diff --git a/bin/pkidb-browser b/bin/pkidb-browser index f44c0ed..22d713d 100755 --- a/bin/pkidb-browser +++ b/bin/pkidb-browser @@ -4,7 +4,6 @@ pkidb_browser() { set -eo pipefail; shopt -s inherit_errexit local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..") - PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin") source "$pkgroot/common.sh" DOC="pkidb-browser - Exclusively manage Browser CAs @@ -22,7 +21,7 @@ printf "%s\n" "${DOC:47:37}" >&2;exit 1;}';local varnames=(FINGERPRINT) varname for varname in "${varnames[@]}"; do unset "var_$varname";done;parse 1 "$@" local p=${DOCOPT_PREFIX:-''};for varname in "${varnames[@]}"; do unset \ "$p$varname";done;if declare -p var_FINGERPRINT >/dev/null 2>&1; then eval \ -$p'FINGERPRINT=("${var_FINGERPRINT[@]}")';else eval $p'FINGERPRINT=()';fi;eval +$p'FINGERPRINT=("${var_FINGERPRINT[@]}")';else eval $p'FINGERPRINT=()';fi;eval local docopt_i=1;[[ $BASH_VERSION =~ ^4.3 ]] && docopt_i=2;for \ ((;docopt_i>0;docopt_i--)); do for varname in "${varnames[@]}"; do declare -p \ "$p$varname";done;done;} diff --git a/bin/pkidb-ca b/bin/pkidb-ca index e20ec6c..bb75195 100755 --- a/bin/pkidb-ca +++ b/bin/pkidb-ca @@ -4,7 +4,6 @@ pkidb_ca() { set -eo pipefail; shopt -s inherit_errexit local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..") - PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin") source "$pkgroot/common.sh" DOC="pkidb-ca - Retrieve a CA certificate using the SHA-256 fingerprint diff --git a/bin/pkidb-client-krl b/bin/pkidb-client-krl index 5b48892..51a3577 100755 --- a/bin/pkidb-client-krl +++ b/bin/pkidb-client-krl 
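Review bot: With the `path_prepend` line gone, every command these scripts still invoke by bare name resolves through whatever PATH the invoking shell passes in rather than through `$pkgroot/.upkg/.bin`; the diff rewires `checkdeps` and `step` to explicit paths, but whether any other upkg-provided tool is still called by bare name elsewhere in common.sh or the bin/ scripts is not visible here and is worth a grep before merge. The same hunk appears in pkidb-ca, pkidb-client-krl, pkidb-crl, pkidb-k8s-secrets, pkidb-os, pkidb-pam, pkidb-sshd and pkidb-step. Resolving tools by explicit `$pkgroot` path is the safer direction, since the scripts no longer depend on an inherited PATH to pick the right binary; a one-line comment above `source "$pkgroot/common.sh"`, `# upkg tools are invoked by explicit $pkgroot/.upkg/.bin path; PATH is left untouched on purpose`, would record that intent for the next maintainer. The enclosing function pkidb_browser starts before this hunk and continues past it.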
@@ -4,7 +4,6 @@ pkidb_client_krl() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
- PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 DOC="pkidb-client-krl - Retrieve a CMS signed KRL and verify it against CAs
diff --git a/bin/pkidb-crl b/bin/pkidb-crl
index 396635f..c3f1bd5 100755
--- a/bin/pkidb-crl
+++ b/bin/pkidb-crl
@@ -4,7 +4,6 @@ pkidb_crl() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
- PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 DOC="pkidb-crl - Retrieve a CRL and verify it against CAs
diff --git a/bin/pkidb-k8s-secrets b/bin/pkidb-k8s-secrets
index 488d2d2..75fc870 100755
--- a/bin/pkidb-k8s-secrets
+++ b/bin/pkidb-k8s-secrets
@@ -4,7 +4,6 @@ pkidb_k8s_secrets() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
- PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 DOC="pkidb-k8s-secrets - Retrieve CAs via fingerprint and create k8s secrets from them
 Usage:
diff --git a/bin/pkidb-os b/bin/pkidb-os
index b27528a..2084ef0 100755
--- a/bin/pkidb-os
+++ b/bin/pkidb-os
@@ -4,7 +4,6 @@ pkidb_os() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
- PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 DOC="pkidb-os - Exclusively manage OS local CAs (/usr/local/share-ca-certificates)
@@ -22,7 +21,7 @@ printf "%s\n" "${DOC:78:32}" >&2;exit 1;}';local varnames=(FINGERPRINT) varname for varname in "${varnames[@]}"; do unset "var_$varname";done;parse 1 "$@" local p=${DOCOPT_PREFIX:-''};for varname in "${varnames[@]}"; do unset \ "$p$varname";done;if declare -p var_FINGERPRINT >/dev/null 2>&1; then eval \ -$p'FINGERPRINT=("${var_FINGERPRINT[@]}")';else eval $p'FINGERPRINT=()';fi;eval +$p'FINGERPRINT=("${var_FINGERPRINT[@]}")';else eval $p'FINGERPRINT=()';fi;eval local docopt_i=1;[[ $BASH_VERSION =~ ^4.3 ]] && docopt_i=2;for \ ((;docopt_i>0;docopt_i--)); do for varname in "${varnames[@]}"; do declare -p \ "$p$varname";done;done;} diff --git a/bin/pkidb-pam b/bin/pkidb-pam index bf5aa2b..8d9c898 100755 --- a/bin/pkidb-pam +++ b/bin/pkidb-pam @@ -4,7 +4,6 @@ pkidb_pam() { set -eo pipefail; shopt -s inherit_errexit local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..") - PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin") source "$pkgroot/common.sh" DOC="pkidb-pam - Exclusively manage PAM CAs and cache CRLs diff --git a/bin/pkidb-sshd b/bin/pkidb-sshd index 6484a25..eae1583 100755 --- a/bin/pkidb-sshd +++ b/bin/pkidb-sshd @@ -4,7 +4,6 @@ pkidb_sshd() { set -eo pipefail; shopt -s inherit_errexit local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..") - PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin") source "$pkgroot/common.sh" DOC="pkidb-sshd - Manage client CAs for openssh-server and renew its hostkey diff --git a/bin/pkidb-step b/bin/pkidb-step index 871d1d5..9ce05f3 100755 --- a/bin/pkidb-step +++ b/bin/pkidb-step 
@@ -4,14 +4,13 @@ pkidb_step() {
 set -eo pipefail; shopt -s inherit_errexit
 local pkgroot; pkgroot=$(realpath "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/..")
- PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
 source "$pkgroot/common.sh"
 check_all_deps
 [[ -n $STEP_ROOT_FP ]] || fatal "\$STEP_ROOT_FP is not defined"
 export STEP_URL
 STEP_URL=$(LOGLEVEL=warning "$pkgroot/bin/pkidb-ca" "$STEP_ROOT_FP" | get_subject_field "2.5.4.87" url)
- exec step "$@"
+ exec "$pkgroot/.upkg/.bin/step" "$@"
 }
 pkidb_step "$@"
diff --git a/bin/sign-dev-tls-cert b/bin/sign-dev-tls-cert
index 00cbe53..b68eaf2 100755
--- a/bin/sign-dev-tls-cert
+++ b/bin/sign-dev-tls-cert
@@ -55,7 +55,7 @@ for varname in "${varnames[@]}"; do declare -p "$p$varname";done;done;}
 fi
 # shellcheck disable=2154
 if [[ ! -e key.pem || ! -e bundle.pem ]] || $domains_changed || $__force_renewal || \
- STEP_SKIP_P11_KIT=true pkidb-step certificate needs-renewal --expires-in=100% bundle.pem 2>&1 | LOGPROGRAM=step pipe_info; then
+ STEP_SKIP_P11_KIT=true "$pkgroot/bin/pkidb-step" certificate needs-renewal --expires-in=100% bundle.pem 2>&1 | LOGPROGRAM=step pipe_info; then
 # Certificate does not exist or has expired, we must authenticate with a YubiKey
 export STEP_PIN_DESC="${FQDN} must be issued/renewed. To do that \`step\` needs to authenticate to step-ca with your YubiKey #%s"
 local domain san_opts=()
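Review bot: The new `exec "$pkgroot/.upkg/.bin/step" "$@"` runs unconditionally after `STEP_URL=$(... | get_subject_field "2.5.4.87" url)`, so a CA whose subject lacks that attribute leaves STEP_URL empty and step is exec'd with an empty exported STEP_URL; `pipefail` only catches a failing pipeline stage, not an empty result. A guard between the assignment and the exec, `[[ -n $STEP_URL ]] || fatal "Unable to determine the step-ca URL from CA %s" "$STEP_ROOT_FP"`, reports the problem in this script where the fingerprint is known instead of as a confusing failure inside step. Whether get_subject_field already exits non-zero on a missing field cannot be confirmed from this diff.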
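Review bot: The literal `"$pkgroot/bin/pkidb-step"` is now spelled out in this hunk and four more times in the following one (`@@ -63,10 +63,10 @@`); a single `local pkidb_step=$pkgroot/bin/pkidb-step` near the top of the enclosing function, then `STEP_SKIP_P11_KIT=true "$pkidb_step" certificate needs-renewal ...` at each call site, leaves one place to change if the layout moves again. The explicit path is the right call, since the wrapper is no longer picked up from an inherited PATH. The enclosing function starts before the hunk, so whether `pkgroot` is set there the way the other bin/ scripts do (`local pkgroot; pkgroot=$(realpath ...)`) cannot be confirmed here; the calls run inside the `( … )` subshell closed at the end of the next hunk, where such a local is still visible.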
@@ -63,10 +63,10 @@ for varname in "${varnames[@]}"; do declare -p "$p$varname";done;done;}
 [[ $domain = *.local ]] || fatal "The SAN '%s' must be a .local domain" "$domain"
 san_opts+=(--san "$domain")
 done
- pkidb-step ca certificate "${san_opts[@]}" --force "$FQDN" bundle.pem key.pem
- elif STEP_SKIP_P11_KIT=true pkidb-step certificate needs-renewal --expires-in=50% bundle.pem 2>&1 | LOGPROGRAM=step pipe_info; then
+ "$pkgroot/bin/pkidb-step" ca certificate "${san_opts[@]}" --force "$FQDN" bundle.pem key.pem
+ elif STEP_SKIP_P11_KIT=true "$pkgroot/bin/pkidb-step" certificate needs-renewal --expires-in=50% bundle.pem 2>&1 | LOGPROGRAM=step pipe_info; then
 # Certificate is still valid. Renew without having to ask for YubiKey access.
- STEP_SKIP_P11_KIT=true pkidb-step ca renew --force bundle.pem key.pem 2>&1 | LOGPROGRAM=step pipe_info
+ STEP_SKIP_P11_KIT=true "$pkgroot/bin/pkidb-step" ca renew --force bundle.pem key.pem 2>&1 | LOGPROGRAM=step pipe_info
 fi
 )
 }
diff --git a/common.sh b/common.sh
index be325dd..0d37688 100644
--- a/common.sh
+++ b/common.sh
@@ -8,7 +8,7 @@ source "$pkgroot/.upkg/collections.sh/collections.sh"
 [[ -n "$PKIDBURL" ]] || fatal "\$PKIDBURL is not set, unable to continue."
 check_all_deps() {
- checkdeps openssl curl
+ "$pkgroot/.upkg/.bin/checkdeps" openssl curl
 }
 get_ca_url() {
diff --git a/k8s-secrets/Dockerfile b/k8s-secrets/Dockerfile
index 0b2cd68..13092d5 100644
--- a/k8s-secrets/Dockerfile
+++ b/k8s-secrets/Dockerfile
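Review bot: `check_all_deps` now calls `"$pkgroot/.upkg/.bin/checkdeps"`, but `pkgroot` is not defined in common.sh; the context line `source "$pkgroot/.upkg/collections.sh/collections.sh"` shows the file already relies on the sourcing script's `local pkgroot`, so the new call only works while `check_all_deps` is invoked from a scope where that local is still live (bash dynamic scoping). The bin/ scripts use `set -eo pipefail` without `-u`, so an unset `pkgroot` would degrade into a `/.upkg/.bin/checkdeps: No such file or directory` error rather than a clear message; adding `: "${pkgroot:?check_all_deps must be called from a script that sets pkgroot}"` as the function's first line makes the requirement explicit. A short header comment on the function stating that dependency would also help, since common.sh is shared by every script in the diff.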
@@ -11,9 +11,9 @@ RUN wget -q "https://dl.k8s.io/release/v1.27.4/bin/linux/amd64/kubectl" && \
 WORKDIR /pkidb-tools
 COPY common.sh k8s-secrets/upkg.json /pkidb-tools/
 COPY --chmod=0755 bin/pkidb-k8s-secrets bin/pkidb-ca /pkidb-tools/
-RUN bash -ec 'u=https://github.com/orbit-online/upkg/releases/download/v0.24.4/upkg-install.tar.gz;\
+RUN bash -ec 'u=https://github.com/orbit-online/upkg/releases/download/v0.26.3/upkg-install.tar.gz;\
 t=$(mktemp); trap "rm \"$t\"" EXIT;wget -qO"$t" "$u" || curl -fsLo"$t" "$u";\
-shasum -a 256 -c <(echo "4398bebb91fbf9103b44ffb415e66bc3c7c99522cae27535b2050054869bfbb7 $t");\
+shasum -a 256 -c <(echo "ae99b32cd7cd97a8d102999c8c87bc40844bf9994925dd432b8c0347bb23dc46 $t");\
 tar xzC /usr/local -f "$t"'
 ENTRYPOINT ["/pkidb-tools/pkidb-k8s-secrets"]
diff --git a/upkg.json b/upkg.json
index e601149..8fcb309 100644
--- a/upkg.json
+++ b/upkg.json
@@ -13,17 +13,13 @@
 "tar": "https://github.com/orbit-online/collections.sh/releases/download/v1.0.0/collections.sh.tar.gz",
 "sha256": "ca741323c2bd77f547fa9aea41050d85dfc5f1ce3ff42f73b7a12f7c90b9be2e"
 },
- {
- "tar": "https://github.com/orbit-online/path-tools/releases/download/v1.0.0/path-tools.tar.gz",
- "sha256": "2ae2a98714aa81e2142b749dac9ecdb61e050e66bf8bd33aef0fccb2ce66c84b"
- },
 {
 "tar": "https://github.com/andsens/docopt.sh/releases/download/v2.0.1/docopt-lib.sh.tar.gz",
 "sha256": "539053da8b3063921b8889dbe752279e3a215d8fa3e2550d6521e094981f26a2"
 },
 {
- "tar": "https://github.com/orbit-online/smallstep-wrapper/releases/download/v3.0.3/smallstep-wrapper.tar.gz",
- "sha256": "d99f510d8ae2d172b801e430aed1e12b71cfde5bd6f326cf670c1d148b2970c5"
+ "tar": "https://github.com/orbit-online/smallstep-wrapper/releases/download/v3.0.4/smallstep-wrapper.tar.gz",
+ "sha256": "cfe7381536227c06db3c8ddc8be9efd81166df2d5f2deec2dc239b37e743ee67"
 }
 ]
 }