mirror of
https://git.quad4.io/RNS-Things/MeshChatX.git
synced 2026-05-10 22:46:54 +00:00
Ivan
54 lines
1.7 KiB
Bash
Executable File
54 lines
1.7 KiB
Bash
Executable File
#!/bin/sh
|
|
# Create SLSA v1 cosign bundle attestations next to each release binary under DIR.
|
|
# Requires: cosign on PATH; COSIGN_KEY_PATH to cosign private key PEM; COSIGN_PASSWORD
|
|
# if the key is encrypted. Run from repository root so scripts/ci/slsa-predicate.py resolves.
|
|
# Cosign v3+: uses cosign-signing-config-no-rekor.json (no Rekor upload); verify with
|
|
# cosign verify-blob-attestation --insecure-ignore-tlog=true when using the repo public key.
|
|
#
|
|
# Usage: attest-release-assets.sh <directory>
|
|
set -eu
|
|
|
|
DIR="${1:?directory}"
|
|
KEY="${COSIGN_KEY_PATH:?set COSIGN_KEY_PATH}"
|
|
SCI_DIR="$(CDPATH= cd -- "$(dirname "$0")" && pwd)"
|
|
SIGNCFG="${SCI_DIR}/cosign-signing-config-no-rekor.json"
|
|
|
|
if [ ! -f "$KEY" ]; then
|
|
echo "attest-release-assets.sh: missing key file $KEY" >&2
|
|
exit 1
|
|
fi
|
|
if [ ! -f "$SIGNCFG" ]; then
|
|
echo "attest-release-assets.sh: missing signing config $SIGNCFG" >&2
|
|
exit 1
|
|
fi
|
|
|
|
PRED="$(mktemp "${TMPDIR:-/tmp}/slsa-pred.XXXXXX")"
|
|
trap 'rm -f "$PRED"' EXIT INT
|
|
|
|
python3 scripts/ci/slsa-predicate.py > "$PRED"
|
|
|
|
find "$DIR" -type f ! -name '*.cosign.bundle' ! -name '*.sha256' ! -name '*.intoto.jsonl' \
|
|
! -name 'builder-debug.yml' \
|
|
! -path '*/win-unpacked/*' \
|
|
! -path '*/linux-unpacked/*' \
|
|
! -path '*/mac-universal/*' \
|
|
! -path '*/mac-arm64/*' \
|
|
! -path '*/mac-x64/*' \
|
|
! -path '*/mac/*.app/*' \
|
|
! -path '*/mac/*.app' \
|
|
| while IFS= read -r f; do
|
|
case "$f" in
|
|
*/.git/*) continue ;;
|
|
esac
|
|
echo "attest: $f"
|
|
cosign attest-blob --yes \
|
|
--key "$KEY" \
|
|
--signing-config "$SIGNCFG" \
|
|
--predicate "$PRED" \
|
|
--type slsaprovenance1 \
|
|
--bundle "${f}.cosign.bundle" \
|
|
"$f" >/dev/null
|
|
done
|
|
|
|
echo "attest-release-assets.sh: done"
|