authorHarsh Shandilya <msfjarvis@gmail.com>2020-07-01 14:29:30 +0530
committerGitHub <noreply@github.com>2020-07-01 14:29:30 +0530
commit83ba0a3ed56661c17b06b11fcb91c72b94f5974b (patch)
tree49711bc817827b9a15c5d46e0d6dc5531e231b98
parentf49d9c35e68faafe01f475f7a7525fbed31838db (diff)
Improve how secrets and stored and used (#907)
-rwxr-xr-xrelease/encrypt-secret.sh14
-rw-r--r--release/keystore.cipherbin4336 -> 4336 bytes
-rw-r--r--release/props.cipherbin144 -> 144 bytes
-rwxr-xr-xrelease/signing-setup.sh14
4 files changed, 22 insertions, 6 deletions
diff --git a/release/encrypt-secret.sh b/release/encrypt-secret.sh
new file mode 100755
index 00000000..6d71c4bc
--- /dev/null
+++ b/release/encrypt-secret.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result
+# to the provided path. Yes it's very needy.
+
+INPUT_FILE=$1
+OUTPUT_FILE=$2
+ENCRYPT_KEY=$3
+
+if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
+ openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}"
+else
+ echo "Usage: ./encrypt-secret.sh <input file> <output file> <encryption key>"
+fi
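Review bot: The encryption key is taken as the third positional argument and handed to openssl with `-k "${ENCRYPT_KEY}"`, so it sits on the command line of both this script and the openssl child, where it can show up in process listings and shell history. Reading the key from the environment and passing `-pass env:ENCRYPT_KEY` (with the variable exported) keeps it off argv; the same applies to the `-k` call in release/signing-setup.sh. The usage branch also prints to stdout and falls through with status 0, so a caller cannot tell that nothing was encrypted; `echo "Usage: ..." >&2; exit 1` would make that failure visible.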
diff --git a/release/keystore.cipher b/release/keystore.cipher
index 269ed5ef..900e3685 100644
--- a/release/keystore.cipher
+++ b/release/keystore.cipher
Binary files differ
diff --git a/release/props.cipher b/release/props.cipher
index 986eab14..4ea92b1b 100644
--- a/release/props.cipher
+++ b/release/props.cipher
Binary files differ
diff --git a/release/signing-setup.sh b/release/signing-setup.sh
index b60902ee..896a78b0 100755
--- a/release/signing-setup.sh
+++ b/release/signing-setup.sh
@@ -2,12 +2,14 @@
ENCRYPT_KEY=$1
-if [[ -n "$ENCRYPT_KEY" ]]; then
- # Decrypt Release key
- openssl enc -aes-256-cbc -md sha256 -d -in release/keystore.cipher -out keystore.jks -k "${ENCRYPT_KEY}"
+declare -A SECRETS
+SECRETS[release/keystore.cipher]=keystore.jks
+SECRETS[release/props.cipher]=keystore.properties
- # Decrypt signing config
- openssl enc -aes-256-cbc -md sha256 -d -in release/props.cipher -out keystore.properties -k "${ENCRYPT_KEY}"
+if [[ -n "$ENCRYPT_KEY" ]]; then
+ for src in "${!SECRETS[@]}"; do
+ openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
+ done
else
- echo "ENCRYPT_KEY is empty"
+ echo "Usage: ./signing-setup.sh <encryption key>"
fi
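Review bot: Nothing in the new loop checks openssl's exit status, so if one entry fails to decrypt (wrong key, or a cipher file that was produced without `-pbkdf2`) the loop carries on and the script can still exit 0 when the last entry succeeds, possibly leaving a partial output file behind. Appending `|| exit 1` to the openssl line makes the failure visible to the calling CI step, and the usage branch should likewise end with `exit 1`. The decrypted `keystore.jks` and `keystore.properties` are created with the caller's default umask; a `umask 077` before the loop would keep them readable only by the owner. `declare -A` needs bash 4 or later, and the shebang is outside this hunk, so confirm the script is always run under bash.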