From 83ba0a3ed56661c17b06b11fcb91c72b94f5974b Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Wed, 1 Jul 2020 14:29:30 +0530 Subject: Improve how secrets and stored and used (#907) --- release/encrypt-secret.sh | 14 ++++++++++++++ release/keystore.cipher | Bin 4336 -> 4336 bytes release/props.cipher | Bin 144 -> 144 bytes release/signing-setup.sh | 14 ++++++++------ 4 files changed, 22 insertions(+), 6 deletions(-) create mode 100755 release/encrypt-secret.sh (limited to 'release') diff --git a/release/encrypt-secret.sh b/release/encrypt-secret.sh new file mode 100755 index 00000000..6d71c4bc --- /dev/null +++ b/release/encrypt-secret.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash + +# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result +# to the provided path. Yes it's very needy. + +INPUT_FILE=$1 +OUTPUT_FILE=$2 +ENCRYPT_KEY=$3 + +if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then + openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}" +else + echo "Usage: ./encrypt-secret.sh " +fi diff --git a/release/keystore.cipher b/release/keystore.cipher index 269ed5ef..900e3685 100644 Binary files a/release/keystore.cipher and b/release/keystore.cipher differ diff --git a/release/props.cipher b/release/props.cipher index 986eab14..4ea92b1b 100644 Binary files a/release/props.cipher and b/release/props.cipher differ diff --git a/release/signing-setup.sh b/release/signing-setup.sh index b60902ee..896a78b0 100755 --- a/release/signing-setup.sh +++ b/release/signing-setup.sh @@ -2,12 +2,14 @@ ENCRYPT_KEY=$1 -if [[ -n "$ENCRYPT_KEY" ]]; then - # Decrypt Release key - openssl enc -aes-256-cbc -md sha256 -d -in release/keystore.cipher -out keystore.jks -k "${ENCRYPT_KEY}" +declare -A SECRETS +SECRETS[release/keystore.cipher]=keystore.jks +SECRETS[release/props.cipher]=keystore.properties - # Decrypt signing config - openssl enc -aes-256-cbc -md sha256 -d -in release/props.cipher -out keystore.properties -k "${ENCRYPT_KEY}" +if [[ -n "$ENCRYPT_KEY" ]]; then + for src in "${!SECRETS[@]}"; do + openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}" + done else - echo "ENCRYPT_KEY is empty" + echo "Usage: ./signing-setup.sh " fi -- cgit v1.2.3