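#!/bin/sh
# Sign every file matched by INPUT_FILES with a PKCS#11 token (driven
# through the pkcs11 container) and, when INPUT_PUBLIC_KEY is set, record
# each signature in the Rekor transparency log.
#
# Required env: INPUT_FILES  - path or glob; "<dir>/**" means recursive
#               INPUT_SLOT   - key id passed to the signing tool (--id)
#               INPUT_USER_PIN - token PIN; forwarded to the container via
#                                the environment only (see below)
# Optional env: INPUT_PUBLIC_KEY - URL of the signer's public key; when set,
#                                  each signature is uploaded to Rekor
# Outputs: "<file>.sig" next to every signed file.
# Exits non-zero on the first failed download, signing or upload step.
set -u

: "${INPUT_FILES:?INPUT_FILES must be set}"
: "${INPUT_SLOT:?INPUT_SLOT must be set}"
public_key_url="${INPUT_PUBLIC_KEY:-}"

if [ -n "${public_key_url}" ]; then
  # -o names the output explicitly: the previous "-O ... public_key" form
  # saved the key under the URL's basename and treated "public_key" as a
  # second URL, so the file rekor later reads usually did not exist.
  # -f turns HTTP errors into a failure instead of saving the error body
  # as the key; a bad fetch must stop the run before anything is signed.
  if ! curl -sSfL -o public_key "${public_key_url}"; then
    printf 'Failed to download public key from %s\n' "${public_key_url}" >&2
    exit 1
  fi
fi

dir="$(dirname "${INPUT_FILES}")"
glob="$(basename "${INPUT_FILES}")"

# "**" as the last path component means every regular file below $dir;
# anything else is matched one level deep. "! -type d" keeps $dir itself
# (which -name matches for a glob like "*") and sub-directories out of the
# list, since they cannot be signed.
if [ "${glob}" = "**" ]; then
  all_files="$(find "$dir" -type f)"
else
  all_files="$(find "$dir" -maxdepth 1 ! -type d -name "${glob}")"
fi

if [ -z "${all_files}" ]; then
  printf 'No files matched %s; nothing to sign\n' "${INPUT_FILES}" >&2
  exit 1
fi

# One path per line. POSIX sh has no NUL-delimited read, so file names that
# contain a newline are not supported; blank lines are skipped defensively.
while IFS= read -r f; do
  [ -n "$f" ] || continue
  sign_dir="$(dirname "$f")"
  sign_file="$(basename "$f")"
  dest_sig="${sign_dir}/${sign_file}.sig"
  printf 'Signing file %s. Signature file destination: %s\n' "$f" "${dest_sig}"
  # The PIN reaches the container only through the environment ("-e NAME"
  # with no value) and is read by the tool with "--pin env:...", so it never
  # appears in argv or process listings.
  # NOTE(review): the image tag "1" is mutable; pinning by digest
  # (image@sha256:<digest>) would make the signing tool reproducible.
  docker run --rm \
    -v /run/pcscd/pcscd.comm:/run/pcscd/pcscd.comm:ro \
    -v "${PWD}":/home/user \
    -e INPUT_USER_PIN \
    git.lerch.org/lobo/pkcs11:1 \
    -s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i "$f" -o "${dest_sig}" --pin env:INPUT_USER_PIN
  ec=$?
  if [ "$ec" -ne 0 ]; then
    exit "$ec"
  fi

  if [ -n "${public_key_url}" ]; then
    printf '%s\n' "Public key specified. Uploading to sigstore public transparency log"
    rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key public_key
    ec=$?
    if [ "$ec" -ne 0 ]; then
      exit "$ec"
    fi
  fi
done <<ALLFILES_INPUT
$all_files
ALLFILES_INPUT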