up

2025-11-25 22:09:44 +02:00
parent 6bee1fdcf5
commit 9f6e6f7fb3
116 changed files with 4495 additions and 730 deletions
--- a/scripts/policy/rotate-key.sh
+++ b/scripts/policy/rotate-key.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Generates a new cosign keypair for policy signing.
+# Outputs PEMs in out/policy-sign/keys and base64 ready for CI secrets.
+
+OUT_DIR=${OUT_DIR:-out/policy-sign/keys}
+PREFIX=${PREFIX:-policy-cosign}
+PASSWORD=${COSIGN_PASSWORD:-}
+
+mkdir -p "$OUT_DIR"
+KEY_PREFIX="$OUT_DIR/$PREFIX"
+
+if ! command -v cosign >/dev/null 2>&1; then
+  echo "cosign is required on PATH" >&2
+  exit 1
+fi
+
+export COSIGN_PASSWORD="$PASSWORD"
+cosign version >/dev/null
+cosign generate-key-pair --output-key-prefix "$KEY_PREFIX" >/dev/null
+
+BASE64_PRIV=$(base64 < "${KEY_PREFIX}.key" | tr -d '\n')
+BASE64_PUB=$(base64 < "${KEY_PREFIX}.pub" | tr -d '\n')
+
+cat > "$OUT_DIR/README.txt" <<EOF
+Key prefix: $KEY_PREFIX
+Private key (base64): $BASE64_PRIV
+Public key (base64): $BASE64_PUB
+Set secrets:
+  POLICY_COSIGN_KEY_B64=$BASE64_PRIV
+  POLICY_COSIGN_PUB_B64=$BASE64_PUB
+EOF
+
+printf "Generated keys under %s\n" "$OUT_DIR"