35 lines
932 B
Bash
35 lines
932 B
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
# Generates an offline-friendly code-signing certificate (self-signed) for NuGet package signing.
|
|
|
|
OUT_DIR=${OUT_DIR:-out/sdk-signing}
|
|
SUBJECT=${SUBJECT:-"/CN=StellaOps SDK Signing/O=StellaOps"}
|
|
DAYS=${DAYS:-3650}
|
|
PFX_NAME=${PFX_NAME:-sdk-signing.pfx}
|
|
PASSWORD=${PASSWORD:-""}
|
|
|
|
mkdir -p "$OUT_DIR"
|
|
|
|
PRIV="$OUT_DIR/sdk-signing.key"
|
|
CRT="$OUT_DIR/sdk-signing.crt"
|
|
PFX="$OUT_DIR/$PFX_NAME"
|
|
|
|
openssl req -x509 -newkey rsa:4096 -sha256 -days "$DAYS" \
|
|
-nodes -subj "$SUBJECT" -keyout "$PRIV" -out "$CRT"
|
|
|
|
openssl pkcs12 -export -out "$PFX" -inkey "$PRIV" -in "$CRT" -passout pass:"$PASSWORD"
|
|
|
|
BASE64_PFX=$(base64 < "$PFX" | tr -d '\n')
|
|
|
|
cat > "$OUT_DIR/README.txt" <<EOF
|
|
PFX file: $PFX
|
|
Password: ${PASSWORD:-<empty>}
|
|
Base64:
|
|
$BASE64_PFX
|
|
Secrets to set:
|
|
SDK_SIGNING_CERT_B64=$BASE64_PFX
|
|
SDK_SIGNING_CERT_PASSWORD=$PASSWORD
|
|
EOF
|
|
|
|
printf "Generated signing cert -> %s (base64 in README)\n" "$PFX"
|