archy/scripts/sign-catalog.sh


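#!/usr/bin/env bash
# One-step release-catalog signer.
#
# Run:  bash scripts/sign-catalog.sh
# Then: paste your 24-word release master mnemonic, press Enter, then Ctrl-D.
#
# What it does:
#   1. Locates the prebuilt signer binary and refuses to run it unless it, and
#      every directory between it and /tmp (or /), is owned by you or root and
#      is not writable by other users. The signer is handed the release master
#      mnemonic, so a binary that anyone else on the machine could swap out is
#      a key-theft risk.
#   2. Optionally checks the signer's SHA-256 against ARCHY_SIGNER_SHA256.
#   3. Runs `<signer> ceremony sign releases/app-catalog.json`, which signs the
#      catalog in place. The signer reads the mnemonic from stdin; this script
#      never captures it, stores it, or puts it on a command line, so it does
#      not land in shell history, `ps` output or Claude's context.
#   4. Checks that the catalog text now names the expected release-root key as
#      signer and carries a signature field. This is a sanity check on the JSON
#      text, NOT a cryptographic verification (see the note at the bottom).
#
# Optional environment overrides:
#   ARCHY_REPO           repo root (default: the fixed path below)
#   ARCHY_SIGNER_BIN     path to the prebuilt signer binary
#   ARCHY_SIGNER_SHA256  expected SHA-256 of the signer. Strongly recommended:
#                        the binary is built by the agent (Claude) under /tmp,
#                        so its integrity is the trust root of this ceremony.
#                        Compute the hash from a build you reviewed yourself.
#
# Exit status: 0 after a successful sign-and-check, or when the signer is not
# built yet (nothing changed); non-zero if the signer is untrusted, the catalog
# is missing, the signer fails, or the post-check fails.
set -euo pipefail

REPO="${ARCHY_REPO:-/home/archipelago/Projects/archy}"
CATALOG="$REPO/releases/app-catalog.json"
EXPECTED_DID="did:key:z6MkkidEnEpo6qHMCNSZoNKWtvQvxq3whnaME9wGgEFhq7ur"

# Use ONLY the prebuilt signer. If it isn't ready, stop cleanly — never compile
# here (compiling caused the earlier hangs). Claude builds it in the background.
BIN="${ARCHY_SIGNER_BIN:-/tmp/archy-sign-bin/release/archipelago}"
if [[ ! -x "$BIN" ]]; then
  echo "⏳ The signer isn't ready yet — Claude is still building it."
  echo " Wait until Claude says 'READY', then run this again. Nothing was changed."
  # NOTE(review): exit 0 here is the documented "stop cleanly" behaviour, but it
  # means `sign-catalog.sh && …` cannot tell "signed" from "signer not built".
  exit 0
fi

#######################################
# Refuse to continue if a path component could have been tampered with by
# another user: it must be owned by the current user or root, and must not be
# group- or world-writable. Symlinks given as the argument are followed (-H),
# so a symlink's own 0777 mode is not mistaken for a writable target.
# Arguments: $1 - absolute path to check
# Outputs:   error text on stderr
# Returns:   0 if trusted; exits 1 otherwise (fail closed, including when
#            find itself cannot inspect the path)
#######################################
refuse_if_untrusted() {
  local p="$1"
  if [[ -z "$(find -H "$p" -maxdepth 0 \( -user "$(id -un)" -o -user root \) 2>/dev/null)" ]]; then
    echo "❌ Refusing to run: $p is not owned by you (or root)." >&2
    echo " Someone else could swap the signer and capture the mnemonic. Rebuild it, then re-run." >&2
    exit 1
  fi
  if [[ -n "$(find -H "$p" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]]; then
    echo "❌ Refusing to run: $p is writable by other users." >&2
    echo " Run: chmod go-w \"$p\" and re-run." >&2
    exit 1
  fi
}

# The default signer lives under /tmp, which is world-writable. A symlinked
# signer is refused outright (it could be repointed at any binary); the
# directory chain is resolved with pwd -P so the real components get checked,
# and the walk stops at the sticky system temp dirs or /.
if [[ -L "$BIN" || ! -f "$BIN" ]]; then
  echo "❌ Refusing to run: $BIN must be a regular file, not a symlink." >&2
  exit 1
fi
BIN="$(cd "$(dirname -- "$BIN")" && pwd -P)/$(basename -- "$BIN")"
check_path="$BIN"
while [[ "$check_path" != "/" && "$check_path" != "/tmp" && "$check_path" != "/var/tmp" ]]; do
  refuse_if_untrusted "$check_path"
  check_path="$(dirname -- "$check_path")"
done

# Optional integrity pin. The ownership checks stop *other users* from swapping
# the binary; a pinned hash also catches a tampered build running as you.
if [[ -n "${ARCHY_SIGNER_SHA256:-}" ]]; then
  if command -v sha256sum >/dev/null 2>&1; then
    actual_sha256="$(sha256sum -- "$BIN" | cut -d' ' -f1)"
  else
    actual_sha256="$(shasum -a 256 -- "$BIN" | cut -d' ' -f1)"
  fi
  expected_sha256="$(printf '%s' "$ARCHY_SIGNER_SHA256" | tr '[:upper:]' '[:lower:]')"
  if [[ "$actual_sha256" != "$expected_sha256" ]]; then
    echo "❌ Refusing to run: signer SHA-256 mismatch." >&2
    echo " expected: $expected_sha256" >&2
    echo " actual:   $actual_sha256" >&2
    exit 1
  fi
fi

# Fail before prompting for the mnemonic if there is nothing to sign.
if [[ ! -f "$CATALOG" ]]; then
  echo "❌ Catalog not found: $CATALOG" >&2
  echo " Set ARCHY_REPO to the repo root if it is not at the default location." >&2
  exit 1
fi

# The mnemonic is meant to be typed/pasted at the terminal. Reading it from a
# pipe or file (e.g. `echo … | bash sign-catalog.sh`) voids the "never stored,
# never in shell history" property, so warn loudly but let a deliberate
# automation harness proceed.
if [[ ! -t 0 ]]; then
  echo "⚠️  stdin is not a terminal — the mnemonic is being read from a pipe or file." >&2
  echo " The 'never stored, never in shell history' guarantee does not hold this way." >&2
fi

# The mnemonic goes to the signer's stdin only — never as an argument, so it
# is not visible in `ps`, shell history or any trace of this script.
SIGN=("$BIN" ceremony sign "$CATALOG")
echo "════════════════════════════════════════════════════════════════"
echo " Paste your 24-word release master mnemonic below, press Enter,"
echo " then press Ctrl-D on a new line."
echo "════════════════════════════════════════════════════════════════"
rv=0
"${SIGN[@]}" || rv=$?
if (( rv != 0 )); then
  echo "❌ The signer exited with status $rv — the catalog may be unsigned or half-written." >&2
  echo " Do NOT commit. Check the mnemonic and re-run, or ask Claude." >&2
  exit "$rv"
fi

# Post-check: the catalog text must now name the expected release-root key as
# signer and carry a signature field. Fixed-string matching (-F) so the DID is
# never interpreted as a regex. This proves only that the expected strings are
# present, NOT that the signature is cryptographically valid over the current
# catalog contents — a real verify step (in CI, or via the signer if it has
# one) is still required before anything trusts this release. The match also
# depends on the signer's exact JSON spacing (`"signed_by": "…"`); if that
# formatting changes, this check fails closed rather than open.
echo
if grep -qF -- "\"signed_by\": \"$EXPECTED_DID\"" "$CATALOG" \
  && grep -qF -- '"signature":' "$CATALOG"; then
  echo "✅ SUCCESS — catalog signed by the correct release-root key."
  echo " Tell Claude \"signed\" and it will commit + push for you."
else
  echo "❌ Something is off — the catalog is NOT signed by the expected key." >&2
  echo " Expected signer: $EXPECTED_DID" >&2
  echo " Do NOT commit. Check the mnemonic and re-run, or ask Claude." >&2
  exit 1
fi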