action Dockerfile/entrypoint
parent
d0d26b7e80
commit
d6ca833927
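--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,16 @@
+FROM docker:20.10.23-dind-rootless
+# This is an alpine-based image
+
+USER root
+RUN true && \
+apk add --no-cache curl && \
+apkArch="$(arch)" && \
+if [ $apkArch = "x86_64" ]; then apkArch=amd64; fi && \
+curl -sLO https://github.com/sigstore/rekor/releases/download/v1.0.1/rekor-cli-linux-${apkArch} && \
+mv rekor-cli-linux-${apkArch} /usr/bin/rekor && \
+chmod 755 /usr/bin/rekor
+
+COPY entrypoint.sh /
+
+USER rootless
+ENTRYPOINT ["/entrypoint.sh"]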
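Review bot: The rekor-cli binary fetched by `curl -sLO https://github.com/sigstore/rekor/releases/download/v1.0.1/rekor-cli-linux-${apkArch}` is moved to /usr/bin/rekor with no integrity check, and because `-f` is absent a non-200 response (an HTML error page, for instance) would be saved and chmod'd into place as the binary. Pin the release asset's digest and fail the build on mismatch: `curl -fsSLO https://github.com/sigstore/rekor/releases/download/v1.0.1/rekor-cli-linux-${apkArch} && \` followed by `echo "<sha256-of-asset-from-release-page>  rekor-cli-linux-${apkArch}" | sha256sum -c - && \`. The `[ $apkArch = "x86_64" ]` test on the line above should quote `"$apkArch"`, and since only x86_64 is mapped, any other architecture would request an asset name the release presumably does not publish, so either map the remaining values or fail explicitly there.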
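--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Emil Lerch
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.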
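--- a/README.md
+++ b/README.md
@@ -0,0 +1,16 @@
+Notifies using ntfy
+===================
+
+Usage:
+
+```yaml
+- name: Notify
+uses: https://git.lerch.org/lobo/action-notify-ntfy@v1
+if: always()
+with:
+# Can use ** glob syntax for all files
+files: output/**
+user_pin: ${{ secrets.HSM_USER_PIN }}
+# if specified, public key will be used to upload artifacts to the sigstore server
+public_key: https://lerch.org/server_public_key.pem
+```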
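--- a/action.yml
+++ b/action.yml
@@ -0,0 +1,20 @@
+name: 'HSM Signing'
+description: 'Signs using HSM'
+author: 'lobo'
+inputs:
+files:
+description: 'Files to sign'
+required: true
+user_pin:
+description: 'User pin for HSM on build server'
+required: true
+slot:
+description: 'HSM slot used for signing'
+required: true
+default: 3
+public_key:
+description: 'URL to PEM format public key. Specify only if uploading to sigstore'
+required: false
+runs:
+using: 'docker'
+image: 'Dockerfile'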
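Review bot: The `slot` input is declared both `required: true` and `default: 3`, which is contradictory: a default makes the input optional, and action input defaults are strings, so the bare integer is also inconsistent with the quoted values used elsewhere in this file. Suggested lines: `required: false` and `default: '3'`. The `user_pin` description could additionally state that the value should come from a repository secret, as the README example does with `${{ secrets.HSM_USER_PIN }}`, since it is handed to the container as an environment variable.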
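--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+if [ -n "${INPUT_PUBLIC_KEY}" ]; then
+curl -sLO "${INPUT_PUBLIC_KEY}" public_key
+fi
+
+dir="$(dirname "${INPUT_FILES}")"
+glob="$(basename "${INPUT_FILES}")"
+if [ "${glob}" = "**" ]; then
+all_files="$(find "$dir" -type f)"
+else
+all_files="$(find "$dir" -maxdepth 1 -name "${glob}")"
+fi
+while IFS= read -r f; do
+sign_dir="$(dirname "$f")"
+sign_file="$(basename "$f")"
+dest_sig="${sign_dir}/${sign_file}.sig"
+echo "Signing file $f. Signature file destination: ${dest_sig}"
+docker run --rm \
+-v /run/pcscd/pcscd.comm:/run/pcscd/pcscd.comm:ro \
+-v "${PWD}":/home/user \
+git.lerch.org/lobo/pkcs11:1 \
+-s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i "$f" -o "${dest_sig}" --pin env:INPUT_USER_PIN
+if [ -n "${INPUT_PUBLIC_KEY}" ]; then
+echo "Public key specified. Uploading to sigstore public transparency log"
+rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key public_key
+fi
+done <<ALLFILES_INPUT
+$all_files
+ALLFILES_INPUT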
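Review bot: `curl -sLO "${INPUT_PUBLIC_KEY}" public_key` does not produce a file named `public_key`: `-O` saves under the URL's remote filename, and the trailing `public_key` is parsed as a second URL, so the later `rekor upload ... --public-key public_key` will not find the file unless the URL happens to end in that name. Use an explicit output path and fail on HTTP errors: `curl -fsSL -o public_key "${INPUT_PUBLIC_KEY}"`. The script also has no `set -eu`, so a failed download, signing or upload step is ignored and the action still reports success; adding `set -eu` after the shebang makes each failure fatal. The `docker run` passes `--pin env:INPUT_USER_PIN` but no `-e INPUT_USER_PIN`, so unless the image obtains the variable some other way the signing container will not see the pin; `-e INPUT_USER_PIN` (name only, value taken from the environment) supplies it without placing the secret on the command line. `find "$dir" -type f` in the `**` branch will also pick up `.sig` files generated by earlier runs, so a `! -name '*.sig'` filter may be wanted.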