git.stella-ops.org/tools/cosign/sign-signals.sh

#!/usr/bin/env bash
set -euo pipefail

# Deterministic DSSE signing helper for Signals artifacts.
# Prefers system cosign v3 (bundle) and falls back to repo-pinned v2.6.0.

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
COSIGN_BIN="${COSIGN_BIN:-}"

# Detect cosign binary (v3 preferred).
if [[ -z "$COSIGN_BIN" ]]; then
  if command -v /usr/local/bin/cosign >/dev/null 2>&1; then
    COSIGN_BIN="/usr/local/bin/cosign"
  elif command -v cosign >/dev/null 2>&1; then
    COSIGN_BIN="$(command -v cosign)"
  elif [[ -x "$ROOT/tools/cosign/cosign" ]]; then
    COSIGN_BIN="$ROOT/tools/cosign/cosign"
  else
    echo "cosign not found; install or set COSIGN_BIN" >&2
    exit 1
  fi
fi

# Resolve key
TMP_KEY=""
if [[ -n "${COSIGN_KEY_FILE:-}" ]]; then
  KEY_FILE="$COSIGN_KEY_FILE"
elif [[ -n "${COSIGN_PRIVATE_KEY_B64:-}" ]]; then
  TMP_KEY="$(mktemp)"
  echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > "$TMP_KEY"
  chmod 600 "$TMP_KEY"
  KEY_FILE="$TMP_KEY"
elif [[ -f "$ROOT/tools/cosign/cosign.key" ]]; then
  KEY_FILE="$ROOT/tools/cosign/cosign.key"
elif [[ "${COSIGN_ALLOW_DEV_KEY:-0}" == "1" && -f "$ROOT/tools/cosign/cosign.dev.key" ]]; then
  echo "[warn] Using development key (tools/cosign/cosign.dev.key); NOT for production/Evidence Locker" >&2
  KEY_FILE="$ROOT/tools/cosign/cosign.dev.key"
else
  echo "No signing key: set COSIGN_PRIVATE_KEY_B64 or COSIGN_KEY_FILE, or place key at tools/cosign/cosign.key" >&2
  exit 2
fi

OUT_BASE="${OUT_DIR:-$ROOT/evidence-locker/signals/2025-12-01}"
# Normalize OUT_BASE to absolute to avoid pushd-relative path issues.
if [[ "$OUT_BASE" != /* ]]; then
  OUT_BASE="$ROOT/$OUT_BASE"
fi
mkdir -p "$OUT_BASE"

ARTIFACTS=(
  "decay/confidence_decay_config.yaml|stella.ops/confidenceDecayConfig@v1|confidence_decay_config"
  "unknowns/unknowns_scoring_manifest.json|stella.ops/unknownsScoringManifest@v1|unknowns_scoring_manifest"
  "heuristics/heuristics.catalog.json|stella.ops/heuristicCatalog@v1|heuristics_catalog"
)

USE_BUNDLE=0
if $COSIGN_BIN version --json 2>/dev/null | grep -q '"GitVersion":"v3'; then
  USE_BUNDLE=1
elif $COSIGN_BIN version 2>/dev/null | grep -q 'GitVersion:.*v3\.'; then
  USE_BUNDLE=1
fi

pushd "$ROOT/docs/modules/signals" >/dev/null

SHA_FILE="$OUT_BASE/SHA256SUMS"
: > "$SHA_FILE"

for entry in "${ARTIFACTS[@]}"; do
  IFS="|" read -r path predicate stem <<<"$entry"
  if [[ ! -f "$path" ]]; then
    echo "Missing artifact: $path" >&2
    exit 3
  fi

  if (( USE_BUNDLE )); then
    bundle="$OUT_BASE/${stem}.sigstore.json"
    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
    "$COSIGN_BIN" sign-blob \
      --key "$KEY_FILE" \
      --yes \
      --tlog-upload=false \
      --bundle "$bundle" \
      "$path"
    printf "%s  %s\n" "$(sha256sum "$bundle" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$bundle")" >> "$SHA_FILE"
  else
    sig="$OUT_BASE/${stem}.dsse"
    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
    "$COSIGN_BIN" sign-blob \
      --key "$KEY_FILE" \
      --yes \
      --tlog-upload=false \
      --output-signature "$sig" \
      "$path"
    printf "%s  %s\n" "$(sha256sum "$sig" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$sig")" >> "$SHA_FILE"
  fi

  printf "%s  %s\n" "$(sha256sum "$path" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$path")" >> "$SHA_FILE"
done

popd >/dev/null

echo "Signed artifacts written to $OUT_BASE"

if [[ -n "$TMP_KEY" ]]; then
  rm -f "$TMP_KEY"
fi