From d6ca833927ebc8efc0ed36b9c64aeab00c4e7f32 Mon Sep 17 00:00:00 2001
From: Emil Lerch
Date: Mon, 27 Mar 2023 21:01:32 -0700
Subject: [PATCH] action Dockerfile/entrypoint
---
Dockerfile | 16 ++++++++++++++++
LICENSE | 21 +++++++++++++++++++++
README.md | 16 ++++++++++++++++
action.yml | 20 ++++++++++++++++++++
entrypoint.sh | 30 ++++++++++++++++++++++++++++++
5 files changed, 103 insertions(+)
create mode 100644 Dockerfile
create mode 100644 LICENSE
create mode 100644 README.md
create mode 100644 action.yml
create mode 100755 entrypoint.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..4180661
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,16 @@
+FROM docker:20.10.23-dind-rootless
+# This is an alpine-based image
+
+USER root
+RUN true && \
+ apk add --no-cache curl && \
+ apkArch="$(arch)" && \
+ if [ $apkArch = "x86_64" ]; then apkArch=amd64; fi && \
+ curl -sLO https://github.com/sigstore/rekor/releases/download/v1.0.1/rekor-cli-linux-${apkArch} && \
+ mv rekor-cli-linux-${apkArch} /usr/bin/rekor && \
+ chmod 755 /usr/bin/rekor
+
+COPY entrypoint.sh /
+
+USER rootless
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..a339f72
--- /dev/null
+++ b/LICENSE
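Review bot: The rekor-cli binary fetched in the RUN step is installed with no integrity check, and `curl -sLO` lacks `-f`, so an HTTP error page returned by GitHub would be saved as `/usr/bin/rekor`, made executable and shipped, and a tampered release asset would be accepted just the same. Since this image exists to publish signatures to a transparency log, the tool should be pinned by digest: add `-f` and verify the download before the `mv`, e.g. `curl -fsSLO "https://github.com/sigstore/rekor/releases/download/v1.0.1/rekor-cli-linux-${apkArch}" && \` followed by `echo "${REKOR_SHA256}  rekor-cli-linux-${apkArch}" | sha256sum -c - && \`, with `REKOR_SHA256` supplied by an `ARG` per supported `apkArch` (taken from the release's checksum file if one is published, or recorded once from a verified download). `$apkArch` in the `[ ... ]` test should also be quoted, matching the quoting used elsewhere in the step.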
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Emil Lerch
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..27a52f9
--- /dev/null
+++ b/README.md
@@ -0,0 +1,16 @@
+Notifies using ntfy
+===================
+
+Usage:
+
+```yaml
+ - name: Notify
+ uses: https://git.lerch.org/lobo/action-notify-ntfy@v1
+ if: always()
+ with:
+ # Can use ** glob syntax for all files
+ files: output/**
+ user_pin: ${{ secrets.HSM_USER_PIN }}
+ # if specified, public key will be used to upload artifacts to the sigstore server
+ public_key: https://lerch.org/server_public_key.pem
+```
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..d6cfc55
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,20 @@
+name: 'HSM Signing'
+description: 'Signs using HSM'
+author: 'lobo'
+inputs:
+ files:
+ description: 'Files to sign'
+ required: true
+ user_pin:
+ description: 'User pin for HSM on build server'
+ required: true
+ slot:
+ description: 'HSM slot used for signing'
+ required: true
+ default: 3
+ public_key:
+ description: 'URL to PEM format public key. Specify only if uploading to sigstore'
+ required: false
+runs:
+ using: 'docker'
+ image: 'Dockerfile'
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..270de3f
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+if [ -n "${INPUT_PUBLIC_KEY}" ]; then
+ curl -sLO "${INPUT_PUBLIC_KEY}" public_key
+fi
+
+dir="$(dirname "${INPUT_FILES}")"
+glob="$(basename "${INPUT_FILES}")"
+if [ "${glob}" = "**" ]; then
+ all_files="$(find "$dir" -type f)"
+else
+ all_files="$(find "$dir" -maxdepth 1 -name "${glob}")"
+fi
+while IFS= read -r f; do
+ sign_dir="$(dirname "$f")"
+ sign_file="$(basename "$f")"
+ dest_sig="${sign_dir}/${sign_file}.sig"
+ echo "Signing file $f. Signature file destination: ${dest_sig}"
+ docker run --rm \
+ -v /run/pcscd/pcscd.comm:/run/pcscd/pcscd.comm:ro \
+ -v "${PWD}":/home/user \
+ git.lerch.org/lobo/pkcs11:1 \
+ -s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i "$f" -o "${dest_sig}" --pin env:INPUT_USER_PIN
+ if [ -n "${INPUT_PUBLIC_KEY}" ]; then
+ echo "Public key specified. Uploading to sigstore public transparency log"
+ rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key public_key
+ fi
+done <
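Review bot: The `slot` input is declared `required: true` and at the same time given `default: 3`, which is contradictory; as far as I know a required input that has a default is never reported as missing by the runner, so the flag does nothing and misleads readers into thinking callers must pick a slot. Keep one of the two: drop `required: true` if slot 3 is the intended default, or drop `default: 3` if the caller must choose explicitly. The `user_pin` description should also state that the value is a credential and must be passed from a repository secret rather than a literal — the README example does this, the input description does not, e.g. `description: 'User PIN for the HSM on the build server (pass from a secret, never a literal)'`.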