50 lines
1.4 KiB
Bash
Executable File
50 lines
1.4 KiB
Bash
Executable File
#!/bin/sh
|
|
# keygen.sh — generate an Ed25519 keypair for signing release binaries
|
|
#
|
|
# Usage:
|
|
# sh scripts/keygen.sh <developer-name>
|
|
#
|
|
# Output:
|
|
# ~/.keys/<developer-name>.key — private key (KEEP SECRET, never commit)
|
|
# developers/<developer-name>.pub — public key (safe to commit here)
|
|
#
|
|
# Requirements: openssl 3.x
|
|
|
|
set -e
|
|
|
|
NAME="$1"
|
|
if [ -z "$NAME" ]; then
|
|
echo "Usage: sh scripts/keygen.sh <developer-name>" >&2
|
|
echo "Example: sh scripts/keygen.sh mchusavitin" >&2
|
|
exit 1
|
|
fi
|
|
|
|
PRIVATE_KEY_PATH="$HOME/.keys/${NAME}.key"
|
|
PUBLIC_KEY_PATH="$(dirname "$0")/../developers/${NAME}.pub"
|
|
|
|
if [ -f "$PRIVATE_KEY_PATH" ]; then
|
|
echo "Private key already exists at $PRIVATE_KEY_PATH" >&2
|
|
echo "Delete it manually if you want to regenerate." >&2
|
|
exit 1
|
|
fi
|
|
|
|
mkdir -p "$HOME/.keys"
|
|
chmod 700 "$HOME/.keys"
|
|
|
|
# Generate Ed25519 private key (PEM format)
|
|
openssl genpkey -algorithm ed25519 -out "$PRIVATE_KEY_PATH"
|
|
chmod 600 "$PRIVATE_KEY_PATH"
|
|
|
|
# Extract raw 32-byte public key and base64-encode it
|
|
openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform DER \
|
|
| tail -c 32 \
|
|
| base64 > "$PUBLIC_KEY_PATH"
|
|
|
|
echo "Private key: $PRIVATE_KEY_PATH (DO NOT share or commit)"
|
|
echo "Public key: $PUBLIC_KEY_PATH (commit this to the keys repo)"
|
|
echo ""
|
|
echo "Next steps:"
|
|
echo " 1. git add developers/${NAME}.pub && git commit -m 'add ${NAME} public key'"
|
|
echo " 2. git push"
|
|
echo " 3. Rebuild any release binaries to include the new key"
|