From 6dc3ae06bbf2597d6da68b4a7545f6b1da28e7b8 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick" <lance@lrvick.net>
Date: Fri, 22 Dec 2023 23:28:14 -0800
Subject: [PATCH] initial containers-policy.json compatible signer script

---
 src/sign.sh | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 src/sign.sh

diff --git a/src/sign.sh b/src/sign.sh
new file mode 100644
index 0000000..3151a7d
--- /dev/null
+++ b/src/sign.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -eux
+
+# Generate container image signatures in PGP sigstore format
+
+REGISTRY=${1?}
+NAME=${2?}
+
+ID=$(docker image ls --format '{{.ID}}' --no-trunc "${REGISTRY}/${NAME}")
+DIR=sig/${REGISTRY}/${NAME}@sha256=${ID}
+SIGNUM=1
+
+mkdir -p ${DIR}
+
+[ -f ${DIR}/signature-1 ] \
+    && LASTSIGNUM=$( \
+        find ${DIR} -type f -printf "%f\n" \
+        | sort \
+        | tail -n1 \
+        | sed 's/signature-//' \
+    ) \
+    && let "SIGNUM=LASTSIGNUM+1"
+
+printf \
+    '[{"critical":{"identity":{"docker-reference":"%s/%s"},"image":{"docker-manifest-digest":"%s"},"type":"pgp container image signature"},"optional":null}]' \
+    "$REGISTRY" "$NAME" "$ID" \
+    | gpg --sign > ${DIR}/signature-${SIGNUM}