git.stella-ops.org/.gitea/scripts/sign/sign-authority-gaps.sh

#!/usr/bin/env bash
set -euo pipefail

# Deterministic DSSE signing helper for Authority gap artefacts (AU1–AU10, RR1–RR10).
# Prefers system cosign v3 (bundle) and falls back to repo-pinned v2.6.0.

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
COSIGN_BIN="${COSIGN_BIN:-}"

# Detect cosign binary
if [[ -z "$COSIGN_BIN" ]]; then
  if command -v /usr/local/bin/cosign >/dev/null 2>&1; then
    COSIGN_BIN="/usr/local/bin/cosign"
  elif command -v cosign >/dev/null 2>&1; then
    COSIGN_BIN="$(command -v cosign)"
  elif [[ -x "$ROOT/tools/cosign/cosign" ]]; then
    COSIGN_BIN="$ROOT/tools/cosign/cosign"
  else
    echo "cosign not found; install or set COSIGN_BIN" >&2
    exit 1
  fi
fi

# Resolve key
TMP_KEY=""
if [[ -n "${COSIGN_KEY_FILE:-}" ]]; then
  KEY_FILE="$COSIGN_KEY_FILE"
elif [[ -n "${COSIGN_PRIVATE_KEY_B64:-}" ]]; then
  TMP_KEY="$(mktemp)"
  echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > "$TMP_KEY"
  chmod 600 "$TMP_KEY"
  KEY_FILE="$TMP_KEY"
elif [[ -f "$ROOT/tools/cosign/cosign.key" ]]; then
  KEY_FILE="$ROOT/tools/cosign/cosign.key"
elif [[ "${COSIGN_ALLOW_DEV_KEY:-0}" == "1" && -f "$ROOT/tools/cosign/cosign.dev.key" ]]; then
  echo "[warn] Using development key (tools/cosign/cosign.dev.key); NOT for production/Evidence Locker" >&2
  KEY_FILE="$ROOT/tools/cosign/cosign.dev.key"
else
  echo "No signing key: set COSIGN_PRIVATE_KEY_B64 or COSIGN_KEY_FILE, or place key at tools/cosign/cosign.key" >&2
  exit 2
fi

OUT_BASE="${OUT_DIR:-$ROOT/docs/modules/authority/gaps/dsse/2025-12-04}"
if [[ "$OUT_BASE" != /* ]]; then
  OUT_BASE="$ROOT/$OUT_BASE"
fi
mkdir -p "$OUT_BASE"

ARTEFACTS=(
  "docs/modules/authority/gaps/artifacts/authority-scope-role-catalog.v1.json|authority-scope-role-catalog"
  "docs/modules/authority/gaps/artifacts/authority-jwks-metadata.schema.json|authority-jwks-metadata.schema"
  "docs/modules/authority/gaps/artifacts/crypto-profile-registry.v1.json|crypto-profile-registry"
  "docs/modules/authority/gaps/artifacts/authority-offline-verifier-bundle.v1.json|authority-offline-verifier-bundle"
  "docs/modules/authority/gaps/artifacts/authority-abac.schema.json|authority-abac.schema"
  "docs/modules/authority/gaps/artifacts/rekor-receipt-policy.v1.json|rekor-receipt-policy"
  "docs/modules/authority/gaps/artifacts/rekor-receipt.schema.json|rekor-receipt.schema"
  "docs/modules/authority/gaps/artifacts/rekor-receipt-bundle.v1.json|rekor-receipt-bundle"
)

USE_BUNDLE=0
if $COSIGN_BIN version --json 2>/dev/null | grep -q '"GitVersion":"v3'; then
  USE_BUNDLE=1
elif $COSIGN_BIN version 2>/dev/null | grep -q 'GitVersion:.*v3\.'; then
  USE_BUNDLE=1
fi

SHA_FILE="$OUT_BASE/SHA256SUMS"
: > "$SHA_FILE"

for entry in "${ARTEFACTS[@]}"; do
  IFS="|" read -r path stem <<<"$entry"
  if [[ ! -f "$ROOT/$path" ]]; then
    echo "Missing artefact: $path" >&2
    exit 3
  fi
  if (( USE_BUNDLE )); then
    bundle="$OUT_BASE/${stem}.sigstore.json"
    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
    "$COSIGN_BIN" sign-blob \
      --key "$KEY_FILE" \
      --yes \
      --tlog-upload=false \
      --bundle "$bundle" \
      "$ROOT/$path"
    printf "%s  %s\n" "$(sha256sum "$bundle" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$bundle")" >> "$SHA_FILE"
  else
    sig="$OUT_BASE/${stem}.dsse"
    COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
    "$COSIGN_BIN" sign-blob \
      --key "$KEY_FILE" \
      --yes \
      --tlog-upload=false \
      --output-signature "$sig" \
      "$ROOT/$path"
    printf "%s  %s\n" "$(sha256sum "$sig" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$sig")" >> "$SHA_FILE"
  fi

  printf "%s  %s\n" "$(sha256sum "$ROOT/$path" | cut -d' ' -f1)" "$(realpath --relative-to="$OUT_BASE" "$ROOT/$path")" >> "$SHA_FILE"
  echo "Signed $path"
done

echo "Signed artefacts written to $OUT_BASE"

if [[ -n "$TMP_KEY" ]]; then
  rm -f "$TMP_KEY"
fi