diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8588f60d..8a8018ea 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,9 +60,9 @@ jobs:
- name: Decrypt secrets
run: |
./scripts/setup-age.sh
- ./scripts/signing-setup.sh "$ENCRYPT_KEY"
+ ./scripts/signing-setup.sh "$AGE_SECRET_KEY"
env:
- ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
+ AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
- name: Build release app
uses: gradle/gradle-build-action@a4cf152f482c7ca97ef56ead29bf08bcd953284c # v2.7.0
diff --git a/scripts/encrypt-secret.sh b/scripts/encrypt-secret.sh
index abbcf559..80f93d0a 100755
--- a/scripts/encrypt-secret.sh
+++ b/scripts/encrypt-secret.sh
@@ -2,15 +2,17 @@
set -euo pipefail
-# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result
-# to the provided path. Yes it's very needy.
INPUT_FILE="${1:-}"
OUTPUT_FILE="${2:-}"
-ENCRYPT_KEY="${3:-}"
+AGE_KEY="${3:-}"
-if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
- openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}"
-else
- echo "Usage: ./encrypt-secret.sh "
+if ! command -v age 1>/dev/null; then
+ echo "age not installed"
+ exit 1
+fi
+
+if [[ -n "$AGE_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
+ age --encrypt -r "$(echo "${AGE_KEY}" | age-keygen -y)" -o "${OUTPUT_FILE}" < "${INPUT_FILE}"
+else
+ echo "Usage: ./encrypt-secret.sh "
fi
diff --git a/scripts/signing-setup.sh b/scripts/signing-setup.sh
index 2d5c5d88..4ba5d5d2 100755
--- a/scripts/signing-setup.sh
+++ b/scripts/signing-setup.sh
@@ -3,11 +3,11 @@
set -euo pipefail
ENCRYPT_KEY="${1}"
-TEMP_KEY="$(mktemp)"
+KEY_FILE="$(mktemp)"
-trap "rm -rf ${TEMP_KEY} 2>/dev/null" INT TERM EXIT
+trap "rm -rf ${KEY_FILE} 2>/dev/null" INT TERM EXIT
-echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"
+echo "${ENCRYPT_KEY:?}" > "${KEY_FILE}"
function decrypt() {
if ! command -v age 1>/dev/null; then
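Review bot: The age private key is handed to `signing-setup.sh` as a positional argument on the `run:` line, so it sits in that process's argv for as long as the script runs, where it can be read by any other process on the same runner (a real concern on shared or self-hosted runners); the `env:` block already exports the same value as `AGE_SECRET_KEY`, so the script could read it from the environment and the step would become `./scripts/signing-setup.sh` with no argument. That needs the matching one-line change in `scripts/signing-setup.sh`, replacing `ENCRYPT_KEY="${1}"` with a read of `"${AGE_SECRET_KEY:?}"`. Separately, the OpenSSL ciphertexts this commit deletes remain reachable in git history, so the now-unreferenced `ENCRYPT_KEY` repository secret should be removed rather than left configured. The job containing the `Decrypt secrets` step starts outside the hunk.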
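Review bot: The new `else` branch prints the usage text to stdout and then falls through to exit 0, so a call with missing arguments looks successful to whoever invoked it (and the message as shown has lost its argument placeholders, possibly in rendering); change it to `echo "Usage: ./encrypt-secret.sh INPUT_FILE OUTPUT_FILE AGE_KEY" >&2` followed by `exit 1`. The script also requires the age secret key only to derive the recipient through `age-keygen -y`, which puts a private key into shell history and the process table although encryption needs just the public recipient; accepting a recipient string for `-r`, or an identity file path for `-i` on age releases that can encrypt to an identity's recipient, avoids that. The header comment the commit deletes was not replaced; I would reinstate one such as `# Encrypts INPUT_FILE to OUTPUT_FILE with age, for the recipient derived from the given age identity.` so the script's purpose is still stated at the top.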
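Review bot: `ENCRYPT_KEY="${1}"` keeps the OpenSSL-era name for a value that is now an age identity, which the workflow supplies as `AGE_SECRET_KEY`; the rename in this hunk covered the temp file but not the key variable, so `ENCRYPT_KEY="${1}"` and `echo "${ENCRYPT_KEY:?}" > "${KEY_FILE}"` should become `AGE_SECRET_KEY="${1}"` and `echo "${AGE_SECRET_KEY:?}" > "${KEY_FILE}"`. The `rm -rf` in the new trap line is more than a single mktemp file needs; `rm -f` states the intent more precisely. A comment above the mktemp line would also help the next reader: `# age reads identities from a file, so the key is written to a temp file that the trap removes on exit.` The body of `decrypt` continues past the end of the hunk.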
@@ -16,8 +16,8 @@ function decrypt() {
fi
SRC="${1}"
DST="${2}"
- age --decrypt -i "${TEMP_KEY}" -o "${DST:?}" "${SRC:?}"
+ age --decrypt -i "${KEY_FILE}" -o "${DST:?}" "${SRC:?}"
}
-decrypt secrets/keystore.cipher keystore.jks
-decrypt secrets/props.cipher keystore.properties
+decrypt secrets/keystore.jks.age keystore.jks
+decrypt secrets/keystore.properties.age keystore.properties
diff --git a/secrets/keystore.cipher b/secrets/keystore.cipher
deleted file mode 100644
index 4cc091cc..00000000
Binary files a/secrets/keystore.cipher and /dev/null differ
diff --git a/secrets/keystore.jks.age b/secrets/keystore.jks.age
new file mode 100644
index 00000000..605a2181
Binary files /dev/null and b/secrets/keystore.jks.age differ
diff --git a/secrets/keystore.properties.age b/secrets/keystore.properties.age
new file mode 100644
index 00000000..c6589c25
Binary files /dev/null and b/secrets/keystore.properties.age differ
diff --git a/secrets/props.cipher b/secrets/props.cipher
deleted file mode 100644
index a76abef6..00000000
Binary files a/secrets/props.cipher and /dev/null differ