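#!/usr/bin/env bash
set -euo pipefail

# Generates a new cosign keypair for policy signing.
# Outputs PEMs in out/policy-sign/keys and base64 ready for CI secrets.
#
# Environment:
#   OUT_DIR         - directory for the keypair and README (default out/policy-sign/keys)
#   PREFIX          - filename prefix for the keypair (default policy-cosign)
#   COSIGN_PASSWORD - passphrase cosign uses to encrypt the private key; may be empty
#
# Files written: $OUT_DIR/$PREFIX.key, $OUT_DIR/$PREFIX.pub, $OUT_DIR/README.txt.
# The README repeats the private key in base64, so the whole OUT_DIR is secret
# material: everything here is created owner-only (umask 077) and an existing
# keypair is never overwritten.

die() { printf '%s\n' "$*" >&2; exit 1; }

OUT_DIR=${OUT_DIR:-out/policy-sign/keys}
PREFIX=${PREFIX:-policy-cosign}
PASSWORD=${COSIGN_PASSWORD:-}

command -v cosign >/dev/null 2>&1 || die "cosign is required on PATH"

# Keys and the README that embeds them must not be group/world readable.
umask 077
mkdir -p "$OUT_DIR"
KEY_PREFIX="$OUT_DIR/$PREFIX"

# Never clobber an existing keypair: a silently regenerated key would break
# verification of anything already signed with the old one.
for existing in "${KEY_PREFIX}.key" "${KEY_PREFIX}.pub"; do
  if [[ -e "$existing" ]]; then
    die "refusing to overwrite existing $existing (remove it or set PREFIX)"
  fi
done

# cosign reads COSIGN_PASSWORD from the environment; an empty value means the
# private key on disk is protected only by an empty passphrase.
if [[ -z "$PASSWORD" ]]; then
  printf 'warning: COSIGN_PASSWORD is empty; the private key will be encrypted with an empty passphrase\n' >&2
fi
export COSIGN_PASSWORD="$PASSWORD"
cosign version >/dev/null
cosign generate-key-pair --output-key-prefix "$KEY_PREFIX" >/dev/null

# Single-line base64: GNU base64 wraps at 76 columns, so strip the newlines
# to get values that paste straight into a CI secret.
BASE64_PRIV=$(base64 < "${KEY_PREFIX}.key" | tr -d '\n')
BASE64_PUB=$(base64 < "${KEY_PREFIX}.pub" | tr -d '\n')

# README content is kept verbatim (CI operators copy these lines as-is).
cat > "$OUT_DIR/README.txt" <<EOF
Key prefix: $KEY_PREFIX
Private key (base64): $BASE64_PRIV
Public key (base64): $BASE64_PUB
Set secrets:
POLICY_COSIGN_KEY_B64=$BASE64_PRIV
POLICY_COSIGN_PUB_B64=$BASE64_PUB
EOF
# Belt and braces: the README holds the private key, keep it owner-only even
# if the umask above was changed by a caller sourcing this script.
chmod 600 "$OUT_DIR/README.txt"

printf "Generated keys under %s\n" "$OUT_DIR"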