action-hsm-sign/entrypoint.sh

#!/bin/sh

if [ -n "${INPUT_PUBLIC_KEY}" ]; then
  curl -sLO "${INPUT_PUBLIC_KEY}" public_key
fi

dir="$(dirname "${INPUT_FILES}")"
glob="$(basename "${INPUT_FILES}")"
if [ "${glob}" = "**" ]; then
  all_files="$(find "$dir" -type f)"
else
  all_files="$(find "$dir" -maxdepth 1 -name "${glob}")"
fi
while IFS=  read -r f; do
  sign_dir="$(dirname "$f")"
  sign_file="$(basename "$f")"
  dest_sig="${sign_dir}/${sign_file}.sig"
  echo "Signing file $f. Signature file destination: ${dest_sig}"
  # We can't use a volume mount because it will use the host volume, and we're
  # not on the host, but in a container. So we'll create a container, copy
  # the file to sign in place, get the signature and copy that back
  container="$(docker create \
    -v /run/pcscd/pcscd.comm:/run/pcscd/pcscd.comm:ro \
    -e INPUT_PIN \
    git.lerch.org/lobo/pkcs11:1 \
    -s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i artifact -o signature --pin env:INPUT_PIN)"
  docker cp "$f" "${container}":/home/user/artifact
  docker start -a "$container" # let container run, pick up the exit code
  ec=$?
  if [ $ec -ne 0 ]; then
    docker rm "$container"
    exit $ec
  fi
  # We are clear. Copy signature back into the workspace and remove the container
  docker cp "${container}":/home/user/signature "${dest_sig}"
  docker rm "${container}"
  if [ -n "${INPUT_PUBLIC_KEY}" ]; then
    echo "Public key specified. Uploading to sigstore public transparency log"
    rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key public_key
    ec=$?
    if [ $ec -ne 0 ]; then
      exit $ec
    fi
  fi
done <<ALLFILES_INPUT
$all_files
ALLFILES_INPUT