
|
|
||
| value-from-secret() { | ||
| node -e "console.log(JSON.parse(require('fs').readFileSync('$tmpdir/secret.txt', { encoding: 'utf-8' })).$1)" | ||
| } | ||
|
|
||
| export KEY_PASSPHRASE=$(value-from-secret Passphrase) | ||
|
|
||
| # GnuPG will occasionally bail out with "gpg: <whatever> failed: Inappropriate ioctl for device", the following attempts to fix | ||
| export GPG_TTY=$(tty) | ||
| export GNUPGHOME=$tmpdir | ||
|
|
||
| echo "Importing key..." >&2 | ||
| gpg --allow-secret-key-import \ | ||
| --batch --yes --no-tty \ | ||
| --import <(value-from-secret PrivateKey) | ||
|
|
||
| export KEY_ID=$(gpg --list-keys --with-colons | grep pub | cut -d: -f5) | ||
|
|
||
| # Prepare environment variables with flags to GPG | ||
| # --passphrase-fd 0 \ | ||
| # ${EXTRA_GPG_OPTS} \ | ||
| GPG_PASSPHRASE_FROM_STDIN="--passphrase-fd 0" | ||
| if [[ "$(uname)" == "Darwin" ]]; then | ||
| # On Mac, we must pass this to disable a prompt for | ||
| # passphrase, but option is not recognized on Linux. | ||
| GPG_PASSPHRASE_FROM_STDIN="${GPG_PASSPHRASE_FROM_STDIN} --pinentry-mode loopback" | ||
| fi | ||
| export GPG_PASSPHRASE_FROM_STDIN | ||
|
|
||
| export KEY_AVAILABLE=true | ||
| fi | ||
|
|
||
| # Execute remaining commands | ||
| echo "Running: $@" >&2 | ||
| "$@" |