Skip to content

Commit

Permalink
Update to use new secret naming scheme so we can have multiple keys
Browse files Browse the repository at this point in the history
  • Loading branch information
Rico Huijbers committed May 30, 2018
1 parent a809b67 commit 19fa33f
Showing 1 changed file with 17 additions and 12 deletions.
29 changes: 17 additions & 12 deletions sign.sh
Original file line number Diff line number Diff line change
@@ -1,32 +1,37 @@
#!/bin/bash
set -euo pipefail

if [[ "${1:-}" == "" ]]; then
echo "Usage: sign.sh FILE" >&2
if [[ "${2:-}" == "" ]]; then
echo "Usage: sign.sh ARTIFACTTYPE FILE [FILE...]" >&2
echo "">&2
echo "Creates detached signature as FILE.sig." >&2
exit 1
fi


tmpdir=$(mktemp -d)
trap "shred $tmpdir/* && rm -rf $tmpdir" EXIT

SECRET=CDK/SigningKey
SECRET=CDK/$1/SigningKey

# Use secrets manager to obtain the key and passphrase into a JSON file
echo "Retrieving key..." >&2
echo "Retrieving key $SECRET..." >&2
aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt
passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])")

echo "Importing key..." >&2
gpg --homedir $tmpdir --import <(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['PrivateKey'])")

echo "Signing $1..." >&2
echo $passphrase | gpg \
--homedir $tmpdir \
--local-user aws-cdk@amazon.com \
--batch --yes \
--passphrase-fd 0 \
--output $1.sig \
--detach-sign $1
while [[ "${2:-}" != "" ]]; do
echo "Signing $2..." >&2
echo $passphrase | gpg \
--homedir $tmpdir \
--local-user aws-cdk@amazon.com \
--batch --yes \
--passphrase-fd 0 \
--output $2.sig \
--detach-sign $2
shift
done

echo "Done!" >&2

0 comments on commit 19fa33f

Please sign in to comment.