Add option to insert secret via keyboard input to prevent storing privat key on server. This did not break current behaviour and makes secret file optional. Also write variable "secret" in lowercase just like any other variable.

contrib/sign.sh

@@ -2,17 +2,19 @@
 
 set -e
 
-if [ $# -ne 2 -o "-h" = "$1" -o "--help" = "$1" -o ! -r "$1" -o ! -r "$2" ]; then
+if [ $# -eq 0 -o $# -gt 2 -o "-h" = "$1" -o "--help" = "$1" -o ! -r "$1" -o \( $# -eq 2 -a ! -r "$2" \) ]; then
 	cat <<EOHELP
-Usage: $0 <secret> <manifest>
+Usage: $0 [<secret>] <manifest>
 
 sign.sh adds lines to a manifest to indicate the approval
 of the integrity of the firmware as required for automated
-updates. The first argument <secret> references a file harboring
-the private key of a public-private key pair of a developer
-that referenced by its public key in the site configuration.
-The script may be performed multiple times to the same document
-to indicate an approval by multiple developers.
+updates. The first optional argument <secret> references a
+file harboring the private key of a public-private key pair
+of a developer that referenced by its public key in the site
+configuration. If this parameter is missing, you will be
+asked to type in secret key. The script may be performed
+multiple times to the same document to indicate an approval
+by multiple developers.
 
 See also
  * edcsautils on https://github.com/tcatm/ecdsautils
@@ -21,9 +23,17 @@ EOHELP
 	exit 1
 fi
 
-SECRET="$1"
+if [ $# -eq 1 ]; then
+	stty -echo
+	read -p "Type in secret key: " secret
+	stty echo
+	echo
+	manifest="$1"
+else
+	secret="$1"
+	manifest="$2"
+fi
 
-manifest="$2"
 upper="$(mktemp)"
 lower="$(mktemp)"
 
@@ -35,7 +45,11 @@ awk 'BEGIN    { sep=0 }
                 else       print > "'"$lower"'"}' \
     "$manifest"
 
-ecdsasign "$upper" < "$SECRET" >> "$lower"
+if [ $# -eq 1 ]; then
+	echo "$secret" | ecdsasign "$upper" >> "$lower"
+else
+	ecdsasign "$upper" < "$secret" >> "$lower"
+fi
 
 (
 	cat  "$upper"