#!/bin/bash
# Run another command with the signing key for the current scope,
# if set.
#
# Upon running the subcommand, $KEY_AVAILABLE will be set to either
# 'true' or 'false'. If $KEY_AVAILABLE is 'true', the following
# variables will be set as well:
#
#    $KEY_ID
#    $KEY_PASSPHRASE
#    $GPG_PASSPHRASE_FROM_STDIN
#
# The environment variable KEY_PASSPHRASE will be set to
# the key's passphrase, to pass in like so:
#
#    echo "$KEY_PASSPHRASE" | gpg ${GPG_PASSPHRASE_FROM_STDIN} \
#        ...other gpg arguments...   (GPG_PASSPHRASE_FROM_STDIN is left unquoted on purpose: it holds several flags)
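set -euo pipefail

# Print a diagnostic to stderr and exit 1.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

# Print the usage text to stderr and exit 1.
usage() {
    printf 'Usage: with-signing-key.sh CMD [ARG...]\n' >&2
    printf '\n' >&2
    printf 'Run another command with a preloaded GPG keyring.\n' >&2
    exit 1
}

# Remove the throwaway GNUPGHOME (secret file and keyring) on every exit path.
# Globals: tmpdir (read), GNUPGHOME (read by gpgconf)
# The agent gpg started for that home is asked to stop first, so the imported
# secret key does not outlive the directory in the agent's memory.
cleanup() {
    if [[ -n "${tmpdir:-}" ]]; then
        if command -v gpgconf >/dev/null 2>&1; then
            gpgconf --kill gpg-agent 2>/dev/null || true   # best effort; may not be running
        fi
        rm -rf -- "${tmpdir:?}"
    fi
}

# Print one top-level field of the JSON secret stored in $tmpdir/secret.txt.
# Globals:   tmpdir (read)
# Arguments: $1 - property name, e.g. Passphrase or PrivateKey
# Outputs:   the field value plus a trailing newline, on stdout
# Returns:   non-zero if the file is unreadable or not JSON, or if the field
#            is absent / not a string (instead of printing "undefined")
# The path and field name reach node through the environment rather than
# being spliced into the JavaScript source text, so neither value can change
# what the program does.
value-from-secret() {
    SECRET_FILE="$tmpdir/secret.txt" SECRET_FIELD="$1" node -e '
        const fs = require("fs");
        const secret = JSON.parse(fs.readFileSync(process.env.SECRET_FILE, { encoding: "utf-8" }));
        const value = secret[process.env.SECRET_FIELD];
        if (typeof value !== "string") {
            console.error("field " + process.env.SECRET_FIELD + " is missing from the secret");
            process.exit(1);
        }
        console.log(value);
    '
}

# Fetch the signing key from Secrets Manager into a temporary GNUPGHOME and
# export KEY_PASSPHRASE, KEY_ID, GPG_PASSPHRASE_FROM_STDIN, GNUPGHOME (and
# GPG_TTY when a terminal is present) for the subcommand.
# Globals: SIGNING_KEY_ARN (read), tmpdir (written), the exports above
# Returns: exits non-zero if any step fails
load_signing_key() {
    local tty_path

    tmpdir=$(mktemp -d) || die "mktemp failed"
    trap cleanup EXIT

    # Use secrets manager to obtain the key and passphrase into a JSON file
    # (the directory mktemp -d created is mode 0700, so the file is private).
    printf 'Retrieving key %s...\n' "$SIGNING_KEY_ARN" >&2
    aws secretsmanager get-secret-value \
        --secret-id "$SIGNING_KEY_ARN" \
        --output text --query SecretString > "$tmpdir/secret.txt"

    # Assign separately from 'export': 'export X=$(cmd)' returns export's
    # status, so a failing node invocation would otherwise slip past set -e.
    KEY_PASSPHRASE=$(value-from-secret Passphrase)
    export KEY_PASSPHRASE

    # GnuPG will occasionally bail out with "gpg: <whatever> failed:
    # Inappropriate ioctl for device"; pointing it at our terminal avoids that.
    # Without a terminal 'tty' exits 1 and prints "not a tty", so the
    # assignment is guarded rather than allowed to trip set -e (or to export
    # a meaningless value).
    if tty_path=$(tty 2>/dev/null); then
        export GPG_TTY=$tty_path
    fi
    export GNUPGHOME=$tmpdir

    printf 'Importing key...\n' >&2
    gpg --allow-secret-key-import \
        --batch --yes --no-tty \
        --import <(value-from-secret PrivateKey)

    # In --with-colons output field 1 is the record type and field 5 the key
    # ID.  Match on the record type rather than 'grep pub', which would also
    # hit any uid line containing that substring; take the first key only so
    # KEY_ID is never multi-line.
    KEY_ID=$(gpg --list-keys --with-colons | awk -F: '$1 == "pub" { print $5; exit }')
    [[ -n "$KEY_ID" ]] || die "no public key found in keyring after import"
    export KEY_ID

    # Flags the subcommand splices (unquoted) into its gpg call so the
    # passphrase is read from stdin without a pinentry dialog.
    export GPG_PASSPHRASE_FROM_STDIN="--passphrase-fd 0 --pinentry-mode loopback"

    export KEY_AVAILABLE=true
}

[[ -z "${1:-}" ]] && usage

if [[ -z "${SIGNING_KEY_ARN:-}" ]]; then
    printf 'SIGNING_KEY_ARN not set, running without a key\n' >&2
    export KEY_AVAILABLE=false
else
    load_signing_key
fi

# Execute remaining commands as a child process, deliberately not via 'exec':
# the script must outlive the subcommand so the EXIT trap can wipe the
# temporary keyring.  The script's exit status is the subcommand's.
printf 'Running: %s\n' "$*" >&2
"$@"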
