Improve how secrets and stored and used (#907)

This commit is contained in:
Harsh Shandilya 2020-07-01 14:29:30 +05:30 committed by GitHub
parent f49d9c35e6
commit 83ba0a3ed5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 22 additions and 6 deletions

14
release/encrypt-secret.sh Executable file
View file

@ -0,0 +1,14 @@
#!/usr/bin/env bash
# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result
# to the provided path. Yes it's very needy.
INPUT_FILE=$1
OUTPUT_FILE=$2
ENCRYPT_KEY=$3
if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}"
else
echo "Usage: ./encrypt-secret.sh <input file> <output file> <encryption key>"
fi

Binary file not shown.

Binary file not shown.

View file

@ -2,12 +2,14 @@
ENCRYPT_KEY=$1
if [[ -n "$ENCRYPT_KEY" ]]; then
# Decrypt Release key
openssl enc -aes-256-cbc -md sha256 -d -in release/keystore.cipher -out keystore.jks -k "${ENCRYPT_KEY}"
declare -A SECRETS
SECRETS[release/keystore.cipher]=keystore.jks
SECRETS[release/props.cipher]=keystore.properties
# Decrypt signing config
openssl enc -aes-256-cbc -md sha256 -d -in release/props.cipher -out keystore.properties -k "${ENCRYPT_KEY}"
if [[ -n "$ENCRYPT_KEY" ]]; then
for src in "${!SECRETS[@]}"; do
openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
done
else
echo "ENCRYPT_KEY is empty"
echo "Usage: ./signing-setup.sh <encryption key>"
fi