2023-03-28 04:01:32 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
dir="$(dirname "${INPUT_FILES}")"
|
|
|
|
glob="$(basename "${INPUT_FILES}")"
|
2023-03-28 06:09:02 +00:00
|
|
|
# Pass these through sort so we can have deterministic output indexing
|
2023-03-28 04:01:32 +00:00
|
|
|
if [ "${glob}" = "**" ]; then
|
2023-03-28 06:09:02 +00:00
|
|
|
all_files="$(find "$dir" -type f |sort)"
|
2023-03-28 04:01:32 +00:00
|
|
|
else
|
2023-03-28 06:09:02 +00:00
|
|
|
all_files="$(find "$dir" -maxdepth 1 -name "${glob}" |sort)"
|
2023-03-28 04:01:32 +00:00
|
|
|
fi
|
2023-03-28 06:09:02 +00:00
|
|
|
i=0
|
2023-03-28 04:01:32 +00:00
|
|
|
while IFS= read -r f; do
|
|
|
|
sign_dir="$(dirname "$f")"
|
|
|
|
sign_file="$(basename "$f")"
|
|
|
|
dest_sig="${sign_dir}/${sign_file}.sig"
|
|
|
|
echo "Signing file $f. Signature file destination: ${dest_sig}"
|
2023-03-28 05:10:17 +00:00
|
|
|
# We can't use a volume mount because it will use the host volume, and we're
|
|
|
|
# not on the host, but in a container. So we'll create a container, copy
|
|
|
|
# the file to sign in place, get the signature and copy that back
|
|
|
|
container="$(docker create \
|
2023-03-28 04:01:32 +00:00
|
|
|
-v /run/pcscd/pcscd.comm:/run/pcscd/pcscd.comm:ro \
|
2023-03-28 04:46:07 +00:00
|
|
|
-e INPUT_PIN \
|
2023-03-28 04:01:32 +00:00
|
|
|
git.lerch.org/lobo/pkcs11:1 \
|
2023-03-28 05:10:17 +00:00
|
|
|
-s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i artifact -o signature --pin env:INPUT_PIN)"
|
|
|
|
docker cp "$f" "${container}":/home/user/artifact
|
|
|
|
docker start -a "$container" # let container run, pick up the exit code
|
2023-03-28 04:27:33 +00:00
|
|
|
ec=$?
|
|
|
|
if [ $ec -ne 0 ]; then
|
2023-03-28 05:10:17 +00:00
|
|
|
docker rm "$container"
|
2023-03-28 04:27:33 +00:00
|
|
|
exit $ec
|
|
|
|
fi
|
2023-03-28 05:10:17 +00:00
|
|
|
# We are clear. Copy signature back into the workspace and remove the container
|
|
|
|
docker cp "${container}":/home/user/signature "${dest_sig}"
|
|
|
|
docker rm "${container}"
|
2023-03-28 04:01:32 +00:00
|
|
|
if [ -n "${INPUT_PUBLIC_KEY}" ]; then
|
2023-03-28 05:50:06 +00:00
|
|
|
echo "Public key url specified. Uploading to sigstore public transparency log"
|
|
|
|
echo "Fetching key from ${INPUT_PUBLIC_KEY}"
|
|
|
|
curl -sLo /tmp/public_key "${INPUT_PUBLIC_KEY}"
|
|
|
|
ec=$?; if [ $ec -ne 0 ]; then exit $ec; fi
|
2023-03-28 06:09:02 +00:00
|
|
|
output=$(rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key /tmp/public_key)
|
|
|
|
ec=$?; echo "$output"; if [ $ec -ne 0 ]; then exit $ec; fi
|
2023-03-28 06:19:20 +00:00
|
|
|
# Index will not be there if the entry already exists
|
|
|
|
# echo "INDEX_${i}=$(echo "$output"|cut -d, -f1|cut -d\ -f5)" >> "${GITHUB_OUTPUT}"
|
|
|
|
# The parsing, though, is identical
|
2023-03-28 06:09:02 +00:00
|
|
|
echo "URL_${i}=$(echo "$output"|cut -d: -f2-|cut -d\ -f2)" >> "${GITHUB_OUTPUT}"
|
|
|
|
echo "SOURCE_${i}=${f}" >> "${GITHUB_OUTPUT}"
|
|
|
|
echo "SIG_${i}=${dest_sig}" >> "${GITHUB_OUTPUT}"
|
|
|
|
i=$((i+1))
|
2023-03-28 04:01:32 +00:00
|
|
|
fi
|
|
|
|
done <<ALLFILES_INPUT
|
|
|
|
$all_files
|
|
|
|
ALLFILES_INPUT
|