From ca6b941cbb2e6bc1ee5dcd1f816f28215b1ef47e Mon Sep 17 00:00:00 2001 From: Harsh Shandilya Date: Wed, 26 Jul 2023 14:08:31 +0530 Subject: [PATCH] fix(release): update secrets handling scripts --- .github/workflows/ci.yml | 4 ++-- scripts/encrypt-secret.sh | 18 ++++++++++-------- scripts/signing-setup.sh | 12 ++++++------ secrets/keystore.cipher | Bin 2643 -> 0 bytes secrets/keystore.jks.age | Bin 0 -> 2643 bytes secrets/keystore.properties.age | Bin 0 -> 315 bytes secrets/props.cipher | Bin 315 -> 0 bytes 7 files changed, 18 insertions(+), 16 deletions(-) delete mode 100644 secrets/keystore.cipher create mode 100644 secrets/keystore.jks.age create mode 100644 secrets/keystore.properties.age delete mode 100644 secrets/props.cipher diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8588f60d..8a8018ea 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,9 +60,9 @@ jobs: - name: Decrypt secrets run: | ./scripts/setup-age.sh - ./scripts/signing-setup.sh "$ENCRYPT_KEY" + ./scripts/signing-setup.sh "$AGE_SECRET_KEY" env: - ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }} + AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }} - name: Build release app uses: gradle/gradle-build-action@a4cf152f482c7ca97ef56ead29bf08bcd953284c # v2.7.0 diff --git a/scripts/encrypt-secret.sh b/scripts/encrypt-secret.sh index abbcf559..80f93d0a 100755 --- a/scripts/encrypt-secret.sh +++ b/scripts/encrypt-secret.sh 
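Review bot: The secret is still handed to the script on argv in the `./scripts/signing-setup.sh "$AGE_SECRET_KEY"` line even though the `env:` block directly below already exports it, so the private key sits in the process arguments of the shell and of the script for the length of the step, where any other process on the runner can read it (Actions log masking does not cover that). Drop the argument, `./scripts/signing-setup.sh`, and have the script read `"${AGE_SECRET_KEY:?}"` from the environment instead of `${1}`; the matching script change belongs in the signing-setup.sh hunk, where the variable was also left as `ENCRYPT_KEY` although the workflow side was renamed to `AGE_SECRET_KEY` in this commit. Since the workflow now references `secrets.AGE_SECRET_KEY`, the repository secret under the new name must exist before this is merged, which the diff cannot show.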
@@ -2,15 +2,17 @@ set -euo pipefail -# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result -# to the provided path. Yes it's very needy. - INPUT_FILE="${1:-}" OUTPUT_FILE="${2:-}" -ENCRYPT_KEY="${3:-}" +AGE_KEY="${3:-}" -if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then - openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}" -else - echo "Usage: ./encrypt-secret.sh " +if ! command -v age 1>/dev/null; then + echo "age not installed" + exit 1 +fi + +if [[ -n "$AGE_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then + age --encrypt -r "$(echo "${AGE_KEY}" | age-keygen -y)" -o "${OUTPUT_FILE}" < "${INPUT_FILE}" +else + echo "Usage: ./encrypt-secret.sh " fi diff --git a/scripts/signing-setup.sh b/scripts/signing-setup.sh index 2d5c5d88..4ba5d5d2 100755 --- a/scripts/signing-setup.sh +++ b/scripts/signing-setup.sh @@ -3,11 +3,11 @@ set -euo pipefail ENCRYPT_KEY="${1}" -TEMP_KEY="$(mktemp)" +KEY_FILE="$(mktemp)" -trap "rm -rf ${TEMP_KEY} 2>/dev/null" INT TERM EXIT +trap "rm -rf ${KEY_FILE} 2>/dev/null" INT TERM EXIT -echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}" +echo "${ENCRYPT_KEY:?}" > "${KEY_FILE}" function decrypt() { if ! command -v age 1>/dev/null; then @@ -16,8 +16,8 @@ function decrypt() { fi SRC="${1}" DST="${2}" - age --decrypt -i "${TEMP_KEY}" -o "${DST:?}" "${SRC:?}" + age --decrypt -i "${KEY_FILE}" -o "${DST:?}" "${SRC:?}" } -decrypt secrets/keystore.cipher keystore.jks -decrypt secrets/props.cipher keystore.properties +decrypt secrets/keystore.jks.age keystore.jks +decrypt secrets/keystore.properties.age keystore.properties 
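Review bot: The new `age --encrypt -r "$(echo "${AGE_KEY}" | age-keygen -y)"` line depends on `age-keygen`, but the preflight `command -v` check added above it only verifies `age`, and because the conversion runs inside a command substitution used as an argument, a missing tool or an unparseable key does not stop the script under `set -e` and age is handed an empty recipient instead of the caller getting a clear diagnostic. Check both binaries, assign the recipient to a variable first so a failure aborts, and send the "age not installed" and usage messages to stderr with a non-zero exit rather than stdout and status 0. Encryption only needs the public recipient, so the caller could pass the `age1…` string instead of the secret key, which keeps the identity out of argv and `ps`; the same argv exposure is present in the signing-setup.sh hunk and the ci.yml hunk. The usage string appears to end right after the script name, so the argument placeholders may have been lost either in rendering or in the file itself — worth confirming.
```shell
if ! command -v age 1>/dev/null || ! command -v age-keygen 1>/dev/null; then
  echo "age and age-keygen must be installed" >&2
  exit 1
fi

# … unchanged: INPUT_FILE/OUTPUT_FILE/AGE_KEY assignments and the non-empty check …
  # assignment form: a failed age-keygen now aborts under set -e instead of yielding an empty -r
  recipient="$(printf '%s\n' "${AGE_KEY}" | age-keygen -y)"
  age --encrypt -r "${recipient}" -o "${OUTPUT_FILE}" < "${INPUT_FILE}"
# … unchanged: else/usage branch and fi …
```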
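Review bot: The renamed `trap "rm -rf ${KEY_FILE} 2>/dev/null" INT TERM EXIT` line still interpolates the path unquoted into the trap string at definition time and uses `-rf` for what is a single regular file from `mktemp`; `trap 'rm -f -- "${KEY_FILE}"' INT TERM EXIT` keeps the path quoted when the trap runs and cannot recurse. The same hunk keeps `ENCRYPT_KEY="${1}"` while the workflow renamed its variable to `AGE_SECRET_KEY`, so the script reads the key under its old name from argv; reading `"${AGE_SECRET_KEY:?}"` from the environment would both finish the rename and keep the secret off the command line (see the ci.yml hunk). Writing the key with `printf '%s\n' "${ENCRYPT_KEY:?}" > "${KEY_FILE}"` avoids echo's option and escape handling. The `decrypt` function opened at the end of this hunk continues in the next hunk.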
diff --git a/secrets/keystore.cipher b/secrets/keystore.cipher deleted file mode 100644 index 4cc091ccdc32fdb77565c6c549988fababfa9c91..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2643 zcmV-Z3as^EXJsvAZewzJaCB*JZZ2Fm*#=LNIAKQe%2rT6bklZbofqcufjLK|w23FK{<@OLTZoG8IA+G`^TuTN~cyx={Q)g-Pl0VP%5-a!! zUwV}^PI*Jg*N$nXSRn7@zKNo>$vg0wZ~lSW{B(tkaFvCy6%)smdP0#qDI*JZ?#$Wy zL=RyEJXZ0h{+du*=MJhX6_eTXa@#s-uP=aU(6#M^Eyk)IJcycV_NdM%qhfsc4^&d7 z%$~_|KqUGJv>=I4EY)nin||F&h@kD5d0Q_wP-1f?uaF&-1r6`hOH%#K_Uhj$jwI%@ zxxdiAiv%`xXPsZ~hXm7ClY~g|miEsqvEWhea4RPb>wYW%!1Y&b_Qwd2ysU2lBf;1h zsRbu1TWIMUi;wARZ07k=0oN|zaju&pgrN`6uIiRQ(N>gnIjyf~kKs@oq1$N_I|fHB z-jmVdW*1KYk3w%lH4);oi?^{vr&vgVz?XJ zG+(Fkq2V{Zo2cl~tK?xTt#hhWSFOJ=PqVS;*DE!}|1%`H0F~j4hEkz?w)tep=pXWbR}!t5p215~&F6?}GfplnvNCeV1PVpM)D4ka}1BtZx=i!Pbw4(=4r zv`|9r=;gx>@HzY+%ABM+m5nYU4%vH_1TUA#U)S-2mn_Jug27bI=t z6pozxgfozTL}^9EmZ@0>iI@O=wV*rmNv8>(LHVJ4BEA${YyIpm4OmkcAfAGZYOcQ&7q-}`%A6I3JVGQz3T84`q{SgpfwU?uUmm<|E05tX3exT|9sZ=@__hEYE%1JV)*j|c7a<(e_}MGYL&^|;ce zlj9-HNrOU`jkhv~guj-LEynQO?6WsQ{QSh?h#0Nix@V~OKeL*UmVZik3m-5A?ACFT zPT8@REvD3eWd_o{Gq>&7EA3ed#u@DEu6o4KO+Hpu5eAKLe~55@xnaugA<&;)9Um># z7)^ThqyYkem|#+c6s~r4h#crvf44@*wq84?cJdiVFoAGK2$UK-7pz6r*F~%zoFuY< z)y0p^if$1<`(HI{y2%^w|Mf&c>VHc=zZZ{uMr&R?9FqMFo|U9F1H5Ogc}ExkUOz9z zI?Qm-WBsN{>o)8dD;`kXL!zk8E}Y?+_9$C`LY1Ao*!56hTx#!1ZVKGH%=wY;dk&S{ ziRlD;4(6Xe(1V3p^4CN2PY`>O&VJ>bAR|ZSDalPyI@RZcMu?=Hg=-QDxvWG2c1i%R zR7xQ2E$4Rm6}~yEfMNl8mN0Ke(>gP;`#T+G06_RJu${9**HcM9=kyl2CtUC;&?9*j z6s{cT7GiQ3ae>@SwI7a_APOqAPy1OMDle%a);Qc<&Bk2lbRLSZPxk=P_2~H2VHGQl zi^RJAdn7ZXCA^MbA{*c85)_fKBW`GECp5lKvoSGv4&)QAiTYDz^{AYbb^x}@d2Qmocy#A9l#eA9F%m5JPK^Mx!K7J}5!Co;BB8Q%DrPh5XK zyC{!+LpsX@F5t{`7(#4|-m*Wr2H$0N1PGlHM(JZl)0I89I(a4WQ-0y&NH<~GqIq?n zVnAVxc`s7XYUl~Qh6SKaS5eQpDQa$JeO^mkyYywXim1A*NF#A1gN|cA!KMbq&LU(2`J{-b`!in zd=A*kv1F>*Fx?G&jr5dMpD)&0^#A(D&2HE^l}$1YVo<_^_#Bz3J-WHgKU|Y`nIQHB z<1VNi{0WblA3;PAJZaF?jJ7To@(jexkv2>6!co zv>0ml@`_CvYngu*?Pv4+UNE4_;H-_#T*i!UpP|ch6T{YtZM<|fI(0$PkpqLP{YpkJ 
znQ@U^bz;k^D_!Q~-OG_3JS`>jMtd>GHNH5l1QH~nhD7RAJ%R(Z5pwUQ9(;VpO2Z01 z*`jmXSqO4YWTI7eco|@;U2KrCnRCYyYxKv!=gY-N=n;LC68OSrFon^Zl=@)3yRJu1 z9}BnIz1G_+NfjykicFKZUhj-hT|XGzv&7=W&fF#6#96M9=~-Pw42#f{0|r)X*XpV( z65fIn2rmcUb@;lm+$<$TWefG8kGb}0k=7OZpO^jhONM;nDrf0m+=r}TUzb%WLSg*V B3qb$? 
diff --git a/secrets/keystore.jks.age b/secrets/keystore.jks.age new file mode 100644 index 0000000000000000000000000000000000000000..605a2181748337dacbec9f7b5d792058cbb80a9e GIT binary patch literal 2643 zcmV-Z3as^EXJsvAZewzJaCB*JZZ2{LaA`I| zFL_dQPir+}Zc|E4Vp(K#LO3yKQ!olGEiE84R#JIyc~(Mmd1PrwL`^eEYH(|9Mo>w1 zaCCWMH!@mDdUs5BbxJmDSy>8<8Hw${B|j3IZJ6IHX>v)=hsbZ}2L6UDY#cte*IiG9 zrI?0S$By`Yvn5G$Pj3k~V^;J4&%W%x*>&a$i>=i7-C21;sZfTGOhm#8i%yM|`gmh>dk z!@Lg@32xC7FGLFNwW2r%F&-dP(y>B=Dl!^p^iUv9Hy`(kw32NG>)60+C<5;bj!e^J zX3eVB(Xh8Q!9^jF#O)*}eCKJHLHos36pnEW8fEjVQ_;i#OdL0%pKQ9WOJD6j{BPhP z833`C_+_6qhLRcG?h_0@}{S9_77uT;1HDmH#RAXQc~1h#~Ff`O1i z6#X~V&}N~G?ra9$OGor-M!6|e_Ghmlc{V}fZMDz2NCs0V72Ov+phSb$9p_d3ZEdcN zy26Ftlx!zlXSQjnbEX3RK5dKG%`Pm78d{;*ncF4c{LfBON=*`$d6SIFf7!w zg%X(+x5%cZ;H72ev-NO6gOiPlN9z*7V}#eRU(?~POdUW5WRdTcIZi;p+2b&En*x9| zd5zL@cq+2f3sOmuxP+7|%2(H1>z%Fz^t8YV+)mE6_Tx65F4Vh0VGR#B=?tGHFXzt1 z#kcaX#RcMYwS73Nd|NCKoeV(Vj%ZqRM0Wgz!AR3NM*P&!-nKOvE~z3ubr>U>!&7(4 z{Y?CEGU?>VYe{ZId2VuVZoT|P5hs)7;%Gn`1T59Wc8oNx1jSE)zE&|9!+knbg@T36 z_dcRQh0#`Jri6B!1oh$CX_jXkCG z$>f#al%UBZSorKu9!JkSUG1t!bRS|-7PnM}Ckh+<5?k?M+`-UF~RPxeM6) z()DG({!+KKQU@ysx^uqZ*r;C?gvr(qj4j8#vG`^kG>8Jr4yL!r0DUs3>)84btW|&% zi}Odrt&}?h*!h{DMIxBeNHR3&4ol;u6|BFI?-{}xB*mZdovs9;ypdI~dkTK=Z%G{SLoZ?+R^*N^-#z!wVs3eY*B#((4Kk_eu zAKVA80m=iu9Ttex44qv9bbHm=8Q5G2ppZt`W`o-g=7h<>&Mrj!Xyc=c=wR~1KBJ8H zLOq3a003xM%&Ymci$rCwAiBDj&)z9hKYsQM_8pfjdfi$GwZZfsYna*MG zVOUq>hsJbJ&?SHXelmGVakC?;hHXTIA(?s~5qV15Qt&|BJ^f~LZ0$rAX5$vn>bs-P zNVw)#a+SvqzzaYk9c4BW0RMZJzD3<*B^b7k;txMU*=qk{L}bijdFX_*4A&NuG2Vi| zP#3jHZqcZqKR1*_^tHJC@?VM5yzmxl~e(=l0#O7We5*H%^zZyJhM7VeC%izgxa z$9<H6-@sm zt%B6~&V0_1GF#n=uiDJ2HopP&BKxYVR98+@w<3vFHbomS+k}vV%?mJN2KVo@g!?EI z?@?GGNqq8yS}r^^xunj+d|`nYh!>`SxKAHCnI(U0oOmlFJ^&!jT0BO#T!CVza^|RW zTL;yS=fQbhy6A9v4Q6qYj?VK_bUrrR^gc@l+aLnIoa(2=4zwU*bren`gQ5imKLI!a za4*1 z6fvgX{{1huN5#`-_^eENVfpiH$H?Rn%s{sqD(ahPrx7QTt+?bgfC|NkW$tp#SHF6$BgI8<3l&K;yKbI(h@xcSwI+3!@1vs-mmfE{e=iQ59L_$Y 
zS}4L0jXTqZ{b6hfUc4tfZ(IT_G}S0G*?j}Y6U=786tnvILCG4_d8$sICMXbrYu^iA z=$Hu%UpA!ws+qTpug#w~Pdv7>S=_vi&t#dZmIG&M{Jh6c}%>(e*o7c6A!8hF&Fo%-#FNE9Xjy)>%Ptzbi>J63McTg|wg z$!<}eYTtPYaFOLE;~YJ-4ZlfnJlUm)^@K zh%49+-Bflf-B<#+Ah)0pHgb2_W^4d<4e6sb2zQ`2b0@NNXHy_MwCf0g&^_g#T%M2; B0FM9w literal 0 HcmV?d00001 diff --git a/secrets/keystore.properties.age b/secrets/keystore.properties.age new file mode 100644 index 0000000000000000000000000000000000000000..c6589c2536dd3ab7a1e386acae2e406bd444299a GIT binary patch literal 315 zcmV-B0mS}cXJsvAZewzJaCB*JZZ2R9Dj!OJ}6^VXjF3^4sD}==~$5(_MQlivL?W6r%_HN;_V9Wz{xEI&z16QG5 NE5HO{1epoTCq_=Vew6?K literal 0 HcmV?d00001 diff --git a/secrets/props.cipher b/secrets/props.cipher deleted file mode 100644 index a76abef6b810c3e686f6c6fcb4e597c1eac7eb63..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 315 zcmV-B0mS}cXJsvAZewzJaCB*JZZ2YMNMpSl5W@%?PZBbNEXGUx} zZg4VcVpBFpPBVH}LV0a4OG{QqZdD2`EiE8pOD{?=MQ%?|IdCgdV@*>wMp`&AdN(yn zSu|O8aCkF!Z8uJ3RVy_)D@6*g1~r1}i&k4~b^BSq$(1JLJs;5uE7|-zT4ImV4j)Kf z^Ec2B8gre}Ez`0G8uRX>9Tk`Rbn}1dB*W~W^Q__`;=WrgWS-VgNxt#p2-j!}APzi! zn+Zo4cc8TX85)TGoHV&|oM^KT0pgOSFKn1rKxVs*01y$mNLfuuy{X8V{&CES4BgDt Nsa!;oWAX8ehs@u6e+&Qs