github.com/nats-io/nsc@v0.0.0-20221206222106-35db9400b257/release/sign-cosign (about)

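#!/usr/bin/env bash
set -euo pipefail
#
# The accepted cosign invocation pattern for using an environment variable as
# the key is to use <( ... ) substitution, which is not POSIX sh,
# so we use bash.
#
# If <https://github.com/sigstore/cosign/issues/1776> is resolved then the need
# for this wrapper goes away.
#
# Usage: sign-cosign ARTIFACT SIGNATURE_OUT
# Required env: SIGNING_KEY_COSIGN  - private key contents handed to cosign --key
# Optional env: COSIGN_PASSWORD     - key passphrase; defaults to empty

# Script name used as the prefix of every diagnostic. This must be the
# basename of $0: dirname "$0" would print the directory the script lives in.
progname="${0##*/}"

# stderr MSG... -- write "<progname>: MSG..." to standard error.
stderr() { printf >&2 '%s: %s\n' "$progname" "$*"; }

# die_n STATUS MSG... -- report MSG... via stderr() and exit with STATUS.
die_n() {
  local e="$1"
  shift
  stderr "$@"
  exit "$e"
}

# sysexits(3) EX_USAGE: the command line or environment was misused.
EX_USAGE=64
readonly EX_USAGE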
    15  
# The key is read from the environment rather than from a file on disk.
if [[ -z "${SIGNING_KEY_COSIGN:-}" ]]; then
  die_n "$EX_USAGE" 'missing env var SIGNING_KEY_COSIGN'
fi

# Positional arguments; ${N:?...} aborts with the message when one is absent.
artifact="${1:?need a file to sign}"
signature="${2:?need a file to create}"

# cosign takes the passphrase from COSIGN_PASSWORD; an unset variable becomes
# an empty string so an unencrypted key still works (and set -u stays happy).
: "${COSIGN_PASSWORD:=}"
export COSIGN_PASSWORD

if [[ ! -f "$artifact" ]]; then
  die_n "$EX_USAGE" "missing input file: ${artifact@Q}"
fi

# A stale signature is removed first so cosign always writes a fresh file.
if [[ -f "$signature" ]]; then
  stderr "deleting pre-existing signature file: ${signature@Q}"
  rm -f -- "$signature"
fi

# The key material is fed through a process substitution: cosign's argv only
# carries the /dev/fd path, and printf is a bash builtin, so the key is never
# visible in any process's argument list nor written to a temp file.
# NOTE: enabling `set -x` in this script would print the printf line, key
# included, to the trace output.
cosign sign-blob \
  --key <( printf '%s\n' "$SIGNING_KEY_COSIGN" ) \
  --output-signature "$signature" \
  "$artifact"