initial containers-policy.json compatible signer script

2023-12-22 23:28:14 -08:00 · 2023-12-22 23:28:14 -08:00 · 6dc3ae06bb
parent f2c7343787
commit 6dc3ae06bb
1 changed files with 27 additions and 0 deletions
--- a/src/sign.sh
+++ b/src/sign.sh
@ -0,0 +1,27 @@
+#!/bin/bash
+set -eux
+
+# Generate container image signatures in PGP sigstore format
+
+REGISTRY=${1?}
+NAME=${2?}
+
+ID=$(docker image ls --format '{{.ID}}' --no-trunc "${REGISTRY}/${NAME}")
+DIR=sig/${REGISTRY}/${NAME}@sha256=${ID}
+SIGNUM=1
+
+mkdir -p ${DIR}
+
+[ -f ${DIR}/signature-1 ] \
+    && LASTSIGNUM=$( \
+        find ${DIR} -type f -printf "%f\n" \
+        | sort \
+        | tail -n1 \
+        | sed 's/signature-//' \
+    ) \
+    && let "SIGNUM=LASTSIGNUM+1"
+
+printf \
+    '[{"critical":{"identity":{"docker-reference":"%s/%s"},"image":{"docker-manifest-digest":"%s"},"type":"pgp container image signature"},"optional":null}]' \
+    "$REGISTRY" "$NAME" "$ID" \
+    | gpg --sign > ${DIR}/signature-${SIGNUM}