cb47cce074
- Organized 252 files across project - Root directory: 187 → 2 files (98.9% reduction) - Moved configuration guides to docs/04-configuration/ - Moved troubleshooting guides to docs/09-troubleshooting/ - Moved quick start guides to docs/01-getting-started/ - Moved reports to reports/ directory - Archived temporary files - Generated comprehensive reports and documentation - Created maintenance scripts and guides All files organized according to established standards.
181 lines
5.6 KiB
Bash
Executable File
181 lines
5.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# minisign signing script for token lists
|
|
# Signs token list files for integrity verification
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
TOKEN_LISTS_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
|
|
LISTS_DIR="$TOKEN_LISTS_DIR/lists"
|
|
TOKEN_LIST_FILE="$LISTS_DIR/dbis-138.tokenlist.json"
|
|
PUBLIC_KEY_FILE="$TOKEN_LISTS_DIR/minisign.pub"
|
|
SIGNATURE_FILE="${TOKEN_LIST_FILE}.sig"
|
|
|
|
# Colors
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m'
|
|
|
|
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
|
|
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
|
|
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
|
|
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
|
|
|
|
# Check if minisign is available
|
|
if ! command -v minisign &> /dev/null; then
|
|
log_error "minisign is required but not installed"
|
|
log_info "Installation:"
|
|
log_info " macOS: brew install minisign"
|
|
log_info " Ubuntu/Debian: apt-get install minisign"
|
|
log_info " From source: https://github.com/jedisct1/minisign"
|
|
exit 1
|
|
fi
|
|
|
|
# Generate keypair (only if keys don't exist)
|
|
generate_keypair() {
|
|
local private_key_file="${MINISIGN_PRIVATE_KEY_FILE:-$TOKEN_LISTS_DIR/minisign.key}"
|
|
|
|
if [[ -f "$private_key_file" ]]; then
|
|
log_warn "Private key already exists: $private_key_file"
|
|
log_info "Skipping key generation"
|
|
return 0
|
|
fi
|
|
|
|
log_info "Generating minisign keypair..."
|
|
log_info "Private key will be saved to: $private_key_file"
|
|
log_info "Public key will be saved to: $PUBLIC_KEY_FILE"
|
|
log_warn "Keep the private key secure and never commit it to the repository!"
|
|
|
|
# Generate keypair (minisign will prompt for password)
|
|
if minisign -G -s "$private_key_file" -p "$PUBLIC_KEY_FILE"; then
|
|
log_success "Keypair generated successfully"
|
|
log_info ""
|
|
log_info "Next steps:"
|
|
log_info "1. Store the private key securely (e.g., password manager, secure vault)"
|
|
log_info "2. Add private key to GitHub Secrets as MINISIGN_PRIVATE_KEY"
|
|
log_info "3. Commit the public key: git add $PUBLIC_KEY_FILE"
|
|
log_info "4. Set MINISIGN_PRIVATE_KEY_FILE environment variable if using custom path"
|
|
else
|
|
log_error "Failed to generate keypair"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Sign token list
|
|
sign_list() {
|
|
local private_key_file="${MINISIGN_PRIVATE_KEY_FILE:-$TOKEN_LISTS_DIR/minisign.key}"
|
|
local private_key_content="${MINISIGN_PRIVATE_KEY:-}"
|
|
|
|
if [[ ! -f "$TOKEN_LIST_FILE" ]]; then
|
|
log_error "Token list file not found: $TOKEN_LIST_FILE"
|
|
exit 1
|
|
fi
|
|
|
|
log_info "Signing token list: $TOKEN_LIST_FILE"
|
|
|
|
# Check if private key exists or is provided via environment
|
|
if [[ -n "$private_key_content" ]]; then
|
|
# Use private key from environment variable
|
|
log_info "Using private key from MINISIGN_PRIVATE_KEY environment variable"
|
|
echo "$private_key_content" | minisign -S -s /dev/stdin -m "$TOKEN_LIST_FILE" -x "$SIGNATURE_FILE" || {
|
|
log_error "Failed to sign token list"
|
|
exit 1
|
|
}
|
|
elif [[ -f "$private_key_file" ]]; then
|
|
# Use private key file
|
|
minisign -S -s "$private_key_file" -m "$TOKEN_LIST_FILE" -x "$SIGNATURE_FILE" || {
|
|
log_error "Failed to sign token list"
|
|
exit 1
|
|
}
|
|
else
|
|
log_error "Private key not found"
|
|
log_info "Provide private key via:"
|
|
log_info " 1. File: Set MINISIGN_PRIVATE_KEY_FILE environment variable"
|
|
log_info " 2. Environment: Set MINISIGN_PRIVATE_KEY environment variable"
|
|
log_info " 3. Generate new: Run '$0 --generate-key'"
|
|
exit 1
|
|
fi
|
|
|
|
log_success "Token list signed successfully"
|
|
log_info "Signature file: $SIGNATURE_FILE"
|
|
|
|
# Display signature info
|
|
if [[ -f "$SIGNATURE_FILE" ]]; then
|
|
log_info ""
|
|
log_info "Signature preview:"
|
|
head -n 2 "$SIGNATURE_FILE" | head -c 100
|
|
echo "..."
|
|
log_info ""
|
|
fi
|
|
}
|
|
|
|
# Verify signature
|
|
verify_signature() {
|
|
if [[ ! -f "$TOKEN_LIST_FILE" ]]; then
|
|
log_error "Token list file not found: $TOKEN_LIST_FILE"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ ! -f "$SIGNATURE_FILE" ]]; then
|
|
log_error "Signature file not found: $SIGNATURE_FILE"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ ! -f "$PUBLIC_KEY_FILE" ]]; then
|
|
log_error "Public key file not found: $PUBLIC_KEY_FILE"
|
|
log_info "Public key should be at: $PUBLIC_KEY_FILE"
|
|
exit 1
|
|
fi
|
|
|
|
log_info "Verifying signature..."
|
|
|
|
if minisign -V -p "$PUBLIC_KEY_FILE" -m "$TOKEN_LIST_FILE" -x "$SIGNATURE_FILE"; then
|
|
log_success "Signature verification passed!"
|
|
return 0
|
|
else
|
|
log_error "Signature verification failed!"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# Main
|
|
main() {
|
|
local command="${1:-sign}"
|
|
|
|
case "$command" in
|
|
--generate-key|-g)
|
|
generate_keypair
|
|
;;
|
|
--sign|-s)
|
|
sign_list
|
|
;;
|
|
--verify|-v)
|
|
verify_signature
|
|
;;
|
|
sign)
|
|
sign_list
|
|
;;
|
|
verify)
|
|
verify_signature
|
|
;;
|
|
*)
|
|
echo "Usage: $0 [command]"
|
|
echo ""
|
|
echo "Commands:"
|
|
echo " sign, -s Sign the token list (default)"
|
|
echo " verify, -v Verify the signature"
|
|
echo " --generate-key, -g Generate a new keypair"
|
|
echo ""
|
|
echo "Environment variables:"
|
|
echo " MINISIGN_PRIVATE_KEY_FILE Path to private key file"
|
|
echo " MINISIGN_PRIVATE_KEY Private key content (for CI/CD)"
|
|
exit 1
|
|
;;
|
|
esac
|
|
}
|
|
|
|
main "${1:-sign}"
|
|
|