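#!/usr/bin/env bash
#
# sign-cosign: sign one release artifact with cosign, using a private key
# that is supplied through the environment instead of a file on disk.
#
# Usage:
#   sign-cosign ARTIFACT SIGNATURE_OUT
#
# Environment:
#   SIGNING_KEY_COSIGN  (required) the cosign private key material, passed
#                       verbatim to `cosign sign-blob --key`
#   COSIGN_PASSWORD     (optional) passphrase for that key; defaults to empty.
#                       There is no interactive prompt (stdin is /dev/null),
#                       so an encrypted key with no passphrase set fails fast.
#
# Exit status: 0 on success; 64 (EX_USAGE) for a missing argument, env var
# or input file; 69 (EX_UNAVAILABLE) if cosign is not installed; otherwise
# whatever cosign returned.
#
# The accepted cosign invocation pattern for using an environment variable as
# the key is to use <( ... ) substitution, which is not POSIX sh,
# so we use bash.  A side benefit is that cosign only ever sees a /dev/fd/N
# path in argv, so the key does not show up in `ps` output.
#
# If <https://github.com/sigstore/cosign/issues/1776> is resolved then the need
# for this wrapper goes away.

set -euo pipefail

# Script name for diagnostics.  The previous version used dirname(1), which
# printed the directory the script lives in instead of the script's name.
progname="${0##*/}"

# stderr: write "<progname>: <message>" to standard error.
stderr() { printf >&2 '%s: %s\n' "$progname" "$*"; }

# die_n: print a message on stderr and exit with the given status.
#   $1    exit status
#   $2..  message words
die_n() {
  local status="$1"
  shift
  stderr "$@"
  exit "$status"
}

# sysexits(3) codes, so a Makefile or CI job can tell misuse from a missing
# tool without parsing the message.
readonly EX_USAGE=64
readonly EX_UNAVAILABLE=69

# Fail with a clear message rather than bash's generic "command not found"
# from the cosign invocation at the bottom.
command -v cosign >/dev/null 2>&1 || die_n "$EX_UNAVAILABLE" 'cosign not found in PATH'
[[ -n "${SIGNING_KEY_COSIGN:-}" ]] || die_n "$EX_USAGE" 'missing env var SIGNING_KEY_COSIGN'

artifact="${1:?need a file to sign}"
signature="${2:?need a file to create}"

# cosign reads the key passphrase from COSIGN_PASSWORD.  Make sure it is
# defined (possibly empty) so `set -u` is happy and cosign sees an explicit
# value instead of trying to prompt on a terminal we do not give it.
: "${COSIGN_PASSWORD:=}"
export COSIGN_PASSWORD

# The key only needs to reach cosign through the <( ... ) file descriptor
# below, and the process substitution runs in a subshell that still sees
# the variable after it is un-exported.  Dropping the export keeps the raw
# key out of the environment of cosign and of anything cosign may spawn.
export -n SIGNING_KEY_COSIGN

# ${var@Q} (bash >= 4.4) shell-quotes the path so unusual characters in a
# filename are unambiguous in the message.
[[ -f "$artifact" ]] || die_n "$EX_USAGE" "missing input file: ${artifact@Q}"

# Remove a stale signature first so that a failed cosign run cannot leave an
# old signature in place that looks like it belongs to the new artifact.
if [[ -f "$signature" ]]; then
  stderr "deleting pre-existing signature file: ${signature@Q}"
  rm -f -- "$signature"
fi

# - stdin is /dev/null so cosign cannot block on a terminal prompt; a
#   missing or wrong COSIGN_PASSWORD therefore fails instead of hanging.
# - cosign 2.x requires --yes to confirm that uploading to the transparency
#   log (Rekor) is acceptable.  Be aware that this makes the artifact's digest
#   and the signing public key part of a public, append-only log.
# - The key is supplied via a file-descriptor path, never as an argument.
cosign sign-blob \
  --key <( printf '%s\n' "$SIGNING_KEY_COSIGN" ) \
  --output-signature "$signature" \
  --yes \
  "$artifact" \
  </dev/null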