From cafd3fe0117eea2198c9f7ebfcc62f52f2b38372 Mon Sep 17 00:00:00 2001
From: Marcel Pennewiss
Date: Sat, 23 Jan 2016 16:43:19 +0100
Subject: [PATCH] Add option to insert secret via keyboard input to prevent storing privat key on server.

This did not break current behaviour and makes secret file optional. Also write variable "secret" in lowercase just like any other variable.
---
 contrib/sign.sh | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/contrib/sign.sh b/contrib/sign.sh
index 0923b2dc..ea9405a9 100755
--- a/contrib/sign.sh
+++ b/contrib/sign.sh
@@ -2,17 +2,19 @@
 set -e
-if [ $# -ne 2 -o "-h" = "$1" -o "--help" = "$1" -o ! -r "$1" -o ! -r "$2" ]; then
+if [ $# -eq 0 -o $# -gt 2 -o "-h" = "$1" -o "--help" = "$1" -o ! -r "$1" -o \( $# -eq 2 -a ! -r "$2" \) ]; then
 cat <
+Usage: $0 []
 sign.sh adds lines to a manifest to indicate the approval
 of the integrity of the firmware as required for automated
-updates. The first argument references a file harboring
-the private key of a public-private key pair of a developer
-that referenced by its public key in the site configuration.
-The script may be performed multiple times to the same document
-to indicate an approval by multiple developers.
+updates. The first optional argument references a
+file harboring the private key of a public-private key pair
+of a developer that referenced by its public key in the site
+configuration. If this parameter is missing, you will be
+asked to type in secret key. The script may be performed
+multiple times to the same document to indicate an approval
+by multiple developers.
 See also
 * edcsautils on https://github.com/tcatm/ecdsautils
@@ -21,9 +23,17 @@ EOHELP
 exit 1
 fi
-SECRET="$1"
+if [ $# -eq 1 ]; then
+ stty -echo
+ read -p "Type in secret key: " secret
+ stty echo
+ echo
+ manifest="$1"
+else
+ secret="$1"
+ manifest="$2"
+fi
-manifest="$2"
 upper="$(mktemp)"
 lower="$(mktemp)"
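Review bot: The rewritten argument check in the first hunk's `if` still folds six conditions into a single `[ … ]` joined with `-a`/`-o`, which POSIX marks obsolescent and which `[` can misparse when a user-supplied argument itself looks like an operator (a manifest named `!` or `=`, for instance); one `[ … ]` per condition joined with `||` removes that ambiguity and makes the one-versus-two-argument rule readable, as sketched below. The added `\( … \)` grouping additionally depends on the implementation accepting more than four operands. The new help text also carries a small wording slip, `asked to type in secret key` should read `asked to type in the secret key`, and `of a developer that referenced` (inherited from the old text) should be `that is referenced`. The `if` body — the help here-document and `exit 1` — ends outside this hunk.
```shell
# Exactly one (manifest) or two (secret file, manifest) readable arguments;
# one [ ] per condition so an argument that looks like an operator cannot
# be misparsed through -a/-o.
bad_args=0
[ $# -eq 1 ] || [ $# -eq 2 ] || bad_args=1
[ "$1" != "-h" ] && [ "$1" != "--help" ] || bad_args=1
[ -r "$1" ] || bad_args=1
[ $# -ne 2 ] || [ -r "$2" ] || bad_args=1
if [ "$bad_args" -ne 0 ]; then
# … unchanged: help text here-document and exit 1 …
```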
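Review bot: In the second hunk, if `read` is interrupted (Ctrl-C, or EOF on stdin) the script exits under `set -e` before `stty echo` runs and leaves the user's terminal with echo disabled; install the restore as a trap before switching echo off, `trap 'stty echo' EXIT INT TERM`, and keep the explicit `stty echo` afterwards for the normal path. The `read` should use `-r` so backslashes in the typed key are taken literally, and `-p` is a bash extension — if this script runs under `#!/bin/sh` (dash, busybox) it fails, whereas `printf 'Type in secret key: ' >&2` followed by `read -r secret` is portable. Both `stty` calls assume stdin is a terminal; when the manifest is signed from a pipeline or CI job they fail and `set -e` aborts the script, which may be intended but deserves a comment such as `# interactive key entry requires a tty; pass the key file instead when scripted`. The `if`/`else` that assigns `secret` and `manifest` is complete within this hunk.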
@@ -35,7 +45,11 @@ awk 'BEGIN { sep=0 }
 else print > "'"$lower"'"}' \
 "$manifest"
-ecdsasign "$upper" < "$SECRET" >> "$lower"
+if [ $# -eq 1 ]; then
+ echo "$secret" | ecdsasign "$upper" >> "$lower"
+else
+ ecdsasign "$upper" < "$secret" >> "$lower"
+fi
 (
 cat "$upper"
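Review bot: `echo "$secret"` hands the key to `ecdsasign` through a command whose treatment of a leading `-n`/`-e` and of backslash sequences differs between shells, so a key containing such bytes would be altered silently before signing; `printf '%s\n' "$secret" | ecdsasign "$upper" >> "$lower"` passes it through unchanged. Feeding the key on stdin rather than as an argument is the right choice, since argv is visible to other users via `ps`. The branch here re-derives the keyboard-versus-file case from `$#`, and `secret` holds the typed key in one branch and a file path in the other; a comment `# secret is the typed key when only the manifest was given, else the key file path` would spare a reader the trip back to the assignment. The `(` subshell opened on the last line of the hunk continues past it.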