Add script to create new codesigning key pair
codesigning/create_codesigning_key_pair.sh: Add script to conveniently create a codesigning key pair.
This commit is contained in:
parent
b0f975c904
commit
eef56f2300
50
codesigning/create_codesigning_key_pair.sh
Executable file
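--- a/codesigning/create_codesigning_key_pair.sh
+++ b/codesigning/create_codesigning_key_pair.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This script creates a codesigning key pair and copies the resulting certificate and key to the directory specified by
+# the first argument to this script (else $PWD)
+
+set -euo pipefail
+
+temp_dir="$(mktemp -d --tmpdir codesigning.XXXXXXXXXXXXX)"
+
+readonly codesigning_subj="/C=DE/ST=Berlin/L=Berlin/O=Arch Linux/OU=Release Engineering/CN=archlinux.org"
+readonly codesigning_cert="${temp_dir}/codesign.crt"
+readonly codesigning_key="${temp_dir}/codesign.key"
+readonly codesigning_conf="${temp_dir}/openssl.cnf"
+readonly output_dir="${1:-$PWD}"
+
+cleanup() {
+rm -fr "${temp_dir}"
+}
+
+generate_ca() {
+cp -- /etc/ssl/openssl.cnf "${codesigning_conf}"
+printf "\n[codesigning]\nkeyUsage=digitalSignature\nextendedKeyUsage=codeSigning\n" >> "${codesigning_conf}"
+openssl req \
+-newkey rsa:4096 \
+-keyout "${codesigning_key}" \
+-nodes \
+-sha256 \
+-x509 \
+-days 365 \
+-out "${codesigning_cert}" \
+-config "${codesigning_conf}" \
+-subj "${codesigning_subj}" \
+-extensions codesigning
+}
+
+copy_certs() {
+local _output_dir
+if [[ -d "${output_dir}" ]]; then
+_output_dir="${output_dir}"
+else
+_output_dir="${PWD}"
+fi
+cp -- "${codesigning_cert}" "${codesigning_key}" "${_output_dir}"
+}
+
+trap cleanup EXIT
+generate_ca
+copy_certs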
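Review bot: `copy_certs` silently falls back to `$PWD` when the requested output directory does not exist, so the unencrypted private key (the key is generated with `-nodes`) can end up somewhere other than where the caller asked, and the following `cp --` then overwrites any existing `codesign.key` or `codesign.crt` in that directory without notice. With `set -euo pipefail` already in effect, failing loudly is the safer behaviour; the rewrite below rejects a missing directory and refuses to clobber an existing destination file. The name `generate_ca` is also misleading, since the certificate carries only `keyUsage=digitalSignature` and `extendedKeyUsage=codeSigning` and no CA constraints, so `generate_codesigning_cert` would describe it better. A header comment such as `# NOTE: the private key is written unencrypted (-nodes); move it to protected storage after creation` would make the handling expectation explicit.
```shell
copy_certs() {
  local _target
  if [[ ! -d "${output_dir}" ]]; then
    printf 'error: output directory does not exist: %s\n' "${output_dir}" >&2
    exit 1
  fi
  for _target in "${codesigning_cert}" "${codesigning_key}"; do
    if [[ -e "${output_dir}/${_target##*/}" ]]; then
      printf 'error: refusing to overwrite existing file: %s\n' "${output_dir}/${_target##*/}" >&2
      exit 1
    fi
  done
  cp -- "${codesigning_cert}" "${codesigning_key}" "${output_dir}"
}
```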