sign.sh 1.02 KiB
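    #!/bin/sh
    #
    # sign.sh <secret> <manifest>
    #
    # Adds a developer's signature line to a firmware manifest.
    #   <secret>   file holding the developer's private key
    #   <manifest> manifest file; it is rewritten in place
    # Needs ecdsasign on PATH (see the usage text below).

    set -e

    # Show the usage text and stop unless exactly two readable files were given,
    # or when help was asked for. Each condition is its own [ ] joined with ||:
    # a single [ ] using -o is obsolescent in POSIX, and with this many operands
    # its result is unspecified when an argument looks like an operator
    # (for example a file named "!" or "(").
    if [ "$#" -ne 2 ] || [ "-h" = "$1" ] || [ "--help" = "$1" ] \
    	|| [ ! -r "$1" ] || [ ! -r "$2" ]; then
    	# Unquoted delimiter on purpose: $0 is expanded into the usage line.
    	cat <<EOHELP
    Usage: $0 <secret> <manifest>

    sign.sh adds lines to a manifest to indicate the approval
    of the integrity of the firmware as required for automated
    updates. The first argument <secret> references a file harboring
    the private key of a public-private key pair of a developer
    that referenced by its public key in the site configuration.
    The script may be performed multiple times to the same document
    to indicate an approval by multiple developers.

    See also
     * ecdsautils on https://github.com/tcatm/ecdsautils

    EOHELP
    	exit 1
    fi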
    
    
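    # Private key file of the signing developer. It is only ever opened as stdin
    # of ecdsasign below, so neither the key nor its path reaches that command's
    # argument list.
    # NOTE(review): nothing here checks the key file's permissions; keep it
    # readable by the signer only.
    SECRET="$1"
    manifest="$2"

    # Scratch files: "upper" receives the manifest lines before the first "---"
    # line (the part that gets signed), "lower" the lines after it (signature
    # lines that are already present).
    upper="$(mktemp)"
    lower="$(mktemp)"

    # Remove both scratch files on every exit path, including a set -e abort.
    # The trap also prints the cleanup command to stdout.
    trap 'echo rm -f "$upper" "$lower"; rm -f "$upper" "$lower"' EXIT

    # Split the manifest at its separator. The scratch paths are handed over with
    # -v instead of being pasted into the awk program text, so a quote character
    # in a path (TMPDIR is caller-controlled) cannot end the string literal and
    # change what awk executes. Every "---" line is dropped; one is written back
    # when the manifest is reassembled.
    awk -v upper="$upper" -v lower="$lower" '
        BEGIN   { sep = 0 }
        /^---$/ { sep = 1; next }
                { if (sep == 0) print > upper; else print > lower }
    ' "$manifest"

    # Sign the upper part with the key read from stdin and append whatever
    # ecdsasign prints to the signature section. Under set -e a failing
    # ecdsasign stops the script here, before the manifest is touched.
    ecdsasign "$upper" < "$SECRET" >> "$lower"

    # Reassemble the manifest in place: payload, separator, then all signature
    # lines. The redirect truncates the manifest before the copy, so this step
    # is not atomic; an interruption here leaves a partial manifest.
    {
    	cat "$upper"
    	echo ---
    	cat "$lower"
    } > "$manifest"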