AutoACCT/scripts/decrypt-key.sh
Knowit 56003b7f69 secrets: ship encrypted SA key, switch install to git-clone + decrypt
- secrets/bookkeeping-sa.json.enc: team service-account key, encrypted with
  AES-256-CBC + PBKDF2(100k iter) using a 48-char random passphrase. Safe to
  commit to a public repo; the passphrase lives in the team password manager.
- scripts/decrypt-key.sh: one-liner that decrypts to ~/.config/gcp/ (mode 600)
  and prints the service-account email so users know which address to share
  their Sheet with.
- secrets/README.md: explains the crypto, decrypt flow, and rotation
  procedures (passphrase rotation vs underlying GCP key rotation).
- README + DEPLOY.md + setup.md: install flow updated. Users no longer wait
  for the admin to send a JSON; they git clone, run decrypt-key.sh with the
  passphrase from the team password manager, and continue. Cuts one
  out-of-band file transfer from the user experience.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 11:24:48 +08:00


#!/usr/bin/env bash
# decrypt-key.sh — decrypt the bundled service-account key into
# ~/.config/gcp/bookkeeping-sa.json. You'll be prompted for the passphrase
# (ask your admin; it's stored in the team password manager).
#
# Usage:
# bash scripts/decrypt-key.sh
#
# Idempotent: re-running overwrites the existing decrypted file.
set -euo pipefail
REPO_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)"
SRC="$REPO_DIR/secrets/bookkeeping-sa.json.enc"
DEST_DIR="$HOME/.config/gcp"
DEST="$DEST_DIR/bookkeeping-sa.json"
if [[ ! -f "$SRC" ]]; then
  echo "error: encrypted key not found at $SRC" >&2
  exit 1
fi
mkdir -p "$DEST_DIR"
# Create the decrypted file owner-only from the first byte, instead of
# chmod-ing a file openssl has already written with the default 0644 umask.
umask 077
# AES-256-CBC + PBKDF2 (100k iter) + salt. Passphrase read interactively.
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -d -in "$SRC" -out "$DEST"
chmod 600 "$DEST"
echo "Decrypted to $DEST"
# Pass the path as an argument instead of interpolating it into Python source,
# so a quote or backslash in $HOME cannot break (or change) the one-liner.
SA_EMAIL=$(python3 -c "import json, sys; print(json.load(open(sys.argv[1]))['client_email'])" "$DEST" 2>/dev/null || true)
if [[ -n "$SA_EMAIL" ]]; then
  echo ""
  echo "Service-account email: $SA_EMAIL"
  echo "Next step: share your Google Sheet with this email (Editor)."
fi
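The admin-side counterpart the commit message describes (producing `bookkeeping-sa.json.enc`) is not part of this page, so the following is an added example, not code from the AutoACCT repo. It encrypts a constructed, non-real sample key with the exact openssl parameters `decrypt-key.sh` expects, then verifies the round trip (bytes, mode 600, parseable `client_email`) before the `.enc` would be committed; the file names, `KEY_PASSPHRASE` variable and the `verify_roundtrip` helper are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the AutoACCT repo): encrypt a service-account key the
# way decrypt-key.sh expects and prove the .enc round-trips before committing it.
# The passphrase travels in an exported variable (-pass env:), never on argv.
set -euo pipefail

# Must match decrypt-key.sh exactly; a cipher or iteration mismatch means users
# get "bad decrypt" even with the correct passphrase.
OPENSSL_ARGS=(-aes-256-cbc -pbkdf2 -iter 100000 -salt)

encrypt_key() {  # encrypt_key PLAINTEXT OUTPUT.enc
  openssl enc "${OPENSSL_ARGS[@]}" -in "$1" -out "$2" -pass env:KEY_PASSPHRASE
}

# Creates the plaintext with mode 600 from the first byte (umask in a subshell)
# rather than chmod-ing after openssl has already written a 0644 file.
decrypt_key() {  # decrypt_key INPUT.enc PLAINTEXT
  ( umask 077; openssl enc "${OPENSSL_ARGS[@]}" -d -in "$1" -out "$2" -pass env:KEY_PASSPHRASE )
}

# verify_roundtrip PLAINTEXT INPUT.enc: returns 0 only if the .enc decrypts
# byte-for-byte to the original, the copy is mode 600, and it is JSON with a
# client_email field (the value decrypt-key.sh prints for the user).
verify_roundtrip() {
  local src=$1 enc=$2 tmpdir tmp rc=0
  tmpdir=$(mktemp -d); tmp="$tmpdir/sa.json"
  decrypt_key "$enc" "$tmp" \
    && cmp -s "$src" "$tmp" \
    && [ -n "$(find "$tmp" -perm 0600)" ] \
    && python3 -c 'import json, sys; json.load(open(sys.argv[1]))["client_email"]' "$tmp" \
    || rc=1
  rm -rf "$tmpdir"
  return "$rc"
}

# Constructed sample key (placeholder fields, not a real credential) and a
# 48-character random passphrase, the length the commit message describes.
WORK=$(mktemp -d)
PLAIN="$WORK/bookkeeping-sa.json"
ENC="$WORK/bookkeeping-sa.json.enc"
printf '{"type":"service_account","client_email":"sa@example.invalid","private_key":"PLACEHOLDER"}\n' > "$PLAIN"
KEY_PASSPHRASE=$(openssl rand -base64 36); export KEY_PASSPHRASE

encrypt_key "$PLAIN" "$ENC"
if verify_roundtrip "$PLAIN" "$ENC"; then
  echo "ok: $ENC round-trips with the passphrase; commit the .enc, never $PLAIN"
else
  echo "FAIL: $ENC did not decrypt back to $PLAIN" >&2
fi
```

A wrong passphrase makes `verify_roundtrip` fail either way: openssl usually reports "bad decrypt", and in the rare case the padding check passes the garbage output fails `cmp`.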