From 83ba0a3ed56661c17b06b11fcb91c72b94f5974b Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Wed, 1 Jul 2020 14:29:30 +0530
Subject: [PATCH] Improve how secrets and stored and used (#907)

---
 release/encrypt-secret.sh | 14 ++++++++++++++
 release/keystore.cipher | Bin 4336 -> 4336 bytes
 release/props.cipher | Bin 144 -> 144 bytes
 release/signing-setup.sh | 14 ++++++++------
 4 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100755 release/encrypt-secret.sh

diff --git a/release/encrypt-secret.sh b/release/encrypt-secret.sh
new file mode 100755
index 00000000..6d71c4bc
--- /dev/null
+++ b/release/encrypt-secret.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result
+# to the provided path. Yes it's very needy.
+
+INPUT_FILE=$1
+OUTPUT_FILE=$2
+ENCRYPT_KEY=$3
+
+if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
+openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}"
+else
+echo "Usage: ./encrypt-secret.sh "
+fi
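Review bot: The passphrase is handed to openssl on its command line (`-k "${ENCRYPT_KEY}"`), so it is readable from the process list by any other user on the host for the duration of the call; the decrypt loop in the release/signing-setup.sh hunk has the same pattern. Both scripts already receive the key as a positional argument, so the exposure begins at the script's own argv; reading it from the environment and passing `-pass env:ENCRYPT_KEY` (or feeding it via `-pass stdin`) is the form that keeps it out of `ps` on a CI runner. Separately, the usage branch prints to stdout and the script then falls off the end with status 0, so a caller that forgot an argument sees a successful step with no output file; sending the message to stderr with `>&2` and following it with `exit 1` makes the mistake visible. The script also does not check the status of the openssl call, so an encryption failure is likewise reported as success.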
diff --git a/release/keystore.cipher b/release/keystore.cipher index 269ed5efe2445d1ca4c40a9c8d6b33ae2c6820ea..900e3685bb9e7eca38511bc1f54e4e4e155e0270 100644 GIT binary patch literal 4336 zcmV&2#H=G>>fM8i4uR_S;0qJnYO7d6A_AraIz>kyQGcGZVm2KYZHR( zK0OU^<tPh^0b4&-CP7D$5UF>bfgw!pS@>JobhC4W}cSl2u$|Ha42rm=b zkoqO%0;*QD6$Q6oDC5r9=mZgs6vEPvruoCqC)TLfQ9RQA;P*N4YA z`GS6OW*4hQsZsl>sS+Ox(~>FKa}=afF^D^r(PK1v4ucX%s7@RKTs6+ZEv`#;7eKd z&9nH#SQ8V7Fu8bbZ626KT=0cN+C2BrE@LwMB_R@EY`eMiF)ruY=~|0_$*!55w$vyF zB!kWj0of|AC~@`0tJ*}0NMjv_2;$mEe54}~yQtqfGfqDLvo5Z%uQf=7frz|q(!AL~ z`2yo8H6B(^Z_7u=$2=w;X#{fbvw;>a7XXq0qf;w3n(Z($zu&n&Qd}{4QGq!Tcg8qj zmRR|_*MO}y&7yw=>(zu>p-npx+LFFUXN7}lgdEG0O~*aUB}Q!s5@%!c)!nVZPQIB5 z7T}FkRJB?muf;5lTJAOQ>C;6XUa#Dz-4b`41C#?DM_8g2#Xg;hI)L0;DWPlXoGMNS z4ljd%L<`TO!?ERsf{8HlAJ;5%6d_}&Z7EJS(o1ei!*oV!35Uw6IICGv*d&#+VPFld z#_ywzYfMunZLWhas#a0OPf5V9c2h0^5Dg3Ne0%!gSK+=9SzvhoqLfbU6s>i=g?l5q z!jwWq)oI%wo5!@S9Euei(hRxh!r4WKg8=1y~_WShj__ZzP7>W2{c#iQu&o9KwHzwsGwji+8X1 zbUSl`L%rjbQDSnHUJ^e8*25u431a=9vZ(>KBw^+lp~6<#5zi%Ma-7_=6=*HMw3!?_ zjNuBE&`}cj7%;<^w){z(H=RCG;~AK($lKN{?-TWOm@|!7hjJbu#_-0UL@9HouufzX zzu~VdWfk*dF7F6wPd!Z%-RBuZc%pirG4>O~iQ>%-H<|?N3~@l6w6ji81#|5w9wwt` zT5XrkwMM-IC1f?y;_GlZk(VvoE03|B}nC0UG966;)O|0 znIn{112*UydLF+8-<2D)vw?k0u=$$-DcHd}lQW!1e$W!J&rj7?W`=pRqz0tDaf|uU zgGi1D=Pk)Dw{nyY_eN6pvS4@XNZAjOkq0~mymyNPT4r~0o`T>&c8GV+d(0|i4BHkVohouInOP~>mY=nfc1%p!9IXRp^d%x6?TS6mk9?c;e zLtm9pYFdq}PNgvw0myk}#xM(R$W!Km#SmC}Rgtz!=aLRT5!~8&izLYhpD*1gEn&Jj zlOjnB#eQFAmT>(B0=n8q7f2Pe3Hz0w}k{&vf| z0WQ_z?BcZzh1OlHpXW<=xe=vqxb2Qb4|n}|?DnAl?WKwNyf+Od(H-t(GIxH3ZM`F! 
zsQQL^GPP_GG z7|V3}T{x22=uutTC(|q&k~+mP3N3?O4GC9j z@enn%%zOvlxlSk6*dq>Qaml72;itiNE?NQtglk^@l05|Ed5NqT`Xr?vyHo@ZiMdR;*!pH z7%PRfsuWJL4T*av-?HazXNI5Omfa)}2uc6fe4<7L?QQ`6KB|2sGAu~2_7ovcEmNoY zl#+ey*j!@q=W1noFVjVlVK4GOVnGFn4nWLE7Q;r}irC|iCs^RCM-I~09w0&u^a@b% zU-H_;5?;jaX;z5rXTA+FsRzh!p>v20aI*`DMG1LhlxBB@p=c)0R}$lj70l0HA2_sO znG*x_?`;kgG8*oZMmMeKb792Fhi0xGv~-Y04|Ufx&S@TYU6iF&&@wVD=culNnRwSLnm9l7_-m(>M>dJsk8R3`~OguJiw4S?_YHLziUp z0iMr)4KfgZCVC&Z7oDYr{oW<)*R0!VwIm+*Z6*@%{nQb1mG@-4Ojv1I2zhJALJ@Y^ z8Sw>FA`i$7N`m<>*`mwYqy!dhy|$)j!90{`S92CLYeW_bIc#BdWlT!-#hQ}wxrZ76*OOC#y6ZS9B>U>naON*zjz6MU zKAqk65LMF4G_;Y6xF|VsGf168fpn0Gh*Cvx>$&kv?5LYcrV{4lUiy0;Q2o3v4LY1^ z9K5AMy|14BO6R=l$QLLm`pceUsWnJoU2VQYlbjTJ6>HMVx;q{4etva5Ex+JnDc5qI z`1$+#Ib}N*GfmKRAEj9++>OQLyCn<`o$SR`tRRKikS-Aq9)V}`CJUvqfMw{4&wYD0 zzUo+!Hbifgv7CL-2~*6imFB>lysP;86tsRf*~Hys-n#DHseC-@TmHiOiNmV)0Vz!M zPQFeoK|}zz5HXpaj>$|%v?6fC9clN~F2@nJ*O)ec{(+a>Oar% ztr2o2y!~*1M}VW7-;Y4Oa6L`ni*`PVM!$~iDz~G+q&A`P-Ie7Ox*S~= z8PETHLDT{8w%T2?W`5E~aYJjk)G>n(8AoyEcxu}!j-Iw`YORPf@gw*aeJu%cns3{v7;e6A?aOi{j znkSSYJ+>UqI}F$pPAjD?L6KATnEDxsA1Cp9Btqhr!_R4 z=4bUrdBDkd6l)s4Se+CDD_XfQX&TW~|lzPM3PDZ3o4SN0q=&gvG zwM6%Xt_j|2SGY)4G~PzS^t$0CatM33Q_8>}t7nwarBSo@wE;Elo#uNrhYb9vxxAtT zR;EWjmfryX)od(gfs^)T(5oJR+Pz&}pwZTM*4^WTBN1vmENp`HIJz@9k}<_{K>t^_ z^C+Kuvvm6s{uJ&492+moNpTWy|kw17gRd>qTAW6`4G2VOS0?%*g` zPfHId8Rm1|`5TWQS#YP@fzDhrG7=PYPr!a9clna!4z~S#k=^}^TJO%f%5Y{y<8|7r-%(Fd^uZm5RC~BQ`kgnR@M-A~)lnE3WW+3W;a4Rs z;X1VlLoOnT7Z@H98k5KACg{F#hkS##_cAO(C^amEP6=$%{beV6O4HpTnPp8W`)f-E zIyx~ujZ9NRlV&Fxr2#SjqM^y+5>{y@E&0CkfJ;&DDe>$Sno{H?Ae04ohzWM_UE3eWSD0CMRa#Fj5i# literal 4336 zcmVOMOiL?K$e5#sp|P}Wpau(yw&F?_fnPD`{0 zL4>DOePU9B@6;q-t#`;7NQ1w7obzWgDr{4SeF0}ySB^T~B&<=pkMn76GMluQSA;`( zow6^*0G5MZ8S!t|3E}XSxqV-mI9SEdz5midR4*%_iL<0?SVom0$^zL*SgWodr&v#^ zRj(cu*@9pw5T18|ou*tT>aa=n*GsM8#J8$!-So;?M;pYT8Jl5p|AUOx_3DprR*?=WZHe`}4LSsAME_Doe6X zbLla7))R648wRESlrR(EHBI9krGseSjYxS5jVo2=L-H z^CL=PeZGEebZyGGm_iX@Wp&$4%r$ zW4T9te@q`8!f2I3&?=a`JqQQ-^#Jxfcs-ei)XPdi%V~WGB9gnZ)D5?!T~h@bjMvG6FwI1z 
z+r+anU|NX_ezSSUMmwn&6H-BK0>|D!J`j%;H&BxwQX#c*fY>Pa4g(17sSz4u(pg`6 zd}cC>!x%`v*A9~GrLKc9CgdDl!ed3aGcO-SS zJsV&!FUR5fA&wuR##pMLgflbB?}Ko4-_j^YR2gJm#@~~Ni(Z@{jOPLTBGZ|j{gnQF zf(4y1&_~L&@(pdIgzPPi2Q8wML6ybt)!8n{mB>WBu(mupTit|V%f3z#4l~MIbtJe9 z*x%nQ(FlTn;~BXx*>Zv31TcLrl*Bdn;Q0B-#Dl6l7IM}tD(x%8la_yGV^uKY0V+Z+ zI-=QCW@C(G)5s<1`h93QS}Y1{V5CRH^q>vCyR6<_bW#b1v3%Y@?LufWk$CbGen`N9 z6Sdb57DFC|_>4p$iseR!h~?UV9JGpa!|?d~f0pvpQ;HC@P0XPqI^yJ!fp&Iw=pz|> z%Br!nzXPFjSgM&!4ePHhHSZ7LUlZI=)Ej4~I>ltx#0RcNbqta94Tx#l?h&>9G>lE# z+@W(4Neboa@A>9WRrJ1%TyrB%yTGTr=e~*o+V`PCBb{2=KcE1E$1a0{W(Y6sV}d=e zxz7dvE&8Gsc1O$Sy^l;8r0YXnltpPRT6*MGt!8>665wDq|2*qR87s*2Uzg^iSssI{X$b;`v)J z8L%w|YTtK(Z?(ras}#BO@2fqITFt33a&=ybsbi( z{c377y_1|fAu=n4z*87_ZE?guwLgflp)nbQ% z^+NSwHxTdV{d4_UfxLhA=#M?Ac(?RGfbT43dTARG*Yc{i-NtbMVcT$R_RRZl$%}8~ zTq{wn5@ZEO1){@w+6$j&Q|xlbAw*MpNe?twOy2NdU-UAnQ+%_kv|O|7L%47r&4VL! zHU?*r6rKVS$E$L;MLcXtMQ|6`V(qC*Qh8D}~$-Xl+w60fr zIU-$yioW7fX{0LRM2Pzku(NC@D<=>)KPjk9xG?O|^DMYrbE7FU6J83-uWy-7kT}>0 zO#E%FJ9rbYgb#V5{8yM4D>e-kQpN`3#xD{evf5B}R%OV@wQS)j9VmGmdxyk}f`aNi zat%O3T;a_I6-|31Ut;ygEHm-3mtk?w+=|soRHWTH z{)r|75u=VWXkdaGz9X&(H?A4g(4y7-3}jXo;G(a)^{fh4`ybOz-?LB{R|Xvk?7qp~ zMhTc+n%U;aSi}ft7o94Lm|#%0A-+YBgaB+t&st|9#?@f*YKd%C50J(s?UAt9s-LHX zv%9+xa#%@2f^Wfi`oE?h5rYQH2wW=h=b-UFK8=T!_9zZ_s-l>1Jo2Z(O@(RNzW!_$ z-rl`)K*}#_`>xU}Yqx3Y39uI4d-a+1K|tw;ZU$|BD3hTY#RaK8{5#dtalA~rNdd7& zLZCuHpdD)5_ORe{l+)LInBOZ`{h`Ht7e@9GUl^q0RHdR4XaE<;`;^KeUem*j7FLTY#OKh#OZh z&Oof_*IghlURB-7;N7-#6LG?3;t*G!LbOyd@U;nDar_oI!P^4|sM%&b`j}uZ5Y`Ni zl+0YxK0Y~#s6@_z-*Ee(>t|B9>a=L1^Ol>>(AR3ce7bb~zpl`-$V*^=qwXkwq=mk^ z9BzlXS(9S>Igw5Y3G*t8XyFjCd_kI;o8r*fdT~msqmtx?rN~2zxH$smwk56G188Y1 zPdz7v9TiXceA~pEDw5kH02OlNDA?$_bdC|rBUns0$m^s#yLU3KX-9eK?f8PkPxV^5 zF!gi`9< z0pjTR_!&rK;`hD~sr?k5{Y2#htKx@BahpLRA(fX_SiAHD%|QpCfMLW2rA1nhp`~VY znKgWreE>U(z9{B6>F9>WSS|#4)M{&A8y`}$|8-~G0o>9(*!aH4D8v!*Q)pz!B9lZ4 z=+H{==@ohaa?DrJv6c~sJo4MV8EPsj%vUwtOUsRF0LP#$ia2Uf4ri3NmYNC>Vr{Ug&o76{AT9T_5~$BBbjauf zB+fwH=CU9K6l)r~MqTududl?Ir(?+Bg*<(FfU&``!Iexp9Hywh03YE0r@z+o-5OX_ 
zoQZEQ^_a%8StQm%y3OCVKaV6&9e7$_Y}>2+(XyFdY=YNouxSM$m?{zxzY|dyhuUZD zNWf4Ta;md<{E(vhbbDchyWW(k!7)4UG2&(iyY6v=OF8i;5lz*kVLLZ5b6AHR6GOpn z%#O@n@1h3`4es2etNghLe!;_%gGgRN)Fs_DMfPgNT6aC4wd9`udM+Ki8!dpK%92Vj zj)T|}SZAk_|5}@ClVQk%gWHKQRm=)>lwU{TWV?jn(AuaJmdUh4eSquCwZD`HRwYN& zr)!97T?u3A_ioyYKJ9_=itaQ_S(2PBKRkuSq?-CI!#>SrU2_?y+0BI|LY$ zDEiMG$lGw6WwAOAj*}#-^~l}(=VTI(%^i=n@Qc!s#L)eB!t+v^ABfx|GKfhn&YOrJ zDh+zdf61Og=JuflC;~%&Hj7T6mZDk;|I4|V}+9o<=zlk znb_5$s3XAoC0W}JV3}$u3iqxx(NC-1PD6~k>)GOT&>>c6s&-$qx5qhXPVNF6(wm64 z;JOF4WzC!qhr(k!PQ}~Vn+9_cO%J#!Ccp`-5@2iJUe0a~(B=0hPTZam@0IQ>ZmrNn z^1qdtUDESi90V6v?y1$q{zcaV-(nz_5gd2>24Z!_jUU&)QIsLqI;M*1y1BSh4n@k+tM*?&%IC@083^s z^aNw##{?eWSB>4*NEX~OyqiyYEwHq)>_p7i{MY-}UvCRxF%)57M93Ly(}5ur4XOl6 z2LE)!U4nYtO!qxP>0NVUmP*{Ivl0$t1ORbKdjNb?us}WxZDI{tJNwt6s-INBk=hdz ztcY{hSMmc!ThJ>9{l@x9$JPXEEfr2rq-KGmm3|hlSH*Q+&j!)ul2D`#kYg~Jt1f;yiVXiAwS+n|f7 eLwW{NN9Mm)jEb&X&e@h&Vz0r)TFt;A9L3_&jDXw# diff --git a/release/props.cipher b/release/props.cipher index 986eab147912976b791827e4b069231e92e73625..4ea92b1b0d738a6b885576ba543c6c2bedba67d2 100644 GIT binary patch literal 144 zcmV;B0B`?OVQh3|WM5y9g%Y(D?^*4^IH=mQ#=yzG^#ecV4Iwm^e_~X0Sm`(iNe)-$ z+;ro70~^xh##YdI;}U)+y*#JgD4=)aiYifeVh{971cxYze;gP0z}?d6HM3_1rh!r^ ym7Z|H0LpqO3#w|9p$9BdFME~k(`bcuRK|PAY|YK0t?ZO3=Amnj%Fn0=O^2D(Do1Jn literal 144 zcmV;B0B`?OVQh3|WM5z6g7-AKu+xB;eoxeDfC`b8awasJS>GO`y49U^i$s1>E2YtM zvnTWopIgB9b%)ch+84V@mJX)rpIg}+>x{oXi{+~1V|#swn;I}%u~UA#IVxT(zs&@;A6d8=1esJ diff --git a/release/signing-setup.sh b/release/signing-setup.sh index b60902ee..896a78b0 100755 --- a/release/signing-setup.sh +++ b/release/signing-setup.sh 
@@ -2,12 +2,14 @@
 ENCRYPT_KEY=$1
 
-if [[ -n "$ENCRYPT_KEY" ]]; then
- # Decrypt Release key
- openssl enc -aes-256-cbc -md sha256 -d -in release/keystore.cipher -out keystore.jks -k "${ENCRYPT_KEY}"
+declare -A SECRETS
+SECRETS[release/keystore.cipher]=keystore.jks
+SECRETS[release/props.cipher]=keystore.properties
 
- # Decrypt signing config
- openssl enc -aes-256-cbc -md sha256 -d -in release/props.cipher -out keystore.properties -k "${ENCRYPT_KEY}"
+if [[ -n "$ENCRYPT_KEY" ]]; then
+ for src in "${!SECRETS[@]}"; do
+ openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
+ done
 else
- echo "ENCRYPT_KEY is empty"
+ echo "Usage: ./signing-setup.sh "
 fi
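Review bot: A failed decryption does not fail the script: nothing in the hunk checks the status of the openssl call inside the loop, so a wrong key or a missing cipher file leaves keystore.jks or keystore.properties absent or truncated while the loop moves on and the script exits 0, and the usage branch likewise returns 0. Appending `|| exit 1` to the openssl line (or adding `set -euo pipefail` near the top of the file, which lies outside this hunk) and ending the else branch with `exit 1` after the usage message makes a signing-setup failure stop the release job instead of surfacing later as an unsigned build. The new `-pbkdf2` flag changes the key derivation, so the cipher files must have been re-encrypted with the same option; the binary updates in this patch suggest that was done, but the hunk itself cannot show it. The hunk starts at line 2 of the file, so the shebang and any options before it are outside view.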