
     1  #!/usr/bin/env bash
     2  set -euo pipefail
     3  #
     4  # This file exists to fix the impedance mismatch between cosign running one
     5  # command and ssh-keygen using either a fixed conflicting filename or stdout.
     6  #
     7  # This is failing badly on Ubuntu 20.04 stock ssh-keygen (8.2), so I'm leaving
     8  # this release tool in, but removing the invocation.  22.04 should be out soon
     9  # so we will try again with that.  As long as signature _verification_ works
    10  # portably, we still want a "tool everyone has" signature verifier.
    11  
    12  progname="$(dirname "$0")"
# Write a diagnostic line to stderr, prefixed with the script name.
# Globals:   progname (read)
# Arguments: the message words, joined by a single space
stderr() {
  local msg="$*"
  printf '%s: %s\n' "$progname" "$msg" >&2
}
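# Report an error on stderr and exit with the given status.
# Globals:   none written (the status is kept in a local, not leaked as `e`)
# Arguments: $1 - exit status; remaining arguments - message words
# Returns:   does not return
die_n() {
  local -r status="$1"
  shift
  stderr "$@"
  exit "$status"
}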
    15  EX_USAGE=64
    16  
    17  [[ -n "${SIGNING_KEY_SSH:-}" ]] || die_n $EX_USAGE 'missing env var SIGNING_KEY_SSH'
    18  
    19  artifact="${1:?need a file to sign}"
    20  signature="${2:?need a file to create}"
    21  
    22  # ssh-keygen won't read the key from a pipe
    23  
    24  keyfile="$(mktemp)"
    25  printf >> "$keyfile" '%s\n' "$SIGNING_KEY_SSH"
    26  
    27  set +e
    28  ssh-keygen -Y sign -n file \
    29  	-f "$keyfile" \
    30  	< "$artifact" > "$signature"
    31  ev=$?
    32  rm -f "$keyfile"
    33  exit $ev