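#!/usr/bin/env bash
# Verifies signing prerequisites without requiring the actual key contents.
#
# Environment:
#   MIRROR_SIGN_KEY_B64   base64-encoded signing key. Optional unless
#                         REQUIRE_PROD_SIGNING=1.
#   REQUIRE_PROD_SIGNING  set to "1" to fail instead of warn when the key is
#                         missing (default "0").
#
# Exit codes:
#   0  prerequisites present
#   2  key missing while REQUIRE_PROD_SIGNING=1
#   3  MIRROR_SIGN_KEY_B64 is set but is not valid base64
#   4  a required script is missing
#
# NOTE(review): without REQUIRE_PROD_SIGNING=1 a missing key is only a warning
# and, per the message below, ci-sign.sh then signs with an embedded test key.
# Release pipelines should export REQUIRE_PROD_SIGNING=1 so a lost or unset
# secret fails the job instead of producing a test-signed bundle.
#
# Do not enable `set -x` in this script: tracing would print the expanded key.
set -euo pipefail

# Read the key once with an empty default. Expanding the bare variable later
# would abort under `set -u` on the warn-and-continue path.
key_b64="${MIRROR_SIGN_KEY_B64:-}"

if [[ -z "$key_b64" ]]; then
  if [[ "${REQUIRE_PROD_SIGNING:-0}" == "1" ]]; then
    echo "[error] MIRROR_SIGN_KEY_B64 is required for production signing; set the secret before running." >&2
    exit 2
  fi
  echo "[warn] MIRROR_SIGN_KEY_B64 is not set; ci-sign.sh will fall back to embedded test key (non-production)." >&2
  key_state="key env NOT set, test-key fallback"
else
  # Basic base64 sanity check. The key goes through the printf builtin and a
  # pipe, so it never appears in a process argument list; the decoded bytes
  # are discarded. This only proves the value decodes, not that it is a
  # usable signing key.
  if ! printf '%s' "$key_b64" | base64 -d >/dev/null 2>&1; then
    echo "MIRROR_SIGN_KEY_B64 is not valid base64" >&2
    exit 3
  fi
  key_state="key env set"
fi

# Ensure the signing and verification scripts exist as regular files.
# (`-x` alone also succeeds for a searchable directory, so test `-f` only.)
for f in \
  scripts/mirror/ci-sign.sh \
  scripts/mirror/sign_thin_bundle.py \
  scripts/mirror/verify_thin_bundle.py; do
  [[ -f "$f" ]] || { echo "$f missing" >&2; exit 4; }
done

# Report which key state was actually observed, so the log cannot claim a key
# is present when the test-key fallback is in effect.
echo "Signing prerequisites present (${key_state}, scripts available)."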