Script for signing CRS releases
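#!/usr/bin/env bash
#
# Script to download the release from GitHub and sign it using the coreruleset GPG key
#
# Usage: $0 <version>      e.g. 4.0.0 (use only the numbers, no leading "v")
#
# Assumptions:
#   - the private GPG key for security@coreruleset.org is available to gpg
#   - the gh cli (https://cli.github.com/) is installed and logged in
#     ("gh auth login"; check with "gh auth status")
#
# Exit codes: 1 usage / not logged in, 2 download failed, 3 signing failed,
#             4 signature did not verify, 5 upload failed.
#
# Shell options live in `set`, not the shebang: `#!/usr/bin/env bash -e` is
# passed to env as a single "bash -e" program name on Linux and the -e is
# silently lost when the script is run as `bash script.sh`.
set -euo pipefail

# Detached (-b), ASCII-armored signature made with the project key.
# NOTE(review): --status-fd 0 points at stdin, which is an unusual place for
# gpg status output; confirm the intended descriptor (1 = stdout, 2 = stderr).
GPG_OPTIONS=(-b --default-key security@coreruleset.org --status-fd 0 --armor)
readonly REPO="coreruleset/coreruleset"
version=${1:-}
formats=("zip" "tar.gz")

#######################################
# Print a message to stderr and exit.
# Arguments: $1 - exit status, $2.. - message
#######################################
die() {
  local rc=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$rc"
}

echo "CRS Sign release script"
echo "======================="
echo "This script assumes you have the private GPG key for signing"
echo "Also that you have the gh cli command (https://cli.github.com/) and "
echo "you are logged in using gh auth login."
echo "Please check your status using \"gh auth status\"."

if [[ -z "$version" ]]; then
  die 1 "$0 needs the version, e.g. 4.0.0 (use only the numbers)"
fi
# The version is spliced into file names and into the gh tag argument, so
# reject anything that is not a plain version string (path separators,
# whitespace, or a leading dash that gh/gpg would parse as an option).
if [[ ! "$version" =~ ^[0-9][0-9A-Za-z.+-]*$ ]]; then
  die 1 "$0: invalid version \"${version}\", e.g. 4.0.0 (use only the numbers)"
fi

# Silence both streams; the original `2>&1 >/dev/null` ordering only
# discarded stdout and let stderr through.
if ! gh auth status >/dev/null 2>&1; then
  printf '%s\n' "$0: you need to login using \"gh auth login\"." >&2
  die 1 "If you have multiple GH accounts, check you are using the correct one, or use \"gh auth switch\""
fi

newdir=$(mktemp -d) || die 1 "$0: could not create a temporary directory"
# Remove the temporary directory on every exit path, including the
# error exits below. `:?` refuses to run rm -rf on an empty variable.
cleanup() { rm -rf -- "${newdir:?}"; }
trap cleanup EXIT
echo "Using ${newdir} for temporary files handling."
cd -- "$newdir" || die 1 "$0: cannot cd to ${newdir}"

for ext in "${formats[@]}"; do
  artifact="coreruleset-${version}.${ext}"
  echo "Downloading release ${version} - ${ext}"
  if ! gh release download -R "$REPO" -A "$ext" "v${version}"; then
    die 2 "$0: release v${version} not found. Quitting."
  fi
  # The download is expected to produce "<repo>-<version>.<ext>"; fail
  # early if the file is not there rather than letting gpg report it.
  [[ -f "./${artifact}" ]] || die 2 "$0: expected ./${artifact} after download. Quitting."

  echo "Signing files"
  if ! gpg "${GPG_OPTIONS[@]}" "./${artifact}"; then
    die 3 "$0: problem GPG signing release"
  fi
  # Verify the detached signature against the exact file that was signed,
  # instead of relying on gpg to derive the data file name from the .asc.
  if ! gpg --verify "./${artifact}.asc" "./${artifact}"; then
    die 4 "$0: bad signature verifying file"
  fi
  if ! gh release upload -R "$REPO" "v${version}" "./${artifact}.asc"; then
    die 5 "$0: couldn't upload ./${artifact}.asc artifact to release."
  fi
done

# temporary files are removed by the EXIT trap
echo "Done."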