From 8b071e5a3cb13208b0fb6f2cb876301ab758f66c Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Wed, 30 May 2018 17:12:19 +0200
Subject: [PATCH 1/3] Add script to sign arbitrary files using the key stored in Secrets Manager
---
 sign.sh | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100755 sign.sh
diff --git a/sign.sh b/sign.sh
new file mode 100755
index 0000000000000..8b03ed7f1b92e
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ "${1:-}" == "" ]]; then
+ echo "Usage: sign.sh FILE" >&2
+ exit 1
+fi
+
+
+tmpdir=$(mktemp -d)
+trap "shred $tmpdir/* && rm -rf $tmpdir" EXIT
+
+SECRET=CDK/SigningKey
+
+# Use secrets manager to obtain the key and passphrase into a JSON file
+echo "Retrieving key..." >&2
+aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt
+passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])")
+
+echo "Importing key..." >&2
+gpg --homedir $tmpdir --import <(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['PrivateKey'])")
+
+echo "Signing $1..." >&2
+echo $passphrase | gpg \
+ --homedir $tmpdir \
+ --local-user aws-cdk@amazon.com \
+ --batch --yes \
+ --passphrase-fd 0 \
+ --output $1.sig \
+ --detach-sign $1
+
+echo "Done!" >&2
From be15422d8ed1d48483619739cfd8cf0db58c0a1a Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Wed, 30 May 2018 17:43:58 +0200
Subject: [PATCH 2/3] Update to use new secret naming scheme so we can have multiple keys
---
 sign.sh | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/sign.sh b/sign.sh
index 8b03ed7f1b92e..f7498117650a4 100755
--- a/sign.sh
+++ b/sign.sh
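Review bot: The cleanup trap `shred $tmpdir/* && rm -rf $tmpdir` can leave the imported private key on disk: on GnuPG 2.1 or newer, `gpg --homedir $tmpdir --import` stores the secret key under a subdirectory (`private-keys-v1.d/`), `shred` does not process directories and exits non-zero on them, and the `&&` then skips the `rm -rf`, so the whole homedir survives the script. Shred files recursively and run the removal unconditionally, e.g. `trap 'find "$tmpdir" -type f -exec shred -u -- {} + ; rm -rf -- "$tmpdir"' EXIT`, and on a 2.1+ install consider `gpgconf --homedir "$tmpdir" --kill gpg-agent` first, since the agent started for that homedir holds the key and cached passphrase after the script exits. Separately, `echo $passphrase | gpg` is unquoted, so a passphrase containing whitespace or glob characters is altered by word-splitting before gpg reads it; `printf '%s\n' "$passphrase" | gpg` passes it through byte-for-byte.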
@@ -1,8 +1,10 @@
 #!/bin/bash
 set -euo pipefail
 
-if [[ "${1:-}" == "" ]]; then
- echo "Usage: sign.sh FILE" >&2
+if [[ "${2:-}" == "" ]]; then
+ echo "Usage: sign.sh ARTIFACTTYPE FILE [FILE...]" >&2
+ echo "">&2
+ echo "Creates detached signature as FILE.sig." >&2
  exit 1
 fi
 
@@ -10,23 +12,26 @@ fi
 tmpdir=$(mktemp -d)
 trap "shred $tmpdir/* && rm -rf $tmpdir" EXIT
 
-SECRET=CDK/SigningKey
+SECRET=CDK/$1/SigningKey
 
 # Use secrets manager to obtain the key and passphrase into a JSON file
-echo "Retrieving key..." >&2
+echo "Retrieving key $SECRET..." >&2
 aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt
 passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])")
 
 echo "Importing key..." >&2
 gpg --homedir $tmpdir --import <(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['PrivateKey'])")
 
-echo "Signing $1..." >&2
-echo $passphrase | gpg \
- --homedir $tmpdir \
- --local-user aws-cdk@amazon.com \
- --batch --yes \
- --passphrase-fd 0 \
- --output $1.sig \
- --detach-sign $1
+while [[ "${2:-}" != "" ]]; do
+ echo "Signing $2..." >&2
+ echo $passphrase | gpg \
+ --homedir $tmpdir \
+ --local-user aws-cdk@amazon.com \
+ --batch --yes \
+ --passphrase-fd 0 \
+ --output $2.sig \
+ --detach-sign $2
+ shift
+done
 
 echo "Done!" >&2
From c79b719f99fb2583e337a4f1af3dc913d5f2949c Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Thu, 31 May 2018 14:56:19 +0200
Subject: [PATCH 3/3] Remove region, use NodeJS instead of Python to pick apart the JSON
---
 sign.sh | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/sign.sh b/sign.sh
index f7498117650a4..d409663abe09f 100755
--- a/sign.sh
+++ b/sign.sh
@@ -8,7 +8,6 @@ if [[ "${2:-}" == "" ]]; then
  exit 1
 fi
 
-
 tmpdir=$(mktemp -d)
 trap "shred $tmpdir/* && rm -rf $tmpdir" EXIT
 
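Review bot: `--output $2.sig` and `--detach-sign $2` in the new `while` loop are unquoted, so a file path containing whitespace or glob characters is word-split and globbed before gpg sees it, and with `set -u` plus `--yes` the result is either a confusing gpg error or a signature written for the wrong name; quote them as `--output "$2.sig" \` and `--detach-sign "$2"`. The loop also stops at the first empty argument rather than at the end of the list, which `for artifact in "${@:2}"; do … done` would avoid without the `shift`. `SECRET=CDK/$1/SigningKey` takes the artifact type verbatim from the command line and it decides which key is fetched, so a whitelist before the lookup, e.g. `[[ "$1" =~ ^[A-Za-z0-9_-]+$ ]] || exit 1`, would keep a typo or a stray path fragment from being sent to Secrets Manager as part of the secret id.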
@@ -16,11 +15,16 @@ SECRET=CDK/$1/SigningKey
 
 # Use secrets manager to obtain the key and passphrase into a JSON file
 echo "Retrieving key $SECRET..." >&2
-aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt
-passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])")
+aws secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt
+
+value-from-secret() {
+ node -e "console.log(JSON.parse(require('fs').readFileSync('$tmpdir/secret.txt', { encoding: 'utf-8' })).$1)"
+}
+
+passphrase=$(value-from-secret Passphrase)
 
 echo "Importing key..." >&2
-gpg --homedir $tmpdir --import <(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['PrivateKey'])")
+gpg --homedir $tmpdir --import <(value-from-secret PrivateKey)
 
 while [[ "${2:-}" != "" ]]; do
  echo "Signing $2..." >&2
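Review bot: `value-from-secret` splices `$1` and `$tmpdir` into the `node -e` program text, so they are evaluated as JavaScript rather than handed over as data, and a field that is absent from the secret JSON prints `undefined` with exit status 0 — `set -e` does not trip and `passphrase` silently becomes the literal string `undefined`, which only surfaces later as a gpg passphrase failure. Both call sites in this hunk pass fixed field names, so this is a robustness gap rather than an injection, but passing the path and field name through `process.argv` and failing on a missing field makes the failure explicit and keeps the shell values out of the program source. The rewritten function below keeps the same name and output (value followed by a newline), so the two callers in the hunk need no change.
```shell
value-from-secret() {
  # File path and field name travel as argv, not as JavaScript source; a missing field is fatal.
  node -e '
    const doc = JSON.parse(require("fs").readFileSync(process.argv[1], { encoding: "utf-8" }));
    const value = doc[process.argv[2]];
    if (value === undefined) { console.error("secret has no field " + process.argv[2]); process.exit(1); }
    console.log(value);
  ' "$tmpdir/secret.txt" "$1"
}
```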