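#!/usr/bin/env bash
# Generate an Ed25519 keypair for firmware signing.
#
# Usage: <this script> [OUT_DIR]   (OUT_DIR defaults to the current directory)
#
# Output:
#   firmware-signing.key (private, PKCS8 PEM, 0600)
#   firmware-signing.pub (public, SPKI PEM, 0644)
#
# Use cases:
# 1. Local dev: drop the .key into the server's dataDir
#    (/var/lib/betterframe/firmware-signing.key) — server picks it up on
#    next boot. The server auto-generates one if missing, this script is
#    only needed when you want a reproducible / shared key.
# 2. Cloud deploy: paste the .key content into the
#    BF_FIRMWARE_SIGNING_KEY env var on your hosting platform (Coolify,
#    k8s secret, GitHub Actions secret, etc.). The server detects the env
#    var and prefers it over the on-disk file.
#
# Pinning on kiosks: the public key gets shipped to kiosks via the
# /api/kiosk/firmware/check response — no manual distribution needed.
#
# Exit status: 0 on success; 1 if openssl is missing, an output file
# already exists, or key generation fails.

set -euo pipefail

# Print an error message to stderr and exit with status 1.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Fail early with a clear message instead of a "command not found" mid-run.
command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

OUT_DIR="${1:-.}"
mkdir -p -- "$OUT_DIR"

priv="$OUT_DIR/firmware-signing.key"
pub="$OUT_DIR/firmware-signing.pub"

# Never clobber an existing key: a signing key that is silently replaced
# would invalidate every firmware image signed with the old one.
if [[ -e "$priv" || -e "$pub" ]]; then
  die "$priv or $pub already exists. Refusing to overwrite."
fi

# If any step below fails (set -e aborts), remove whatever was partially
# written so the next run is not refused by the overwrite check above
# because of a truncated or empty key file.
cleanup_on_error() {
  rm -f -- "$priv" "$pub"
}
trap cleanup_on_error ERR

# openssl creates its output file with the current umask, so with a
# typical 022 umask the private key would be world-readable until the
# chmod below runs. Tighten the umask first so the file is created 0600
# from the start; the explicit chmod then just pins the documented mode.
umask 077
openssl genpkey -algorithm Ed25519 -out "$priv"
chmod 600 -- "$priv"

# The public key is meant to be distributed; 0644 is the documented mode
# (it was created 0600 under the tightened umask, so restore it here).
openssl pkey -in "$priv" -pubout -out "$pub"
chmod 644 -- "$pub"

printf 'wrote: %s\n' "$priv"
printf 'wrote: %s\n' "$pub"
printf '\n'
printf 'To use in cloud:\n'
printf ' set BF_FIRMWARE_SIGNING_KEY environment variable to the contents of %s\n' "$priv"
printf '\n'
printf 'To use locally:\n'
printf ' install %s to /var/lib/betterframe/firmware-signing.key (mode 0600)\n' "$priv"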