action-hsm-sign/entrypoint.sh

#!/bin/sh

if [ -n "${INPUT_PUBLIC_KEY}" ]; then
  curl -sLO "${INPUT_PUBLIC_KEY}" public_key
fi

dir="$(dirname "${INPUT_FILES}")"
glob="$(basename "${INPUT_FILES}")"
if [ "${glob}" = "**" ]; then
  all_files="$(find "$dir" -type f)"
else
  all_files="$(find "$dir" -maxdepth 1 -name "${glob}")"
fi
while IFS=  read -r f; do
  sign_dir="$(dirname "$f")"
  sign_file="$(basename "$f")"
  dest_sig="${sign_dir}/${sign_file}.sig"
  echo "Signing file $f. Signature file destination: ${dest_sig}"
  docker run --rm \
    -v /run/pcscd/pcscd.comm:/run/pcscd/pcscd.comm:ro \
    -v "${PWD}":/home/user \
    git.lerch.org/lobo/pkcs11:1 \
    -s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i "$f" -o "${dest_sig}" --pin env:INPUT_USER_PIN
  if [ -n "${INPUT_PUBLIC_KEY}" ]; then
    echo "Public key specified. Uploading to sigstore public transparency log"
    rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key public_key
  fi
done <<ALLFILES_INPUT
$all_files
ALLFILES_INPUT