CD/CD consolidation
This commit is contained in:
StellaOps Bot
@@ -1,50 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
# Signs a policy file with cosign and verifies it. Intended for CI and offline use.
|
||||
# Requires COSIGN_KEY_B64 (private key PEM base64) or KMS envs; optional COSIGN_PASSWORD.
|
||||
|
||||
usage() {
|
||||
cat <<'USAGE'
|
||||
Usage: sign-policy.sh --file <path> [--out-dir out/policy-sign]
|
||||
Env:
|
||||
COSIGN_KEY_B64 base64-encoded PEM private key (if not using KMS)
|
||||
COSIGN_PASSWORD passphrase for the key (can be empty for test keys)
|
||||
COSIGN_PUBLIC_KEY_PATH optional path to write public key for verify step
|
||||
USAGE
|
||||
}
|
||||
|
||||
FILE=""
|
||||
OUT_DIR="out/policy-sign"
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "$1" in
|
||||
--file) FILE="$2"; shift 2;;
|
||||
--out-dir) OUT_DIR="$2"; shift 2;;
|
||||
-h|--help) usage; exit 0;;
|
||||
*) echo "Unknown arg: $1" >&2; usage; exit 1;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ -z "$FILE" ]]; then echo "--file is required" >&2; exit 1; fi
|
||||
if [[ ! -f "$FILE" ]]; then echo "file not found: $FILE" >&2; exit 1; fi
|
||||
|
||||
mkdir -p "$OUT_DIR"
|
||||
BASENAME=$(basename "$FILE")
|
||||
SIG="$OUT_DIR/${BASENAME}.sig"
|
||||
PUB_OUT="${COSIGN_PUBLIC_KEY_PATH:-$OUT_DIR/cosign.pub}"
|
||||
|
||||
if [[ -n "${COSIGN_KEY_B64:-}" ]]; then
|
||||
KEYFILE="$OUT_DIR/cosign.key"
|
||||
printf "%s" "$COSIGN_KEY_B64" | base64 -d > "$KEYFILE"
|
||||
chmod 600 "$KEYFILE"
|
||||
export COSIGN_KEY="$KEYFILE"
|
||||
fi
|
||||
|
||||
export COSIGN_PASSWORD=${COSIGN_PASSWORD:-}
|
||||
cosign version >/dev/null
|
||||
|
||||
cosign sign-blob "$FILE" --output-signature "$SIG"
|
||||
cosign public-key --key "$COSIGN_KEY" > "$PUB_OUT"
|
||||
cosign verify-blob --key "$PUB_OUT" --signature "$SIG" "$FILE"
|
||||
|
||||
printf "Signed %s -> %s\nPublic key -> %s\n" "$FILE" "$SIG" "$PUB_OUT"
|
||||
Reference in New Issue
Block a user