action Dockerfile/entrypoint

Dockerfile

@@ -0,0 +1,16 @@
+FROM docker:20.10.23-dind-rootless
+# This is an alpine-based image
+
+USER root
+RUN true && \
+    apk add --no-cache curl && \
+    apkArch="$(arch)" && \
+    if [ $apkArch = "x86_64" ]; then apkArch=amd64; fi && \
+    curl -sLO https://github.com/sigstore/rekor/releases/download/v1.0.1/rekor-cli-linux-${apkArch} && \
+    mv rekor-cli-linux-${apkArch} /usr/bin/rekor && \
+    chmod 755 /usr/bin/rekor
+
+COPY entrypoint.sh /
+
+USER rootless
+ENTRYPOINT ["/entrypoint.sh"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Emil Lerch
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,16 @@
+Notifies using ntfy
+===================
+
+Usage:
+
+```yaml
+      - name: Notify
+        uses: https://git.lerch.org/lobo/action-notify-ntfy@v1
+        if: always()
+        with:
+          # Can use ** glob syntax for all files
+          files: output/**
+          user_pin: ${{ secrets.HSM_USER_PIN }}
+          # if specified, public key will be used to upload artifacts to the sigstore server
+          public_key: https://lerch.org/server_public_key.pem
+```

action.yml

@@ -0,0 +1,20 @@
+name: 'HSM Signing'
+description: 'Signs using HSM'
+author: 'lobo'
+inputs:
+  files:
+    description: 'Files to sign'
+    required: true
+  user_pin:
+    description: 'User pin for HSM on build server'
+    required: true
+  slot:
+    description: 'HSM slot used for signing'
+    required: true
+    default: 3
+  public_key:
+    description: 'URL to PEM format public key. Specify only if uploading to sigstore'
+    required: false
+runs:
+  using: 'docker'
+  image: 'Dockerfile'

entrypoint.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+if [ -n "${INPUT_PUBLIC_KEY}" ]; then
+  curl -sLO "${INPUT_PUBLIC_KEY}" public_key
+fi
+
+dir="$(dirname "${INPUT_FILES}")"
+glob="$(basename "${INPUT_FILES}")"
+if [ "${glob}" = "**" ]; then
+  all_files="$(find "$dir" -type f)"
+else
+  all_files="$(find "$dir" -maxdepth 1 -name "${glob}")"
+fi
+while IFS=  read -r f; do
+  sign_dir="$(dirname "$f")"
+  sign_file="$(basename "$f")"
+  dest_sig="${sign_dir}/${sign_file}.sig"
+  echo "Signing file $f. Signature file destination: ${dest_sig}"
+  docker run --rm \
+    -v /run/pcscd/pcscd.comm:/run/pcscd/pcscd.comm:ro \
+    -v "${PWD}":/home/user \
+    git.lerch.org/lobo/pkcs11:1 \
+    -s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i "$f" -o "${dest_sig}" --pin env:INPUT_USER_PIN
+  if [ -n "${INPUT_PUBLIC_KEY}" ]; then
+    echo "Public key specified. Uploading to sigstore public transparency log"
+    rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key public_key
+  fi
+done <<ALLFILES_INPUT
+$all_files
+ALLFILES_INPUT