From eed15262979d7ab083b48806b6ec468d8fd357c3 Mon Sep 17 00:00:00 2001
From: Emil Lerch
Date: Mon, 27 Mar 2023 22:10:17 -0700
Subject: [PATCH] copy artifact/signature into/out of child container

---
 entrypoint.sh | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index e9c8c30..5dc5b3d 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -16,16 +16,24 @@ while IFS= read -r f; do
 sign_file="$(basename "$f")"
 dest_sig="${sign_dir}/${sign_file}.sig"
 echo "Signing file $f. Signature file destination: ${dest_sig}"
- docker run --rm \
+ # We can't use a volume mount because it will use the host volume, and we're
+ # not on the host, but in a container. So we'll create a container, copy
+ # the file to sign in place, get the signature and copy that back
+ container="$(docker create \
 -v /run/pcscd/pcscd.comm:/run/pcscd/pcscd.comm:ro \
- -v "${PWD}":/home/user \
 -e INPUT_PIN \
 git.lerch.org/lobo/pkcs11:1 \
- -s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i "$f" -o "${dest_sig}" --pin env:INPUT_PIN
+ -s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i artifact -o signature --pin env:INPUT_PIN)"
+ docker cp "$f" "${container}":/home/user/artifact
+ docker start -a "$container" # let container run, pick up the exit code
 ec=$?
 if [ $ec -ne 0 ]; then
+ docker rm "$container"
 exit $ec
 fi
+ # We are clear. Copy signature back into the workspace and remove the container
+ docker cp "${container}":/home/user/signature "${dest_sig}"
+ docker rm "${container}"
 if [ -n "${INPUT_PUBLIC_KEY}" ]; then
 echo "Public key specified. Uploading to sigstore public transparency log"
 rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key public_key
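Review bot: The container created by `docker create` leaks when `docker cp "$f" "${container}":/home/user/artifact` fails (missing or unreadable `$f`) or when the loop is interrupted, because the old `--rm` semantics are gone and only the `docker start` exit path and the success path call `docker rm`; each such iteration leaves a stopped container holding a copy of the artifact. Guard the copy with `docker cp "$f" "${container}":/home/user/artifact || { docker rm "${container}"; exit 1; }` and consider a `trap 'docker rm -f "${container}" >/dev/null 2>&1' EXIT` so a signal mid-signing also cleans up. The `-i artifact -o signature` arguments are relative to the image's working directory while the `docker cp` paths are absolute `/home/user/...`; this presumably relies on the image's WORKDIR being `/home/user`, and using the absolute paths in both places would remove that dependency. The copy-back `docker cp "${container}":/home/user/signature "${dest_sig}"` is also unchecked, so if no signature was produced the script proceeds to `rekor upload` with a missing file unless `set -e` is active earlier in the script. The enclosing `while` loop starts before this hunk and its body continues past it.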