copy artifact/signature into/out of child container
This commit is contained in:
parent
ef1192b9be
commit
eed1526297
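--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -16,16 +16,24 @@ while IFS= read -r f; do
 sign_file="$(basename "$f")"
 dest_sig="${sign_dir}/${sign_file}.sig"
 echo "Signing file $f. Signature file destination: ${dest_sig}"
-docker run --rm \
+# We can't use a volume mount because it will use the host volume, and we're
+# not on the host, but in a container. So we'll create a container, copy
+# the file to sign in place, get the signature and copy that back
+container="$(docker create \
 -v /run/pcscd/pcscd.comm:/run/pcscd/pcscd.comm:ro \
--v "${PWD}":/home/user \
 -e INPUT_PIN \
 git.lerch.org/lobo/pkcs11:1 \
--s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i "$f" -o "${dest_sig}" --pin env:INPUT_PIN
+-s --id "${INPUT_SLOT}" -m SHA256-RSA-PKCS -i artifact -o signature --pin env:INPUT_PIN)"
+docker cp "$f" "${container}":/home/user/artifact
+docker start -a "$container" # let container run, pick up the exit code
 ec=$?
 if [ $ec -ne 0 ]; then
+docker rm "$container"
 exit $ec
 fi
+# We are clear. Copy signature back into the workspace and remove the container
+docker cp "${container}":/home/user/signature "${dest_sig}"
+docker rm "${container}"
 if [ -n "${INPUT_PUBLIC_KEY}" ]; then
 echo "Public key specified. Uploading to sigstore public transparency log"
 rekor upload --artifact "$f" --signature "${dest_sig}" --pki-format x509 --public-key public_key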
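Review bot: Neither the `docker create` result nor the inbound `docker cp "$f" "${container}":/home/user/artifact` is checked, so a failed create leaves `container` empty and a failed copy still reaches `docker start`, and the only error the caller sees is the confusing one from the start step rather than the real cause. The two lines should fail closed and release the container on the copy path: `container="$(docker create ... )" || exit 1` and `docker cp "$f" "${container}":/home/user/artifact || { docker rm "$container"; exit 1; }`. Whether `ec=$?` ever runs on a non-zero `docker start -a` depends on the script's `set -e` setting, which is outside this hunk; if `-e` is on, the failure exits before the `docker rm` and the created container is leaked, so an `|| ec=$?` on the start line (or an EXIT trap that removes `$container`) would make the cleanup reliable. The enclosing `while IFS= read -r f; do` loop starts and ends outside the hunk. Minor style: the new code quotes the same variable as `"$container"` in two places and `"${container}"` in the others; pick one form.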