@fzipi
Created March 21, 2024 11:57
Script for signing CRS releases
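#!/usr/bin/env bash
#
# Script to download the release from GitHub and sign it using the coreruleset GPG key
#
# Usage: <script> <version>      e.g. 4.0.0 (use only the numbers, no leading "v")
#
# Requirements: the private GPG key for security@coreruleset.org in the local
# keyring, and the gh cli (https://cli.github.com/) logged in via "gh auth login".
#
# Exit status: 1 usage/auth problem, 2 download failed, 3 signing failed,
# 4 signature did not verify, 5 upload failed.
#
# Shell options live here rather than on the shebang: "env bash -e" hands
# "bash -e" to env as a single program name on Linux, and shebang flags are
# dropped anyway when the script is run as "bash script.sh".
set -euo pipefail

# Signing options, kept as an array so every option is passed as its own
# argument instead of relying on unquoted word-splitting.
GPG_OPTIONS=(-b --default-key security@coreruleset.org --status-fd 0 --armor)
readonly REPO="coreruleset/coreruleset"
version=${1:-}
formats=("zip" "tar.gz")

# Print a message to stderr and exit with the given status (default 1).
die() {
  local status=${2:-1}
  printf '%s\n' "$1" >&2
  exit "$status"
}

echo "CRS Sign release script"
echo "======================="
echo "This script assumes you have the private GPG key for signing"
echo "Also that you have the gh cli command (https://cli.github.com/) and "
echo "you are logged in using gh auth login."
echo "Please check your status using \"gh auth status\"."

if [[ -z "$version" ]]; then
  die "$0 needs the version, e.g. 4.0.0 (use only the numbers)"
fi
# The version is interpolated into gh arguments and into file names below, so
# accept only release-number shaped values (a stray "v" prefix, whitespace or
# a path separator is rejected here rather than producing a confusing gh error).
if [[ ! "$version" =~ ^[0-9]+(\.[0-9]+)*(-[A-Za-z0-9.]+)?$ ]]; then
  die "$0: \"${version}\" does not look like a release number, e.g. 4.0.0 (use only the numbers)"
fi

# stdout is discarded but stderr is left visible: gh prints the account summary
# on stderr, which is what the user needs to see if the check fails.
if ! gh auth status 2>&1 >/dev/null; then
  printf '%s\n' "$0: you need to login using \"gh auth login\"." >&2
  die "If you have multiple GH accounts, check you are using the correct one, or use \"gh auth switch\""
fi

newdir=$(mktemp -d) || die "$0: mktemp failed"
# Remove the temporary directory on every exit path, not only on success, so
# downloaded archives and signatures are not left behind after a failure.
cleanup() { rm -rf -- "${newdir:?}"; }
trap cleanup EXIT
echo "Using ${newdir} for temporary files handling."
cd -- "$newdir" || die "$0: cannot cd to ${newdir}"

for ext in "${formats[@]}"; do
  archive="coreruleset-${version}.${ext}"
  echo "Downloading release ${version} - ${ext}"
  if ! gh release download -R "$REPO" -A "$ext" "v${version}"; then
    die "$0: release v${version} not found. Quitting." 2
  fi
  # gh names the downloaded archive after the tag; stop here if the expected
  # file did not appear rather than signing nothing.
  [[ -f "$archive" ]] || die "$0: expected ${archive} after download, file not found." 2

  echo "Signing files"
  if ! gpg "${GPG_OPTIONS[@]}" "./${archive}"; then
    die "$0: problem GPG signing release" 3
  fi
  # Verify the detached signature against the archive explicitly instead of
  # letting gpg infer the data file from the .asc name.
  if ! gpg --verify "./${archive}.asc" "./${archive}"; then
    die "$0: bad signature verifying file" 4
  fi
  if ! gh release upload -R "$REPO" "v${version}" "./${archive}.asc"; then
    die "$0: couldn't upload ./${archive}.asc artifact to release." 5
  fi
done

echo "Done."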