up

scripts/policy/sign-policy.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Signs a policy file with cosign and verifies it. Intended for CI and offline use.
+# Requires COSIGN_KEY_B64 (private key PEM base64) or KMS envs; optional COSIGN_PASSWORD.
+
+usage() {
+  cat <<'USAGE'
+Usage: sign-policy.sh --file <path> [--out-dir out/policy-sign]
+Env:
+  COSIGN_KEY_B64   base64-encoded PEM private key (if not using KMS)
+  COSIGN_PASSWORD  passphrase for the key (can be empty for test keys)
+  COSIGN_PUBLIC_KEY_PATH optional path to write public key for verify step
+USAGE
+}
+
+FILE=""
+OUT_DIR="out/policy-sign"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --file) FILE="$2"; shift 2;;
+    --out-dir) OUT_DIR="$2"; shift 2;;
+    -h|--help) usage; exit 0;;
+    *) echo "Unknown arg: $1" >&2; usage; exit 1;;
+  esac
+done
+
+if [[ -z "$FILE" ]]; then echo "--file is required" >&2; exit 1; fi
+if [[ ! -f "$FILE" ]]; then echo "file not found: $FILE" >&2; exit 1; fi
+
+mkdir -p "$OUT_DIR"
+BASENAME=$(basename "$FILE")
+SIG="$OUT_DIR/${BASENAME}.sig"
+PUB_OUT="${COSIGN_PUBLIC_KEY_PATH:-$OUT_DIR/cosign.pub}"
+
+if [[ -n "${COSIGN_KEY_B64:-}" ]]; then
+  KEYFILE="$OUT_DIR/cosign.key"
+  printf "%s" "$COSIGN_KEY_B64" | base64 -d > "$KEYFILE"
+  chmod 600 "$KEYFILE"
+  export COSIGN_KEY="$KEYFILE"
+fi
+
+export COSIGN_PASSWORD=${COSIGN_PASSWORD:-}
+cosign version >/dev/null
+
+cosign sign-blob "$FILE" --output-signature "$SIG"
+cosign public-key --key "$COSIGN_KEY" > "$PUB_OUT"
+cosign verify-blob --key "$PUB_OUT" --signature "$SIG" "$FILE"
+
+printf "Signed %s -> %s\nPublic key -> %s\n" "$FILE" "$SIG" "$PUB_OUT"