From f811845778c64b6197e8e3a72a9dcefe0ebf2f02 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Tue, 24 Jun 2014 15:22:38 -0700
Subject: [PATCH] updates: add example scripts for signing update payloads

This pretty much just translates the signing instructions into some trivial wrapper scripts to serve as an example on how to do this.
---
 offline_signing/devel.key.pem | 27 +++++++++++++++++++++++++++
 offline_signing/devel.pub.pem | 9 +++++++++
 offline_signing/download.sh | 16 ++++++++++++++++
 offline_signing/new_key.sh | 6 ++++++
 offline_signing/print_key.sh | 8 ++++++++
 offline_signing/sign.sh | 17 +++++++++++++++++
 6 files changed, 83 insertions(+)
 create mode 100644 offline_signing/devel.key.pem
 create mode 100644 offline_signing/devel.pub.pem
 create mode 100755 offline_signing/download.sh
 create mode 100755 offline_signing/new_key.sh
 create mode 100755 offline_signing/print_key.sh
 create mode 100755 offline_signing/sign.sh

diff --git a/offline_signing/devel.key.pem b/offline_signing/devel.key.pem
new file mode 100644
index 0000000000..ac660a755e
--- /dev/null
+++ b/offline_signing/devel.key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzFS5uVJ+pgibcFLD3kbYk02Edj0HXq31ZT/Bva1sLp3Ysv+Q
+Tv/ezjf0gGFfASdgpz6G+zTipS9AIrQr0yFR+tdp1ZsHLGxVwvUoXFftdapqlyj8
+uQcWjjbN7qJsZu0Ett/qo93hQ5nHW7Sv5dRm/ZsDFqk2Uvyaoef4bF9r03wYpZq7
+K3oALZ2smETv+A5600mj1Xg5M52QFU67UHlsEFkZphrGjiqiCdp9AAbAvE7a5rFc
+Jf86YR73QX08K8BX7OMzkn3DsqdnWvLB3l3W6kvIuP+75SrMNeYAcU8PI1+bzLcA
+G3VN3jA78zeKALgynUNH50mxuiiU3DO4DZ+p5QIDAQABAoIBAH7ENbE+9+nkPyMx
+hekaBPVmSz7b3/2iaTNWmckmlY5aSX3LxejtH3rLBjq7rihWGMXJqg6hodcfeGfP
+Zb0H2AeKq1Nlac7qq05XsKGRv3WXs6dyO1BDkH/Minh5dk1o0NrwEm91kXLSLfe8
+IsCwxPCjwgfGFTjpFLpL4zjA/nFmWRyk2eyvs5VYRGKbbC83alUy7LutyRdZfw1b
+nwXldw2m8k/HPbGhaAqPpXTOjckIXZS5Dcp3smrOzwObZ6c3gQzg8upaRmxJVOmk
+cgCFTe0yUB2GMTEE3SUmuWJyZqECoyQtuiu0yT3igH8MZQpjg9NXm0eho/bXjN36
+frH+ikUCgYEA7VdCRcisnYWct29j+Bnaio9yXwwxhfoee53a4LQgjw5RLGUe1mXe
+j56oZ1Mak3Hh55sVQLNXZBuXHQqPsr7KkWXJXedDNFfq1u6by4LeJV0YYiDjjaCM
+T5G4Tcs7xhBWszLMCjhpJCrwHdGk3aa65UQ+angZlxhyziULCjpb5rMCgYEA3GUb
+VkqlVuNkHoogOMwg+h1jUSkwtWvP/z/FOXrKjivuwSgQ+i6PsildI3FL/WQtJxgd
+arB+l0L8TZJ6spFdNXwGmdCLqEcgEBYl11EojOXYLa7oLONI41iRQ3/nBBIqC38P
+Cs6CZQG/ZpKSoOzXE34BwcrOL99MA2oaVpGHuQcCgYA1IIk3Mbph8FyqOwb3rGHd
+Dksdt48GXHyiUy2BixCWtS+6blA+0cLGB0/PAS07wAw/WdmiCAMR55Ml7w1Hh6m0
+bkJrAK9schmhTvwUzBCJ8JLatF37f+qojQfichHJPjMKHd7KkuIGNI5XPmxXKVFA
+rMwD7SpdRh28w1H7UiDsPQKBgGebnFtXohyTr2hv9K/evo32LM9ltsFC2rga6YOZ
+BwoI+yeQx1JleyX9LgzQYTHQ2y0quAGE0S4YznVFLCswDQpssMm0cUL9lMQbNVTg
+kViTYKoxNHKNsqE17Kw3v4l5ZIydAZxJ8qC7TphQxV+jl4RRU1AgIAf/SEO+qH0T
+0yMXAoGBAN+y9QpGnGX6cgwLQQ7IC6MC+3NRed21s+KxHzpyF+Zh/q6NTLUSgp8H
+dBmeF4wAZTY+g/fdB9drYeaSdRs3SZsM7gMEvjspjYgE2rV/5gkncFyGKRAiNOR4
+bsy1Gm/UYLTc8+S3fq/xjg9RCjW9JMwavAwL6oVNNt7nyAXPfvSu
+-----END RSA PRIVATE KEY-----
diff --git a/offline_signing/devel.pub.pem b/offline_signing/devel.pub.pem
new file mode 100644
index 0000000000..ccee9ee90b
--- /dev/null
+++ b/offline_signing/devel.pub.pem
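Review bot: Nothing in the tree marks devel.key.pem as a public, development-only key, even though sign.sh hands it to core_sign_update right next to prod-2.key.pem under the same `--private_keys` option. Once a private key is committed, every signature it produces proves nothing, so a verifier must never be configured to trust devel.pub.pem outside a throwaway test setup; PEM has no comment syntax, so that warning belongs in a README in offline_signing/. Because new_key.sh writes `NAME.key.pem` into the working directory, which is this same directory when the scripts are run as documented, add a `.gitignore` next to them with `*.key.pem` and `!devel.key.pem` so a freshly generated production key cannot be committed by the same path that this devel key took.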
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzFS5uVJ+pgibcFLD3kbY
+k02Edj0HXq31ZT/Bva1sLp3Ysv+QTv/ezjf0gGFfASdgpz6G+zTipS9AIrQr0yFR
++tdp1ZsHLGxVwvUoXFftdapqlyj8uQcWjjbN7qJsZu0Ett/qo93hQ5nHW7Sv5dRm
+/ZsDFqk2Uvyaoef4bF9r03wYpZq7K3oALZ2smETv+A5600mj1Xg5M52QFU67UHls
+EFkZphrGjiqiCdp9AAbAvE7a5rFcJf86YR73QX08K8BX7OMzkn3DsqdnWvLB3l3W
+6kvIuP+75SrMNeYAcU8PI1+bzLcAG3VN3jA78zeKALgynUNH50mxuiiU3DO4DZ+p
+5QIDAQAB
+-----END PUBLIC KEY-----
diff --git a/offline_signing/download.sh b/offline_signing/download.sh
new file mode 100755
index 0000000000..7363fbf034
--- /dev/null
+++ b/offline_signing/download.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+VERSION="$1"
+GS="gs://builds.release.core-os.net/alpha/boards/amd64-usr/$VERSION"
+
+cd "${2:-.}"
+
+gsutil cp \
+ "${GS}/coreos_production_update.bin.bz2" \
+ "${GS}/coreos_production_update.bin.bz2.sig" \
+ "${GS}/coreos_production_update.zip" \
+ "${GS}/coreos_production_update.zip.sig" ./
+
+gpg --verify "coreos_production_update.bin.bz2.sig"
+gpg --verify "coreos_production_update.zip.sig"
diff --git a/offline_signing/new_key.sh b/offline_signing/new_key.sh
new file mode 100755
index 0000000000..f4a755c4c3
--- /dev/null
+++ b/offline_signing/new_key.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -ex
+KEY="$1"
+openssl genrsa -rand /dev/random -out "${KEY}.key.pem" 2048
+openssl rsa -in "${KEY}.key.pem" -pubout -out "${KEY}.pub.pem"
diff --git a/offline_signing/print_key.sh b/offline_signing/print_key.sh
new file mode 100755
index 0000000000..8a8253d0c2
--- /dev/null
+++ b/offline_signing/print_key.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# If there is no default printer use ./print_key.sh prod-2 -d printer_name
+# List available printers with lpstat -a
+
+set -ex
+KEY="$1"
+shift
+qrencode -8 -o - < "${KEY}.key.pem" | lp -E -o fit-to-page "$@"
diff --git a/offline_signing/sign.sh b/offline_signing/sign.sh
new file mode 100755
index 0000000000..9e77a6f5f3
--- /dev/null
+++ b/offline_signing/sign.sh
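Review bot: The two `gpg --verify` calls at the end of download.sh accept a good signature from any key in the invoking user's default keyring, so they pin nothing about who signed the payload; an unrelated key that happens to have been imported on this machine passes just as well as the build key. Verify against a keyring that holds only the expected signer, e.g. `gpg --no-default-keyring --keyring "${KEYRING}" --verify "coreos_production_update.bin.bz2.sig"`, or check the signer fingerprint from `--status-fd` output. `VERSION="$1"` is also used unvalidated: with no argument, `GS` ends in a trailing slash and the copy fails (or fetches the wrong object) with a gsutil error rather than a usage message, so `: "${1:?usage: download.sh VERSION [DIR]}"` before that line gives a clear failure.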
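Review bot: `openssl genrsa -out "${KEY}.key.pem"` in new_key.sh overwrites an existing key silently, so re-running `./new_key.sh prod-2` by mistake replaces the production key that sign.sh and print_key.sh reference by that name; guard it with `[[ -e "${KEY}.key.pem" ]] && { echo "refusing to overwrite ${KEY}.key.pem" >&2; exit 1; }`. The key file is created under the caller's umask, so with a typical 022 umask the private key may end up world-readable — put `umask 077` before the genrsa line (whether the installed openssl tightens the mode itself is version-dependent; confirm rather than rely on it). `KEY="$1"` is unchecked, so a missing argument yields a key named `.key.pem`; `: "${1:?usage: new_key.sh NAME}"` catches that.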
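Review bot: The `lp` pipeline on the last line of print_key.sh hands the raw private key to the print spooler, which writes the job data to its spool directory and may retain it there (CUPS job preservation settings), and then to a printer that may buffer jobs itself; `-E` only encrypts the connection to the CUPS server and protects none of that. The two header comments cover printer selection but not this, and the operator needs it to choose a directly attached printer on the offline host and to purge the spool afterwards. Add above `set -ex`: `# WARNING: the PEM private key passes through the print spooler in the clear; use a directly attached printer on the offline host and purge the CUPS spool (and any printer-side job storage) afterwards. -E only protects the link to cupsd.`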
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -ex
+DATA_DIR="$1"
+
+gpg --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig"
+gpg --verify "${DATA_DIR}/coreos_production_update.zip.sig"
+bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2"
+unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}"
+
+export PATH="${DATA_DIR}:${PATH}"
+
+core_sign_update \
+ --image "${DATA_DIR}/coreos_production_update.bin" \
+ --output "${DATA_DIR}/update.gz" \
+ --private_keys "devel.key.pem:prod-2.key.pem" \
+ --public_keys "devel.pub.pem:prod-2.pub.pem"
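Review bot: `export PATH="${DATA_DIR}:${PATH}"` puts the directory just unpacked from the downloaded zip ahead of every system directory, so `core_sign_update` and anything it runs by bare name — including openssl, if the archive happens to carry one — is taken from the payload rather than the host, and the only thing standing between that and running attacker-supplied binaries on the machine holding the production key is the `gpg --verify` above, which exits 0 for a good signature from any key in the keyring. Invoke the tool by path, `"${DATA_DIR}/core_sign_update"`, and if it needs sibling binaries from the archive, append `${DATA_DIR}` to PATH instead of prepending it so host binaries still win. The `--private_keys`/`--public_keys` arguments are cwd-relative, so the script only works when run from offline_signing/; resolving `DATA_DIR="$(cd "$1" && pwd)"` and then `cd "$(dirname "$0")"` would make that explicit rather than failing on a missing key file partway through.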