From 943b9bd091497c2baf39ef391a54b2844817df69 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Sun, 11 Dec 2022 18:03:03 +0530
Subject: [PATCH] chore: re-encrypt secrets with `age`
---
.github/workflows/baseline-profile.yml | 4 +++-
.github/workflows/ci.yml | 4 +++-
.github/workflows/release.yml | 4 +++-
scripts/setup-age.sh | 31 +++++++++++++++++++++++++
scripts/signing-setup.sh | 26 ++++++++++++---------
secrets/keystore.cipher | Bin 2464 -> 2643 bytes
secrets/props.cipher | Bin 144 -> 315 bytes
7 files changed, 55 insertions(+), 14 deletions(-)
create mode 100755 scripts/setup-age.sh
diff --git a/.github/workflows/baseline-profile.yml b/.github/workflows/baseline-profile.yml
index 00876618..90c906d0 100644
--- a/.github/workflows/baseline-profile.yml
+++ b/.github/workflows/baseline-profile.yml
@@ -38,7 +38,9 @@ jobs:
 gradle-home-cache-cleanup: true - name: Decrypt secrets
- run: scripts/signing-setup.sh "$ENCRYPT_KEY"
+ run: |
+ ./scripts/setup-age.sh
+ ./scripts/signing-setup.sh "$ENCRYPT_KEY"
 env: ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cf7cd757..84914a31 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -62,7 +62,9 @@ jobs:
 java-version: 18 - name: Decrypt secrets
- run: scripts/signing-setup.sh "$ENCRYPT_KEY"
+ run: |
+ ./scripts/setup-age.sh
+ ./scripts/signing-setup.sh "$ENCRYPT_KEY"
 env: ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 74699b66..966582f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,7 +31,9 @@ jobs:
 cache-read-only: true - name: Decrypt secrets
- run: scripts/signing-setup.sh "$ENCRYPT_KEY"
+ run: |
+ ./scripts/setup-age.sh
+ ./scripts/signing-setup.sh "$ENCRYPT_KEY"
 env: ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
diff --git a/scripts/setup-age.sh b/scripts/setup-age.sh
new file mode 100755
index 00000000..e48fb2d8
--- /dev/null
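Review bot: The step-level `env:` on "Decrypt secrets" now covers a two-command `run:` block, so `ENCRYPT_KEY` (which after this commit is the age identity) is also present in the environment of `./scripts/setup-age.sh`, a script that only downloads and installs a binary and has no use for it. Splitting the install into its own step, `- name: Install age` with `run: ./scripts/setup-age.sh` and no `env:`, keeps the secret scoped to the one script that reads it and makes a failed download distinguishable from a failed decryption in the job log. The same hunk appears in ci.yml and release.yml and the same split applies there. Every run now also depends on fetching a tool from GitHub releases before it can decrypt; caching the installed binary (for example with actions/cache keyed on the age version) would remove that network dependency from the critical path.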
+++ b/scripts/setup-age.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+TEMP_DIR="$(mktemp -d)"
+BIN_DIR=""
+AGE_VERSION="v1.0.0"
+AGE_FILE=""
+
+case "$(uname)" in
+ Linux)
+ AGE_FILE="age-${AGE_VERSION}-linux-amd64.tar.gz"
+ BIN_DIR="${HOME}/.local/bin"
+ ;;
+ Darwin)
+ AGE_FILE="age-${AGE_VERSION}-darwin-amd64.tar.gz"
+ BIN_DIR="${HOME}/bin"
+ ;;
+ *) echo "Unsupported system: $(uname)"; exit 1 ;;
+esac
+
+pushd "${TEMP_DIR}"
+
+curl -L --silent --show-error --retry 3 --fail -o age.tar.gz "https://github.com/FiloSottile/age/releases/download/v1.0.0/${AGE_FILE:?}"
+tar xvf age.tar.gz
+rm age/LICENSE
+mkdir -p "${BIN_DIR}"
+mv -v age/age "${BIN_DIR}" && chmod +x "${BIN_DIR}/age"
+mv -v age/age-keygen "${BIN_DIR}" && chmod +x "${BIN_DIR}/age-keygen"
+
+popd
diff --git a/scripts/signing-setup.sh b/scripts/signing-setup.sh
index 64de677f..12500b0e 100755
--- a/scripts/signing-setup.sh
+++ b/scripts/signing-setup.sh
@@ -2,16 +2,20 @@ set -euo pipefail
-ENCRYPT_KEY="${1:-}"
+ENCRYPT_KEY="${1}"
+TEMP_KEY="$(mktemp)"
-declare -A SECRETS
-SECRETS[secrets/keystore.cipher]=keystore.jks
-SECRETS[secrets/props.cipher]=keystore.properties
+echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"
-if [[ -n "$ENCRYPT_KEY" ]]; then
- for src in "${!SECRETS[@]}"; do
- openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
- done
-else
- echo "Usage: ./signing-setup.sh "
-fi
+function decrypt() {
+ if ! command -v age 1>/dev/null; then
+ echo "age not installed"
+ exit 1
+ fi
+ SRC="${1}"
+ DST="${2}"
+ age --decrypt -i "${TEMP_KEY}" -o "${DST:?}" "${SRC:?}"
+}
+
+decrypt secrets/keystore.cipher keystore.jks
+decrypt secrets/props.cipher keystore.properties
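Review bot: `TEMP_KEY` receives the age identity on the new `echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"` line but is never deleted, so the private key outlives the decryption on the runner's filesystem (mktemp's default mode keeps it owner-only, but it should not persist at all); add `trap 'rm -f "${TEMP_KEY}"' EXIT` directly after `TEMP_KEY="$(mktemp)"`. With `set -u` in effect, `ENCRYPT_KEY="${1}"` aborts with bash's generic unbound-variable message before `${ENCRYPT_KEY:?}` is reached, so the usage hint the old `else` branch printed is effectively lost; `ENCRYPT_KEY="${1:?usage: signing-setup.sh AGE_IDENTITY}"` restores it in one place and makes the later `:?` redundant. The `command -v age` guard inside `decrypt` runs on every call; hoisting it above the function reads more clearly, though the behavior is the same.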
diff --git a/secrets/keystore.cipher b/secrets/keystore.cipher index 25249feb45bcb9debdbba884f0983a3f5b6b41c5..4cc091ccdc32fdb77565c6c549988fababfa9c91 100644 GIT binary patch literal 2643 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{Wc7FiMHaFR?VpaWXSAax1hj z%L<4xD0NPBGRU+DO0J5EDo^#zbIVPy@a1xKbkq*jFEB6jE~)T0DUXcO_Xu)KDt8Pt zDmBk?bV~CwEe|b;NGZyR@Z{3f)m2DID{`_Zv~=<}we(5z3{6e;a51a2a7+$JPBl$5 z*LDpma*YVGFt2j)N#>fzTT-$7W~#o5hPwD!JM%Na{1=+!ENV?QKdqd@xYuXTSvd{0 zxpCR0Z#1mFH@v&V)qeVU7x$d*^N;^IH2qRs&!iUP%@$Zu(tRU1J@d;X`}1Ffw105K zS4}nXt8_kjy)ScFgu?qL`#KkGJ!$=6X8ym%TYpMgdkUtuZV(kdKDEkeqP3udx`nKYn#^R)! zAN(Of%g)R@S>&Mdi*t)YXMoPtoV~N_?s|1BcsrvqTHh=nsaS3O1lcL9yzei22mL+! z?bUtFK9y&ickaKiznjIZG<|OT`*xPg;gefDK2G~~UT5Qjz;^}O>b$S(bQlhN4bS;@ zoMXbCHTjIn2X9EMWL4LW&Uh)^-TyK>=h@F7#_M_y3fIk6YFWsCVcn}~_7}sZlvu7^ zpV9v?KziZrOkry_cinrFFFr~W_h;yL%6EP;w}ijneRb3Ru&je0S$X4Ef3bGD?6oTH zQAynve!Z_%+OcPf_xNT0Dsb$2awAS&=9j>}YQ|%|dpX`+n48lsV|0B5`;zH`i?klT zWy)wiP!}@e#nA;Ztq+S-UkXMuNV5J*Fufx7)_&XKRYjK;pW3!@k@Fde7@1Ydj(fke zu05_Bc=6@0tr2t0wiRv;>~T)oA$`Xre)*?`56$<^Uh(4M>L-cXYl~Nfgs|~hwu%|6(VP*1yMV3!C-@007F7ji!b!DT1yPk3%pu$V zi`JBtEyxMmtahPdWl~6;E}yE&I~7L`qi(&K&-mVnoZAxM^!CNm!+aks|Hz+O+z_5u z6tiekWrBz@|KgUJ+XLrqV(izC-DBq%xkG-{w^oZq;wrh1Mf&D)uI9GycHqAm`{wh7 zzc;4;T|Miw`t_r7$=TTvC1;C#=CC-;bWUXaIDf)T+r)qUx6Zx!$n)d5H{183l3Tm& zy#r2~d{i>C>Av}Q;z_3U&t)eT#uQvA+0kn=qx$!qBV}_d`9gwzUb!{dOU2vxY}_@4 z4~<%mb2WX;SLx-=y>RHvXSVo~_j7FKJ#qI6JbiY?B)%p5HjEBuf~UwxzCGiR8h%*C zUfeqT6Bk!Wp*72EDf2^%d0%bWYhLN(3^_4W;ZC+iFC zC+g0vQ+z*F*u5>NKrnKNXNdI{V|~lFx@|qlr#4;_Dd_!ri?`h)=Gz5(-r3QH`VTT> zUH1CCR#z?XD1N+aTmIE$YP%)psomUmyfozHvZVWuvwJoRDpl6>oVAI+-Rd{H{po~z zCzQ^l*$4Q0%i&~b_7Lc`}=hV8! 
z?H3Mz{>QRvqN$zVV2C+~uzSIp^k`#HyZ&5Pi0 zu@H0RXVu$NYXs-!*)q)Ey1@Fg=W@<@jz1UHDD4x8$^QFBpEn{{LSbH0Pu9BqBI4Vw zng+C5rG0JAOiWO`@$kdD7p6{&H%@!{%WUFr@3qIdxH*6Cef2@~*UfF87nlmAYE@2dQw5j!9d!#{{$CklCH_6J>d7fjqZK#ey4t-y zEqk~r%Qz!3XKRX3`^@%#GCSlCzHx8ex$Gd9+g!oazRUfwcQ;vQ-g=OHj3X?b&HX@= z_eFCLW^Jw?U!Tr0{N~ClbNTCzOUoudRy^z3>@=-+yHR_~{%QTX$3EPBv)SC~&z~cY zIwaQK-Ic!LyZz=_6Q+f(f+etd4l%8<4v=7os@q6|Er7R zt9ozy{o?&KZrO1*GL!!D&YQZ#jCoJ`+Ddl`hB$luqgH1M&L{s}=K0#}jfA#bz#ZpB zE6(Z7c{uZ%Ms$PI)VX_Zd<{s9$$IaV$8~4-nV%EiSMyE1)A^F6n(x_sy9>>&k)N(R zfA$xso^-D6=^O=R_h*_XeFLqoK5usGSTeUYTZn7t8W*NAFNXCYUJ7q@pO^g<-DkPF zA&IeannAw%Wh>*2zpZ7{7#x1+ZhJYGbIvEIoTATC6mY2dhs?~Cw!3zo zwU3!xHdEmn>tnqYGJiPxXDXgudU3Yo8dXkW1l^_dwQa*jjrlvw`#-Vru!_`vIwaxY;$=P zV%x;LRj}y&GP#~1b9z8%R?7yPm z1Z$@V{Wz3v(0Xz9lwS#Zcdv8zm*?JoYwxw&+Mc4Czq@=U?}&Tf6A)`Jad-2PM@P=x zQN4d8a^1w2k+Cj3-4`Y^vxVhcf3-?m=w6dBhd%rL(jU7v-qBHYN#*{!uz%;btclk| df6br%_p5hX%_FV!m+^Pn*CfVI57l%^1OWWg3qb$? literal 2464 zcmWGe%qdAtiI4YBJ!5=w$&+jBwX^)+#_C;DySL^0l-uX!1rHorIxl~RtZ0tUy1;d( z822vy6Dv8}QpRTP!lK8eA*(ljw|L3({r8IYVi{e(L+!Z7uKaw0guX{&#J$Zg(o;zj;^<-JJaf+|H3uJ3HpZ$DL%{yxk(K4V(c+jq+M;v3oBUo$5vKmELK?x9}=^Ygyg zo!<8Cjpyd-m-E&HzB{3zf2wT}`?p29&lcT_eX{5G$@Rgv%ll^Zr&!N4nImv+t;p4P z@k$Xv>dvL}Pp)z*Z%)iL)1P@k(rw|HUw4=U?5(zhFE{b)e(NuLFyh63Pm7yM zFBV$Hta_rk<6sk~%ijFx=(&q~Ctk4s6m!$<^$xaMizY4qliSGEruzTz<5+RAFm^AK ztn&@(b0!^r5Sr=qgw0!C^yS9`&3wC+CNBT@VZswD@VCwm~Jm2;#L!|4LAibTbLcdd`H%5B&eXtBPo9SG|eEFN~ z^av5Q+=qe@G5jyi)vBEO{{ENY&%(BC-<`!(7Rh;;F5vxfB>1`CMkkrYyTTPA1rDyyZv@i`0e;t21P-& zDc2UBof&7ERvKqH;iZLS`@(O%c`2>uV?Ma-x~98XRXqA@`a$DZu{@iEeKY=r{Y(BA zB;+vb`257$zO{87%m$|4wCl|uJ??QXOtfAR_rR~(_|}g@QF3pkK2ClbSL|=gDHB@S zy;ZrvPIKe3n>*4cYFZVq{v|a1sl&Z9v2I$f$F4>`{%kJDl*6;dQrz4tG;UA-PNkLN zwG5M=rsgJ372bQ?zhPz;i`bHn=|#Cbsc-s!Mw>pk5%hV(3bz)~*wsIl{~uO|KVo)VCDSe|`3sCmNVq5~esg_s|o_kEmj@#VMYs~yC?r|-1W7gSB!ckZ0n z=?LqIp96#M-TL(5!4=+nuRA$w(o?3besQpKLitg9fy{Lgt3N-gvwr{8=IiH&`wb2q zGM~OA+k)Rs_-Wwny&}rb{FMFPJiBl+=WT8AmVfsIB$EAKWLG52&XuiQF=K~bj!OT$ 
zPS$LeDjwel~P9p5w^ge}?s?!-k6Xb9-M|IPMEgXW4Y}^t;N#<;&jP zw`vcSV+nZhe3De=Ntt~+rrdb^LMy^1DlR^IZJFaGqmK5iT9>WLeC3`jjf{Hu`?kTk z`?LS}7W~fFnKpq_?Cz0?&7uEo52UPlxKzgB5u??r#>>S;4=%oxN#Bxfz2w*Jdm$gx z*n%~VtjSuYE81_@xn-|-Wl5WJ?Twmk-=r@lGBzFjvuEMu9dk;~&1|>(cSd^hzG;1% z;zAE!sCoA0-Pe;{?)xta3US@wKDFNNM(ys{dP}AKonCWXI(s&SPo4eLb)nrt{`;BR z?z-;a3b(sFdH4JDzNtfzn*AV&^=`M`7B$^O z_7{i!Ki3x4H&*7W?wfY;hWL z$K=y(>m+|V){C^fzieUI_h`mxMcv2+lUK+Jp1<-m;$)RXUgoszyY}7c7kpx%JA1PO z`{hQhGfbcUi?ZbYofACGZNe$T2P+b%$@&y=xfQI7-}GqHY?g{+2lY>QR#i$TPSAVV z8hapqmFH=_FKfA6{MD6YAId)wmpXiY>6CRUCB7{lkvx-Um#lAZdFA_E?TK#s->X55 zX8FfsLs~!X724`}JyiI?amPD%J>G5eJ?PW7Wx<8zwq=W}H6KP7OxbkRTlKc7^!ig% zCclv_y=7UfyK-@*>t#!${+IJ|rt?Xh%X#p^^sheS^cSA)uV+ko*W94aQ)B8JnE7z( z78BK;5}})WrDo<|PV^SfeSERZ!u5f4F!xb6LHT$ifA?G&)iu`-`q!9yCg0K7DKhEp zL~h%<%2bgn$GTpJ3WYTB<`+KBO{h-WG;4>*a?X2|7rdBWK3-wLz1rnM@R@}z^O--3 zaBV#p^oCjI>dT~O#-}#~>n6vX&%e*E)4pQ4LD%&sC$DSf2G2|SZ@KTphrrI*2t!Yw z8?roioC1YcsF;MbZrLMqVym;@hOE(D1t28hx4o|DdPcioh$>s{uHVsa83n}wV%S<=V4GalLcgwNND=^AR z3N~~1Gp-7Es?0U;_6~E;3+2+))m2FL*7q`S&GYxSEYJ>0_6;_3i?T4RGB@>#G>I%L zs4y?sJ1jb<^mpXGlT+26*venz(!Tk}Ix4CE5}&+B+-LI( z{8GhpFX>+1#4h#u-C|kM>Ay=p*S}Ob{AR)DHII}Y?Tgk;nRhL~bKl3u9M?0r75HrG zW^=krlrPxwPg1Jm-yD;jMRPJX^D{o0v{XN5Mwmm|?p_7~!JQtFzMgwmo|yTs@JuJq S-7{BL#<)yM{`j%G{R{x#e18l8 literal 144 zcmWGe%qdAtiI0!7Il#3_>A*tAH2urW;hUx3&UPA)-#KQZ^j#wP zbm(Mte=CNE3NyCLOa0_t*7I%RH%->`>$Mk7YN$`+m3FI*STpDGH?