Add option to insert secret via keyboard input to prevent storing privat key on server. This did not break current behaviour and makes secret file optional. Also write variable "secret" in lowercase just like any other variable.

contrib/sign.sh

@@ -2,17 +2,19 @@
 
 set -e
 
-if [ $# -ne 2 -o "-h" = "$1" -o "--help" = "$1" -o ! -r "$1" -o ! -r "$2" ]; then
+if [ $# -eq 0 -o $# -gt 2 -o "-h" = "$1" -o "--help" = "$1" -o ! -r "$1" -o \( $# -eq 2 -a ! -r "$2" \) ]; then
 	cat <<EOHELP
-Usage: $0 <secret> <manifest>
+Usage: $0 [<secret>] <manifest>
 
 sign.sh adds lines to a manifest to indicate the approval
 of the integrity of the firmware as required for automated
-updates. The first argument <secret> references a file harboring
+updates. The first optional argument <secret> references a
-the private key of a public-private key pair of a developer
+file harboring the private key of a public-private key pair
-that referenced by its public key in the site configuration.
+of a developer that referenced by its public key in the site
-The script may be performed multiple times to the same document
+configuration. If this parameter is missing, you will be
-to indicate an approval by multiple developers.
+asked to type in secret key. The script may be performed
+multiple times to the same document to indicate an approval
+by multiple developers.
 
 See also
  * edcsautils on https://github.com/tcatm/ecdsautils
@@ -21,9 +23,17 @@ EOHELP
 	exit 1
 fi
 
-SECRET="$1"
+if [ $# -eq 1 ]; then
-
+	stty -echo
+	read -p "Type in secret key: " secret
+	stty echo
+	echo
+	manifest="$1"
+else
+	secret="$1"
 	manifest="$2"
+fi
+
 upper="$(mktemp)"
 lower="$(mktemp)"
 
@@ -35,7 +45,11 @@ awk 'BEGIN    { sep=0 }
                 else       print > "'"$lower"'"}' \
     "$manifest"
 
-ecdsasign "$upper" < "$SECRET" >> "$lower"
+if [ $# -eq 1 ]; then
+	echo "$secret" | ecdsasign "$upper" >> "$lower"
+else
+	ecdsasign "$upper" < "$secret" >> "$lower"
+fi
 
 (
 	cat  "$upper"