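#!/usr/bin/env bash
# Deterministic DSSE signing helper for Signals artifacts.
#
# Signs the fixed list of Signals documents in ARTIFACTS with cosign and writes
# the signatures plus a SHA256SUMS index into the evidence locker.
# Prefers system cosign v3 (Sigstore bundle output) and falls back to the
# repo-pinned v2.6.0 (detached signature output).
#
# Environment (all optional):
#   COSIGN_BIN              cosign binary; auto-detected when unset
#   COSIGN_KEY_FILE         private key path (highest precedence)
#   COSIGN_PRIVATE_KEY_B64  base64-encoded private key; decoded into a 0600
#                           temp file that is removed on every exit path
#   COSIGN_PASSWORD         key passphrase, passed through to cosign
#                           (defaults to empty so cosign never prompts)
#   OUT_DIR                 output directory; defaults to a dated locker path
#
# Exit codes: 1 no cosign binary, 2 no usable signing key, 3 missing
# artifact; any cosign failure propagates via `set -e`.
set -euo pipefail

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
COSIGN_BIN="${COSIGN_BIN:-}"

# Detect cosign binary (v3 preferred): the /usr/local/bin install first, then
# whatever is on PATH, then the repo-pinned copy.
if [[ -z "$COSIGN_BIN" ]]; then
  if command -v /usr/local/bin/cosign >/dev/null 2>&1; then
    COSIGN_BIN="/usr/local/bin/cosign"
  elif command -v cosign >/dev/null 2>&1; then
    COSIGN_BIN="$(command -v cosign)"
  elif [[ -x "$ROOT/tools/cosign/cosign" ]]; then
    COSIGN_BIN="$ROOT/tools/cosign/cosign"
  else
    echo "cosign not found; install or set COSIGN_BIN" >&2
    exit 1
  fi
fi

# Resolve the signing key. A key supplied as COSIGN_PRIVATE_KEY_B64 is
# materialised in a private temp file. The EXIT trap removes that file on
# success, on `set -e` aborts (missing artifact, cosign error, bad base64) and
# on signal-driven exits alike, so a failed run never leaves the decoded
# private key behind; the original only removed it on the success path.
TMP_KEY=""
cleanup() {
  if [[ -n "$TMP_KEY" ]]; then
    rm -f -- "$TMP_KEY"
  fi
}
trap cleanup EXIT

if [[ -n "${COSIGN_KEY_FILE:-}" ]]; then
  KEY_FILE="$COSIGN_KEY_FILE"
elif [[ -n "${COSIGN_PRIVATE_KEY_B64:-}" ]]; then
  # mktemp creates the file 0600; the subshell umask additionally covers any
  # mktemp that honours the umask, without changing this script's own umask.
  TMP_KEY="$(umask 077 && mktemp)"
  # printf rather than echo: a blob beginning with '-' must not be read as an
  # echo option. pipefail makes a base64 decode error fail the `if`.
  if ! printf '%s' "$COSIGN_PRIVATE_KEY_B64" | base64 -d > "$TMP_KEY"; then
    echo "COSIGN_PRIVATE_KEY_B64 is not valid base64" >&2
    exit 2
  fi
  chmod 600 "$TMP_KEY"
  KEY_FILE="$TMP_KEY"
elif [[ -f "$ROOT/tools/cosign/cosign.key" ]]; then
  # NOTE(review): a private key inside the repo tree is a local-dev
  # convenience; make sure it is git-ignored and never lands in a commit.
  KEY_FILE="$ROOT/tools/cosign/cosign.key"
else
  echo "No signing key: set COSIGN_PRIVATE_KEY_B64 or COSIGN_KEY_FILE, or place key at tools/cosign/cosign.key" >&2
  exit 2
fi

# Output location. The dated default is fixed on purpose (evidence-locker
# snapshot); override with OUT_DIR for a new snapshot.
OUT_BASE="${OUT_DIR:-$ROOT/evidence-locker/signals/2025-12-01}"
mkdir -p "$OUT_BASE"

# "<path relative to docs/modules/signals>|<predicate type>|<output stem>"
ARTIFACTS=(
  "decay/confidence_decay_config.yaml|stella.ops/confidenceDecayConfig@v1|confidence_decay_config"
  "unknowns/unknowns_scoring_manifest.json|stella.ops/unknownsScoringManifest@v1|unknowns_scoring_manifest"
  "heuristics/heuristics.catalog.json|stella.ops/heuristicCatalog@v1|heuristics_catalog"
)

# Detect the cosign major version. `cosign version` prints a multi-line banner
# before the "GitVersion: vX.Y.Z" field, so the first line alone is not a
# reliable place to look; take the first semver tag anywhere in the output
# (stdout and stderr merged, in case the banner goes to either). No match, or
# a non-v3 match, selects the v2 detached-signature path.
COSIGN_VERSION="$("$COSIGN_BIN" version 2>&1 | grep -m1 -oE 'v[0-9]+\.[0-9]+(\.[0-9]+)?' || true)"
USE_BUNDLE=0
if [[ "$COSIGN_VERSION" == v3.* ]]; then
  USE_BUNDLE=1
fi

pushd "$ROOT/docs/modules/signals" >/dev/null
SHA_FILE="$OUT_BASE/SHA256SUMS"
: > "$SHA_FILE"

# Append "<sha256> <path relative to OUT_BASE>" for one file to SHA256SUMS.
# NOTE(review): the index keeps the original single-space separator; GNU
# `sha256sum -c` conventionally expects two spaces ("<hash>  <file>"), so
# confirm the consumer of this file before relying on `-c` against it.
record_sum() {
  local file="$1"
  printf "%s %s\n" "$(sha256sum -- "$file" | cut -d' ' -f1)" \
    "$(realpath --relative-to="$OUT_BASE" -- "$file")" >> "$SHA_FILE"
}

# NOTE(review): cosign sign-blob may prompt for transparency-log upload consent
# in some versions; if this helper must run non-interactively and fully offline
# for determinism, an explicit tlog flag (e.g. --tlog-upload=false) should be
# decided for both pinned versions. Left unchanged here pending that decision.
for entry in "${ARTIFACTS[@]}"; do
  IFS="|" read -r path predicate stem <<<"$entry"
  if [[ ! -f "$path" ]]; then
    echo "Missing artifact: $path" >&2
    exit 3
  fi
  if (( USE_BUNDLE )); then
    # cosign v3: one Sigstore bundle carries the signature and verification
    # material together.
    bundle="$OUT_BASE/${stem}.sigstore.json"
    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
      "$COSIGN_BIN" sign-blob \
        --key "$KEY_FILE" \
        --predicate-type "$predicate" \
        --bundle "$bundle" \
        "$path"
    record_sum "$bundle"
  else
    # cosign v2.6.0: detached signature file.
    sig="$OUT_BASE/${stem}.dsse"
    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
      "$COSIGN_BIN" sign-blob \
        --key "$KEY_FILE" \
        --predicate-type "$predicate" \
        --output-signature "$sig" \
        "$path"
    record_sum "$sig"
  fi
  # Index the signed artifact itself so the locker records what was signed.
  record_sum "$path"
done
popd >/dev/null

echo "Signed artifacts written to $OUT_BASE"
# Temp key removal is handled by the EXIT trap above.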