Improve how secrets and stored and used (#907)
parent
f49d9c35e6
commit
83ba0a3ed5
4 changed files with 22 additions and 6 deletions
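--- a/release/encrypt-secret.sh
+++ b/release/encrypt-secret.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result
+# to the provided path. Yes it's very needy.
+
+INPUT_FILE=$1
+OUTPUT_FILE=$2
+ENCRYPT_KEY=$3
+
+if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
+openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}"
+else
+echo "Usage: ./encrypt-secret.sh <input file> <output file> <encryption key>"
+fi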
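Review bot: The passphrase reaches openssl through `-k "${ENCRYPT_KEY}"` and reaches this script as `$3`, so it sits in the argument list of both processes, where the process table exposes it and shell history or CI command echo may record it. Reading it from the environment avoids that, e.g. `openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -pass env:ENCRYPT_KEY`, with `ENCRYPT_KEY` exported by the caller rather than passed as the third argument. The decrypt loop in the signing-setup script further down this page uses the same `-k` form and would need the same change. The usage branch also ends with exit status 0; adding `exit 1` after the `echo` (and sending the message to stderr with `>&2`) lets a caller detect a bad invocation.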
Binary file not shown.
Binary file not shown.
|
@ -2,12 +2,14 @@
|
|||
|
||||
ENCRYPT_KEY=$1
|
||||
|
||||
if [[ -n "$ENCRYPT_KEY" ]]; then
|
||||
# Decrypt Release key
|
||||
openssl enc -aes-256-cbc -md sha256 -d -in release/keystore.cipher -out keystore.jks -k "${ENCRYPT_KEY}"
|
||||
declare -A SECRETS
|
||||
SECRETS[release/keystore.cipher]=keystore.jks
|
||||
SECRETS[release/props.cipher]=keystore.properties
|
||||
|
||||
# Decrypt signing config
|
||||
openssl enc -aes-256-cbc -md sha256 -d -in release/props.cipher -out keystore.properties -k "${ENCRYPT_KEY}"
|
||||
if [[ -n "$ENCRYPT_KEY" ]]; then
|
||||
for src in "${!SECRETS[@]}"; do
|
||||
openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
|
||||
done
|
||||
else
|
||||
echo "ENCRYPT_KEY is empty"
|
||||
echo "Usage: ./signing-setup.sh <encryption key>"
|
||||
fi
|
||||
|
|
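Review bot: Nothing in the new `for src in "${!SECRETS[@]}"` loop checks whether `openssl enc -d` succeeded, so a wrong key, or a cipher file that was not produced with `-pbkdf2`, leaves an incomplete or garbage `keystore.jks` / `keystore.properties` and the script carries on; the `else` branch likewise ends with status 0. Appending `|| exit 1` to the openssl line and adding `exit 1` after the usage `echo` would stop the build at the point of failure. The decrypted keystore and properties are written to the working directory with the default umask; a `umask 077` before the loop would keep them private to the build user, and it is worth confirming both outputs are git-ignored, which this page does not show. `declare -A` needs bash 4 or later, and the script's first line is outside the hunk, so the interpreter it runs under should be confirmed.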