author | Dave Heller <hellerda@linux.vnet.ibm.com> | 2018-01-21 18:59:10 -0500 |
---|---|---|
committer | Dave Heller <hellerda@linux.vnet.ibm.com> | 2018-01-21 18:59:10 -0500 |
commit | be30b66c24e981fc4a8c5f998657e256677e6690 (patch) | |
tree | 14acdd3c0fe01e9659dacba27ccd52a3d955159a | |
parent | 5a193d760b2a1d685a3ec97cef3fddc7b6326323 (diff) | |
Add bulkSign.sh for independent mode
A helper script to handle a batch of signing requests, in stand-alone
operation, to be signed with the same set of keys. Useful for handling
the multiple signing requests exported by op-build in independent mode.
Signed-off-by: Dave Heller <hellerda@linux.vnet.ibm.com>
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | Makefile.lite | 4 | ||||
-rwxr-xr-x | bulkSign.sh | 120 |
3 files changed, 123 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am
index 466d9e3..58e99e8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -27,7 +27,7 @@ ACLOCAL_AMFLAGS = -I m4
 bin_PROGRAMS = create-container print-container hashkeys
-dist_bin_SCRIPTS = crtSignedContainer.sh sign-with-local-keys.sh
+dist_bin_SCRIPTS = bulkSign.sh crtSignedContainer.sh sign-with-local-keys.sh
 EXTRA_DIST = ccan container.c
diff --git a/Makefile.lite b/Makefile.lite
index c83f6f4..b52b51c 100644
--- a/Makefile.lite
+++ b/Makefile.lite
@@ -18,9 +18,9 @@ bindir = $(exec_prefix)/bin
 install:
 cp create-container print-container hashkeys "$(bindir)"
- cp crtSignedContainer.sh sign-with-local-keys.sh "$(bindir)"
+ cp bulkSign.sh crtSignedContainer.sh sign-with-local-keys.sh "$(bindir)"
 uninstall:
 cd "$(bindir)" && $(RM) create-container print-container hashkeys
- cd "$(bindir)" && $(RM) crtSignedContainer.sh sign-with-local-keys.sh
+ cd "$(bindir)" && $(RM) bulkSign.sh crtSignedContainer.sh sign-with-local-keys.sh
diff --git a/bulkSign.sh b/bulkSign.sh
new file mode 100755
index 0000000..90fc228
--- /dev/null
+++ b/bulkSign.sh
@@ -0,0 +1,120 @@
+#!/bin/bash
+#
+# Script to handle signing requests in bulk.
+# Intended for stand-alone independent mode signing.
+#
+
+# Defaults, initial values
+P=${0##*/}
+
+DEBUG_ARGS=""
+
+RC=0
+
+#
+# Functions
+#
+usage () {
+ echo ""
+ echo " Options:"
+ echo " -h, --help display this message and exit"
+ echo " -v, --verbose show verbose output"
+ echo " -d, --debug show additional debug output"
+ echo " -w, --wrap column to wrap long output in verbose mode"
+ echo " -a, --hwKeyA file containing HW key A private key in PEM format"
+ echo " -b, --hwKeyB file containing HW key B private key in PEM format"
+ echo " -c, --hwKeyC file containing HW key C private key in PEM format"
+ echo " -p, --swKeyP file containing SW key P private key in PEM format"
+ echo " -q, --swKeyQ file containing SW key Q private key in PEM format"
+ echo " -r, --swKeyR file containing SW key R private key in PEM format"
+ echo " --archiveOut file or directory to write archive (tarball) of artifacts"
+ echo " if directory, must end in '/'. for PWD, use '.'"
+ echo " --archiveIn directory holding signing request archive files"
+ echo " value, or filename containing value, of the HW Keys hash"
+ echo ""
+ exit 1
+}
+
+die () {
+ echo "$P: $*" 1>&2
+ exit 1
+}
+
+is_cmd_available () {
+ command -v "$1" &>/dev/null
+}
+
+#
+# Main
+#
+
+# Convert long options to short
+for arg in "$@"; do
+ shift
+ case "$arg" in
+ "--help") set -- "$@" "-h" ;;
+ "--verbose") set -- "$@" "-v" ;;
+ "--debug") set -- "$@" "-d" ;;
+ "--wrap") set -- "$@" "-w" ;;
+ "--hwKeyA") set -- "$@" "-a" ;;
+ "--hwKeyB") set -- "$@" "-b" ;;
+ "--hwKeyC") set -- "$@" "-c" ;;
+ "--swKeyP") set -- "$@" "-p" ;;
+ "--swKeyQ") set -- "$@" "-q" ;;
+ "--swKeyR") set -- "$@" "-r" ;;
+ "--archiveIn") set -- "$@" "-6" ;;
+ "--archiveOut") set -- "$@" "-7" ;;
+ *) set -- "$@" "$arg"
+ esac
+done
+
+# Process command-line arguments
+while getopts -- ?hdvw:a:b:c:p:q:r:6:7: opt
+do
+ case "${opt:?}" in
+ v) SB_VERBOSE="TRUE";;
+ d) SB_DEBUG="TRUE";;
+ w) SB_WRAP="$OPTARG";;
+ a) HW_KEY_A="$OPTARG";;
+ b) HW_KEY_B="$OPTARG";;
+ c) HW_KEY_C="$OPTARG";;
+ p) SW_KEY_P="$OPTARG";;
+ q) SW_KEY_Q="$OPTARG";;
+ r) SW_KEY_R="$OPTARG";;
+ 6) SB_ARCHIVE_IN="$OPTARG";;
+ 7) SB_ARCHIVE_OUT="$OPTARG";;
+ h|\?) usage;;
+ esac
+done
+
+# Check required programs
+for p in crtSignedContainer.sh create-container print-container
+do
+ is_cmd_available $p || \
+ die "Required command \"$p\" not available or not found in PATH"
+done
+
+#
+# Set arguments for (program) execution
+#
+test "$SB_VERBOSE" && DEBUG_ARGS=" -v"
+test "$SB_DEBUG" && DEBUG_ARGS="$DEBUG_ARGS -d"
+test "$SB_WRAP" && DEBUG_ARGS="$DEBUG_ARGS -w $SB_WRAP"
+
+#
+# Bulk-sign all requests in the specified directory
+#
+cd "$SB_ARCHIVE_IN" || die "Cannot cd to $SB_ARCHIVE_IN"
+
+for f in *.tgz
+do
+ label="$(echo "$f" | cut -d '.' -f1 | cut -d '_' -f3-)"
+ echo "Handling signing request \"$f\" with label: $label"
+ crtSignedContainer.sh -m independent \
+ -a "$HW_KEY_A" -b "$HW_KEY_B" -c "$HW_KEY_C" \
+ -p "$SW_KEY_P" -q "$SW_KEY_Q" -r "$SW_KEY_R" \
+ --archiveOut "$SB_ARCHIVE_OUT" --archiveIn "$f" \
+ --label "$label" $DEBUG_ARGS
+done
+
+exit $RC
|
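Review bot: A failed signing request is not reflected in the script's exit status: `RC` is set to 0 near the top and never changed, and the `crtSignedContainer.sh` call inside the `for f in *.tgz` loop is not checked, so `exit $RC` reports success even when one or more requests failed to sign; appending `|| RC=1` to the `--label "$label" $DEBUG_ARGS` line would let a batch caller detect the failure. The same loop processes the literal string `*.tgz` when the archive directory holds no matching file, so a guard such as `[[ -e "$f" ]] || continue` before the `label=` line (or `shopt -s nullglob` above the loop) is needed. The usage text also carries a stray line, `value, or filename containing value, of the HW Keys hash`, that follows `--archiveIn` but describes no option this script accepts; it looks like a copy-over from another script and should be dropped.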