| #!/bin/bash |
| |
| set -e |
| |
| GCLOUD="gcloud --project=mendel-linux-cloud-infra" |
| PRIVKEY_NAME="mendel-linux-signing-key" |
| PASSPHRASE_NAME="mendel-linux-signing-key-passphrase" |
| |
| export TMPARCHIVE="$(mktemp /tmp/XXXXXXXX.tar.gz)" |
| export GNUPGHOME="$(mktemp -d /tmp/XXXXXXXX)" |
| chmod 700 $GNUPGHOME |
| |
| cleanup() { |
| find $GNUPGHOME -type f |xargs shred -u |
| rm -rf $GNUPGHOME |
| shred -u $TMPARCHIVE |
| trap |
| } |
| |
| trap cleanup KILL INT EXIT RETURN |
| |
| echo Fetching passphrase |
| PASSPHRASE="$(${GCLOUD} secrets versions access latest \ |
| --secret=${PASSPHRASE_NAME})" |
| |
| gpg --batch --generate-key - <<EOF |
| %echo Generating signing key |
| Key-Type: RSA |
| Key-Length: 4096 |
| Key-Usage: encrypt sign auth cert |
| Subkey-Type: RSA |
| Subkey-Length: 4096 |
| Subkey-Usage: encrypt sign auth cert |
| Name-Real: Mendel Linux Release Masters |
| Name-Email: coral-support@google.com |
| Expire-Date: 0 |
| Passphrase: ${PASSPHRASE} |
| %commit |
| %echo Key generation done |
| EOF |
| |
| echo Archiving GPG homedir |
| chmod 600 "${TMPARCHIVE}" |
| tar -C "${GNUPGHOME}" -zcf- . | base64 > "${TMPARCHIVE}" |
| |
| echo Uploading archive to cloud storage |
| ${GCLOUD} secrets versions add "${PRIVKEY_NAME}" \ |
| --data-file="${TMPARCHIVE}" |
