- Update dbis_core, cross-chain-pmm-lps, explorer-monorepo, metamask-integration, pr-workspace/chains - Omit embedded publish git dirs and empty placeholders from index Made-with: Cursor
#!/usr/bin/env bash
# Strict mode: stop on command failure, on unset variables and on a failing
# pipeline stage, so a half-finished run never reports a usable key.
set -euo pipefail

# Option flags; both are switched on by the argument parser further down.
FORCE=0
NO_EXPORT=0

# Directory holding this script, and the project root two levels above it.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"

# Default locations. The secret file lives under the user's home directory;
# the export helper lives in the project root.
SECURE_DIR_DEFAULT="${HOME}/.secure-secrets"
SECRET_FILE_DEFAULT="${SECURE_DIR_DEFAULT}/chain138-keeper.env"
EXPORT_FILE_DEFAULT="${PROJECT_ROOT}/.env.keeper.local"

# Effective paths: an environment override wins over the default; the
# --secret-file / --export-file options can still replace either one later.
SECRET_FILE="${KEEPER_SECRET_FILE:-${SECRET_FILE_DEFAULT}}"
EXPORT_FILE="${KEEPER_EXPORT_FILE:-${EXPORT_FILE_DEFAULT}}"

#######################################
# Print the command-line help text.
# Globals:   SECRET_FILE_DEFAULT (read), EXPORT_FILE_DEFAULT (read)
# Arguments: none
# Outputs:   help text on stdout (callers redirect it to stderr on errors)
#######################################
usage() {
  local prog
  prog="$(basename "$0")"
  cat <<EOF
Usage: ${prog} [--force] [--no-export-file] [--secret-file PATH] [--export-file PATH]

Generates a dedicated Chain 138 keeper signer, stores the raw private key outside the repo,
and writes a gitignored local helper that sources it.

Defaults:
secret file: ${SECRET_FILE_DEFAULT}
export file: ${EXPORT_FILE_DEFAULT}

The secret file contains:
KEEPER_PRIVATE_KEY=0x...
KEEPER_SIGNER_ADDRESS=0x...

The export file does not contain the secret. It only sources the secret file.
EOF
}

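#######################################
# Parse command-line options into the global settings.
# Globals:   SECRET_FILE, EXPORT_FILE, FORCE, NO_EXPORT (written)
# Arguments: the script's command-line arguments
# Outputs:   error text and usage on stderr for bad input
# Returns:   0 on success; exits 0 for -h/--help, 1 for invalid input
#######################################
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --secret-file | --export-file)
        # Under `set -u` a missing value would otherwise abort with a bare
        # "unbound variable" error; an empty path would make the later
        # redirect fail. Reject both with a clear message instead.
        if [[ $# -lt 2 || -z "$2" ]]; then
          echo "Missing value for $1" >&2
          usage >&2
          exit 1
        fi
        if [[ "$1" == "--secret-file" ]]; then
          SECRET_FILE="$2"
        else
          EXPORT_FILE="$2"
        fi
        shift 2
        ;;
      --force)
        FORCE=1
        shift
        ;;
      --no-export-file)
        NO_EXPORT=1
        shift
        ;;
      -h | --help)
        usage
        exit 0
        ;;
      *)
        echo "Unknown argument: $1" >&2
        usage >&2
        exit 1
        ;;
    esac
  done
}

parse_args "$@"
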
# Hard requirements: openssl supplies the random bytes and cast derives the
# signer address. Fail early if either is missing from PATH.
for required_tool in openssl cast; do
  if ! command -v "$required_tool" >/dev/null 2>&1; then
    echo "${required_tool} is required" >&2
    exit 1
  fi
done

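# Refuse to replace an existing signer unless --force was given; overwriting
# the file discards the previous private key.
# -e covers any existing path (not only regular files) and -L additionally
# catches a dangling symlink, which a plain -f test would let through and the
# later write would then follow.
if [[ ( -e "$SECRET_FILE" || -L "$SECRET_FILE" ) && "$FORCE" -ne 1 ]]; then
  echo "Refusing to overwrite existing secret file: $SECRET_FILE" >&2
  echo "Re-run with --force to replace it." >&2
  exit 1
fi
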
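# From here on, every file or directory this script creates is accessible to
# the current user only.
umask 077

secret_dir="$(dirname -- "$SECRET_FILE")"
mkdir -p -- "$secret_dir"

# umask only affects newly created directories, so tighten a pre-existing one
# as well. This stays best effort (the directory may not be ours to chmod),
# but a failure is reported instead of being silently ignored.
# NOTE(review): with a custom --secret-file this changes the mode of whatever
# directory contains that path, e.g. the working directory for ./keeper.env.
if ! chmod 700 -- "$secret_dir" 2>/dev/null; then
  echo "Warning: could not restrict permissions on ${secret_dir}; check that other users cannot access it." >&2
fi
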
# Generate the signer: draw 32 random bytes from openssl and let cast derive
# the address. A candidate that cast rejects is discarded and a new one is
# drawn, up to eight attempts in total.
# NOTE(review): the candidate key is passed on cast's command line, so it may
# be visible to other local users in process listings while that call runs.
# Run this on a single-user machine, or switch to an input method that keeps
# the key off argv if the installed cast offers one (confirm).
# cast's stderr is discarded, so the reason for a rejected candidate is not shown.
KEEPER_PRIVATE_KEY=""
KEEPER_SIGNER_ADDRESS=""
for ((attempt = 1; attempt <= 8; attempt++)); do
  candidate="0x$(openssl rand -hex 32)"
  addr="$(cast wallet address --private-key "$candidate" 2>/dev/null)" || continue
  KEEPER_PRIVATE_KEY="$candidate"
  KEEPER_SIGNER_ADDRESS="$addr"
  break
done

# Stop unless both the key and its derived address were produced; nothing has
# been written to disk at this point.
[[ -n "$KEEPER_PRIVATE_KEY" && -n "$KEEPER_SIGNER_ADDRESS" ]] || {
  echo "Failed to generate a valid keeper private key" >&2
  exit 1
}

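# The secret file is later read with `source`, so its contents are executed as
# shell. Only write values that have the expected hex shape.
if [[ ! "$KEEPER_PRIVATE_KEY" =~ ^0x[0-9a-fA-F]{64}$ || ! "$KEEPER_SIGNER_ADDRESS" =~ ^0x[0-9a-fA-F]{40}$ ]]; then
  echo "Refusing to write secret file: key or address has an unexpected format" >&2
  exit 1
fi

# A directory at the target path would make the rename below move the file
# into it instead of failing.
if [[ -d "$SECRET_FILE" ]]; then
  echo "Secret file path is a directory: $SECRET_FILE" >&2
  exit 1
fi

# Write to a private temporary file next to the target and rename it into
# place. Compared with redirecting straight into the target this
#   - never exposes the key through the looser mode of a file being replaced
#     with --force (mktemp creates the file readable by the owner only),
#   - replaces a symlink at the target rather than writing through it,
#   - never leaves a truncated secret file behind if the write fails.
secret_tmp="$(mktemp "${SECRET_FILE}.XXXXXX")"
trap 'rm -f -- "$secret_tmp"' EXIT
cat >"$secret_tmp" <<EOF
# Generated by $(basename "$0") on $(date -Iseconds)
KEEPER_PRIVATE_KEY=$KEEPER_PRIVATE_KEY
KEEPER_SIGNER_ADDRESS=$KEEPER_SIGNER_ADDRESS
EOF
chmod 600 "$secret_tmp"
mv -f -- "$secret_tmp" "$SECRET_FILE"
trap - EXIT
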
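# Write the local helper that points at the secret file and sources it. The
# helper holds the path only, never the key itself.
if [[ "$NO_EXPORT" -ne 1 ]]; then
  # The helper is executed by `source`, so the path must be embedded as a
  # shell-quoted word: a path containing quotes, `$` or backticks would
  # otherwise be interpreted as code when the helper is loaded.
  printf -v quoted_secret_file '%q' "$SECRET_FILE"
  cat >"$EXPORT_FILE" <<EOF
# Generated by $(basename "$0") on $(date -Iseconds)
# Local helper only; this file contains no secret material.
export KEEPER_SECRET_FILE=${quoted_secret_file}
if [ -f "\${KEEPER_SECRET_FILE}" ]; then
  set -a
  # shellcheck source=/dev/null
  source "\${KEEPER_SECRET_FILE}"
  set +a
fi
EOF
  chmod 600 "$EXPORT_FILE"
fi
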
# Report the result. Only the public address and the file location are
# printed; the private key itself is never echoed.
printf '%s\n' \
  "Keeper signer generated." \
  "Address: ${KEEPER_SIGNER_ADDRESS}" \
  "Secret: ${SECRET_FILE}"

# When the export helper was written, show where it is and the follow-up steps.
if ((NO_EXPORT != 1)); then
  printf '%s\n' \
    "Export: ${EXPORT_FILE}" \
    "" \
    "Next:" \
    "1. source \"${EXPORT_FILE}\"" \
    "2. grant KEEPER_ROLE / allow the signer where required" \
    "3. install KEEPER_PRIVATE_KEY on the runtime that submits performUpkeep()"
fi