From a809b672fc289d31b0057f87f461a1ff6cfa6e68 Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Wed, 30 May 2018 17:12:19 +0200
Subject: [PATCH] Add script to sign arbitrary files using the key stored in Secrets Manager
---
 sign.sh | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100755 sign.sh
diff --git a/sign.sh b/sign.sh
new file mode 100755
index 0000000000000..8b03ed7f1b92e
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ "${1:-}" == "" ]]; then
+ echo "Usage: sign.sh FILE" >&2
+ exit 1
+fi
+
+
+tmpdir=$(mktemp -d)
+trap "shred $tmpdir/* && rm -rf $tmpdir" EXIT
+
+SECRET=CDK/SigningKey
+
+# Use secrets manager to obtain the key and passphrase into a JSON file
+echo "Retrieving key..." >&2
+aws --region us-east-1 secretsmanager get-secret-value --secret-id "$SECRET" --output text --query SecretString > $tmpdir/secret.txt
+passphrase=$(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['Passphrase'])")
+
+echo "Importing key..." >&2
+gpg --homedir $tmpdir --import <(python -c "import json; print(json.load(file('$tmpdir/secret.txt'))['PrivateKey'])")
+
+echo "Signing $1..." >&2
+echo $passphrase | gpg \
+ --homedir $tmpdir \
+ --local-user aws-cdk@amazon.com \
+ --batch --yes \
+ --passphrase-fd 0 \
+ --output $1.sig \
+ --detach-sign $1
+
+echo "Done!" >&2
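Review bot: The cleanup in `trap "shred $tmpdir/* && rm -rf $tmpdir" EXIT` can leave the imported private key on disk: `$tmpdir/*` does not recurse, gpg 2.x keeps secret keys under a `private-keys-v1.d/` subdirectory of the homedir, and shred fails on a directory entry, so the `&&` short-circuits and the `rm -rf` never runs. Prefer `trap 'find "$tmpdir" -type f -exec shred -u -- {} +; rm -rf -- "$tmpdir"' EXIT`, single-quoted so the variable is expanded when the trap fires and the removal is not conditional on shred. The unquoted expansions of `$tmpdir`, `$1` (including `--output $1.sig`) and `echo $passphrase` break on paths with spaces and on a passphrase that looks like an echo option; quote them and feed gpg with `printf '%s\n' "$passphrase" | gpg ...`. `file()` in the two `python -c` snippets exists only in Python 2, while `open()` works on both, and gpg 2.1+ in `--batch` mode generally needs `--pinentry-mode loopback` for `--passphrase-fd 0` to be honoured.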