Improve how secrets and stored and used (#907)
parent
f49d9c35e6
commit
83ba0a3ed5
4 changed files with 22 additions and 6 deletions
14
release/encrypt-secret.sh
Executable file
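--- a/release/encrypt-secret.sh
+++ b/release/encrypt-secret.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result
+# to the provided path. Yes it's very needy.
+
+INPUT_FILE=$1
+OUTPUT_FILE=$2
+ENCRYPT_KEY=$3
+
+if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
+openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}"
+else
+echo "Usage: ./encrypt-secret.sh <input file> <output file> <encryption key>"
+fi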
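Review bot: The encryption key reaches `openssl` as a command-line argument (`-k "${ENCRYPT_KEY}"`, fed from `$3`), so it is readable by other local users through the process list and can end up in shell history or CI step logs. Prefer taking it from an exported environment variable or a file and passing `-pass env:ENCRYPT_KEY` (or `-pass file:<path>`) instead; the same `-k` usage appears in the decryption loop of the signing-setup hunk further down. Separately, the `else` branch prints usage to stdout and exits 0, so a caller cannot tell that nothing was encrypted; `echo "Usage: …" >&2; exit 1` would make that failure visible.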
Binary file not shown.
Binary file not shown.
|
@ -2,12 +2,14 @@
|
||||||
|
|
||||||
ENCRYPT_KEY=$1
|
ENCRYPT_KEY=$1
|
||||||
|
|
||||||
if [[ -n "$ENCRYPT_KEY" ]]; then
|
declare -A SECRETS
|
||||||
# Decrypt Release key
|
SECRETS[release/keystore.cipher]=keystore.jks
|
||||||
openssl enc -aes-256-cbc -md sha256 -d -in release/keystore.cipher -out keystore.jks -k "${ENCRYPT_KEY}"
|
SECRETS[release/props.cipher]=keystore.properties
|
||||||
|
|
||||||
# Decrypt signing config
|
if [[ -n "$ENCRYPT_KEY" ]]; then
|
||||||
openssl enc -aes-256-cbc -md sha256 -d -in release/props.cipher -out keystore.properties -k "${ENCRYPT_KEY}"
|
for src in "${!SECRETS[@]}"; do
|
||||||
|
openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
|
||||||
|
done
|
||||||
else
|
else
|
||||||
echo "ENCRYPT_KEY is empty"
|
echo "Usage: ./signing-setup.sh <encryption key>"
|
||||||
fi
|
fi
|
||||||
|
|
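Review bot: A failed decryption inside `for src in "${!SECRETS[@]}"` is never checked, so a wrong key or a corrupted `.cipher` file can leave a partial `keystore.jks` or `keystore.properties` behind while the loop moves on; because associative-array iteration order is unspecified, the script's exit status reflects only whichever entry happened to run last. Appending `|| exit 1` to the `openssl enc … -d` line would stop at the first failure (the hunk starts at line 2, so whether `set -e` is already set at the top of the file is not visible here). The decrypted keystore and properties are also created under the default umask; a `umask 077` before the loop would keep them owner-only on shared build hosts. The new usage message in the `else` branch still exits 0, so a missing key does not fail the build step; `echo "Usage: …" >&2; exit 1` would.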