chore: re-encrypt secrets with age

scripts/setup-age.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+TEMP_DIR="$(mktemp -d)"
+BIN_DIR=""
+AGE_VERSION="v1.0.0"
+AGE_FILE=""
+
+case "$(uname)" in
+  Linux)
+    AGE_FILE="age-${AGE_VERSION}-linux-amd64.tar.gz"
+    BIN_DIR="${HOME}/.local/bin"
+    ;;
+  Darwin)
+    AGE_FILE="age-${AGE_VERSION}-darwin-amd64.tar.gz"
+    BIN_DIR="${HOME}/bin"
+    ;;
+  *) echo "Unsupported system: $(uname)"; exit 1 ;;
+esac
+
+pushd "${TEMP_DIR}"
+
+curl -L --silent --show-error --retry 3 --fail -o age.tar.gz "https://github.com/FiloSottile/age/releases/download/v1.0.0/${AGE_FILE:?}"
+tar xvf age.tar.gz
+rm age/LICENSE
+mkdir -p "${BIN_DIR}"
+mv -v age/age "${BIN_DIR}" && chmod +x "${BIN_DIR}/age"
+mv -v age/age-keygen "${BIN_DIR}" && chmod +x "${BIN_DIR}/age-keygen"
+
+popd

scripts/signing-setup.sh

@@ -2,16 +2,20 @@
 
 set -euo pipefail
 
-ENCRYPT_KEY="${1:-}"
+ENCRYPT_KEY="${1}"
+TEMP_KEY="$(mktemp)"
 
-declare -A SECRETS
-SECRETS[secrets/keystore.cipher]=keystore.jks
-SECRETS[secrets/props.cipher]=keystore.properties
+echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"
 
-if [[ -n "$ENCRYPT_KEY" ]]; then
-    for src in "${!SECRETS[@]}"; do
-      openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
-    done
-else
-    echo "Usage: ./signing-setup.sh <encryption key>"
-fi
+function decrypt() {
+  if ! command -v age 1>/dev/null; then
+    echo "age not installed"
+    exit 1
+  fi
+  SRC="${1}"
+  DST="${2}"
+  age --decrypt -i "${TEMP_KEY}" -o "${DST:?}" "${SRC:?}"
+}
+
+decrypt secrets/keystore.cipher keystore.jks
+decrypt secrets/props.cipher keystore.properties