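#!/usr/bin/env bash
# Deterministic DSSE signing helper for Authority gap artefacts (AU1–AU10, RR1–RR10).
#
# Signs every artefact listed in ARTEFACTS with `cosign sign-blob` and writes the
# per-artefact output plus a SHA256SUMS manifest into OUT_BASE. Prefers system
# cosign v3 (Sigstore bundle output) and falls back to the repo-pinned v2.6.0
# (detached signature output). Signing is offline: `--tlog-upload=false` means no
# Rekor entry is created here.
#
# Environment:
#   COSIGN_BIN              explicit cosign binary (skips auto-detection)
#   COSIGN_KEY_FILE         path to the private key (highest-priority key source)
#   COSIGN_PRIVATE_KEY_B64  base64-encoded private key; decoded into a 0600 temp
#                           file that is removed on every exit path
#   COSIGN_PASSWORD         key passphrase handed to cosign (may be empty)
#   COSIGN_ALLOW_DEV_KEY=1  permit tools/cosign/cosign.dev.key as a last resort
#   OUT_DIR                 output directory (absolute, or relative to the repo root)
#
# Exit codes: 1 no cosign binary; 2 no usable signing key; 3 missing artefact.
set -euo pipefail

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
COSIGN_BIN="${COSIGN_BIN:-}"

# Temp file holding a decoded COSIGN_PRIVATE_KEY_B64, when that source is used.
# Removed by the EXIT trap so a private key never lingers on disk after a
# failure (missing artefact, cosign error, base64 decode error).
TMP_KEY=""
cleanup() {
  if [[ -n "$TMP_KEY" ]]; then
    rm -f -- "$TMP_KEY"
  fi
}
trap cleanup EXIT

# die CODE MESSAGE... — print MESSAGE to stderr and exit with CODE.
die() {
  local code=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$code"
}

# Detect cosign binary: system install first, then PATH, then the repo-pinned copy.
if [[ -z "$COSIGN_BIN" ]]; then
  if command -v /usr/local/bin/cosign >/dev/null 2>&1; then
    COSIGN_BIN="/usr/local/bin/cosign"
  elif command -v cosign >/dev/null 2>&1; then
    COSIGN_BIN="$(command -v cosign)"
  elif [[ -x "$ROOT/tools/cosign/cosign" ]]; then
    COSIGN_BIN="$ROOT/tools/cosign/cosign"
  else
    die 1 "cosign not found; install or set COSIGN_BIN"
  fi
fi

# Resolve the signing key, in priority order: explicit file, base64 env var,
# repo key, then (only when opted in) the development key.
if [[ -n "${COSIGN_KEY_FILE:-}" ]]; then
  KEY_FILE="$COSIGN_KEY_FILE"
elif [[ -n "${COSIGN_PRIVATE_KEY_B64:-}" ]]; then
  TMP_KEY="$(mktemp)"
  # mktemp already creates the file 0600; keep the chmod explicit as belt and braces.
  chmod 600 "$TMP_KEY"
  # printf, not echo: the value is data and must never be parsed as echo options.
  printf '%s' "$COSIGN_PRIVATE_KEY_B64" | base64 -d > "$TMP_KEY"
  KEY_FILE="$TMP_KEY"
elif [[ -f "$ROOT/tools/cosign/cosign.key" ]]; then
  KEY_FILE="$ROOT/tools/cosign/cosign.key"
elif [[ "${COSIGN_ALLOW_DEV_KEY:-0}" == "1" && -f "$ROOT/tools/cosign/cosign.dev.key" ]]; then
  echo "[warn] Using development key (tools/cosign/cosign.dev.key); NOT for production/Evidence Locker" >&2
  KEY_FILE="$ROOT/tools/cosign/cosign.dev.key"
else
  die 2 "No signing key: set COSIGN_PRIVATE_KEY_B64 or COSIGN_KEY_FILE, or place key at tools/cosign/cosign.key"
fi
# Fail early with a clear message rather than an opaque cosign error mid-run
# (e.g. COSIGN_KEY_FILE pointing at a path that does not exist).
[[ -f "$KEY_FILE" ]] || die 2 "Signing key not found or not a regular file: $KEY_FILE"

OUT_BASE="${OUT_DIR:-$ROOT/docs/modules/authority/gaps/dsse/2025-12-04}"
if [[ "$OUT_BASE" != /* ]]; then
  OUT_BASE="$ROOT/$OUT_BASE"
fi

# "repo-relative artefact path|output file stem"
ARTEFACTS=(
  "docs/modules/authority/gaps/artifacts/authority-scope-role-catalog.v1.json|authority-scope-role-catalog"
  "docs/modules/authority/gaps/artifacts/authority-jwks-metadata.schema.json|authority-jwks-metadata.schema"
  "docs/modules/authority/gaps/artifacts/crypto-profile-registry.v1.json|crypto-profile-registry"
  "docs/modules/authority/gaps/artifacts/authority-offline-verifier-bundle.v1.json|authority-offline-verifier-bundle"
  "docs/modules/authority/gaps/artifacts/authority-abac.schema.json|authority-abac.schema"
  "docs/modules/authority/gaps/artifacts/rekor-receipt-policy.v1.json|rekor-receipt-policy"
  "docs/modules/authority/gaps/artifacts/rekor-receipt.schema.json|rekor-receipt.schema"
  "docs/modules/authority/gaps/artifacts/rekor-receipt-bundle.v1.json|rekor-receipt-bundle"
)

# Validate every input before writing anything, so a missing artefact cannot
# leave a half-written SHA256SUMS behind.
for entry in "${ARTEFACTS[@]}"; do
  path="${entry%%|*}"
  [[ -f "$ROOT/$path" ]] || die 3 "Missing artefact: $path"
done

mkdir -p "$OUT_BASE"

# cosign v3 writes a Sigstore bundle via --bundle; older versions get a detached
# signature via --output-signature. Try JSON output first, then the text form.
USE_BUNDLE=0
if "$COSIGN_BIN" version --json 2>/dev/null | grep -q '"GitVersion":"v3'; then
  USE_BUNDLE=1
elif "$COSIGN_BIN" version 2>/dev/null | grep -q 'GitVersion:.*v3\.'; then
  USE_BUNDLE=1
fi

SHA_FILE="$OUT_BASE/SHA256SUMS"
: > "$SHA_FILE"

# record_sha FILE — append "DIGEST  RELPATH" to SHA_FILE, RELPATH relative to
# OUT_BASE. Two spaces is the form sha256sum itself emits, so
# `cd OUT_BASE && sha256sum -c SHA256SUMS` verifies the manifest without
# relying on lenient parsing of a single-space separator.
record_sha() {
  local file=$1 rel digest
  rel="$(realpath --relative-to="$OUT_BASE" -- "$file")"
  digest="$(sha256sum -- "$file" | cut -d' ' -f1)"
  printf '%s  %s\n' "$digest" "$rel" >> "$SHA_FILE"
}

# sign_one REPO_PATH STEM — sign one artefact and record it plus its output in
# SHA_FILE. COSIGN_PASSWORD is passed per-invocation (empty if unset) so `set -u`
# does not trip and the passphrase never appears on the command line.
sign_one() {
  local path=$1 stem=$2 out
  if (( USE_BUNDLE )); then
    out="$OUT_BASE/${stem}.sigstore.json"
    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
      "$COSIGN_BIN" sign-blob \
        --key "$KEY_FILE" \
        --yes \
        --tlog-upload=false \
        --bundle "$out" \
        "$ROOT/$path"
  else
    # NOTE(review): sign-blob --output-signature appears to emit a detached
    # signature rather than a DSSE envelope, despite the .dsse suffix — confirm
    # downstream verifiers expect this format before relying on the name.
    out="$OUT_BASE/${stem}.dsse"
    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
      "$COSIGN_BIN" sign-blob \
        --key "$KEY_FILE" \
        --yes \
        --tlog-upload=false \
        --output-signature "$out" \
        "$ROOT/$path"
  fi
  record_sha "$out"
  record_sha "$ROOT/$path"
}

for entry in "${ARTEFACTS[@]}"; do
  IFS="|" read -r path stem <<<"$entry"
  sign_one "$path" "$stem"
  echo "Signed $path"
done

echo "Signed artefacts written to $OUT_BASE"
# TMP_KEY (if any) is removed by the EXIT trap.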