From aa24df6e3cc3c547cbdbdef621728985e7468241 Mon Sep 17 00:00:00 2001
From: jkr0103
Date: Fri, 29 Sep 2023 19:54:37 +0530
Subject: [PATCH] Add support for protected signing key

Signed-off-by: jkr0103
---
 gsc.py                                     |  5 +----
 sign.sh                                    | 17 -----------------
 templates/Dockerfile.common.sign.template  | 12 +++++-------
 templates/centos/Dockerfile.build.template |  1 -
 templates/centos/Dockerfile.sign.template  |  1 -
 templates/debian/Dockerfile.build.template |  1 -
 templates/debian/Dockerfile.sign.template  |  1 -
 7 files changed, 6 insertions(+), 32 deletions(-)
 delete mode 100755 sign.sh

diff --git a/gsc.py b/gsc.py
index a585e254..2a00d0ca 100755
--- a/gsc.py
+++ b/gsc.py
@@ -381,12 +381,9 @@ def gsc_sign_image(args):
     with open(tmp_build_path / 'Dockerfile.sign', 'w') as dockerfile:
         dockerfile.write(sign_template.render(image=unsigned_image_name))
 
-    # copy user-provided signing key and signing Bash script to our tmp build dir (to copy them
-    # later inside Docker image)
+    # copy user-provided signing key to our tmp build dir (to copy it later inside Docker image)
     tmp_build_key_path = tmp_build_path / 'gsc-signer-key.pem'
-    tmp_build_sign_path = tmp_build_path / 'sign.sh'
     shutil.copyfile(os.path.abspath(args.key), tmp_build_key_path)
-    shutil.copy(os.path.abspath('sign.sh'), tmp_build_sign_path)
 
     try:
         # `forcerm` parameter forces removal of intermediate Docker images even after unsuccessful
diff --git a/sign.sh b/sign.sh
deleted file mode 100755
index d3e97c0a..00000000
--- a/sign.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/expect
-spawn gramine-sgx-sign \
-    --key [lindex $argv 0] \
-    --manifest [lindex $argv 1] \
-    --output [lindex $argv 2]
-
-set timeout -1
-set times 0
-set maxtimes 1
-expect "Enter pass phrase for [lindex $argv 0]" {
-    if {$times > $maxtimes} {
-        exit 0
-    }
-    send "[lindex $argv 3]\r"
-    set times [ expr $times + 1];
-    exp_continue
-}
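Review bot: The signing key is still placed in the temporary build context with `shutil.copyfile`, which creates `gsc-signer-key.pem` with the process umask rather than the source file's mode, so a key kept at 0600 by the user can land world-readable in the tmp dir (and in the build context handed to the Docker daemon). Restricting it right after the copy is a one-liner: `os.chmod(tmp_build_key_path, 0o600)`. Whether and when the tmp dir is removed is not visible here; gsc_sign_image continues past the end of the hunk.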
diff --git a/templates/Dockerfile.common.sign.template b/templates/Dockerfile.common.sign.template
index 02942d5d..d5489abc 100644
--- a/templates/Dockerfile.common.sign.template
+++ b/templates/Dockerfile.common.sign.template
@@ -3,13 +3,11 @@ FROM {{image}} as unsigned_image
 COPY gsc-signer-key.pem /gramine/app_files/gsc-signer-key.pem
 ARG passphrase
 
-COPY sign.sh /gramine/app_files/sign.sh
-
-RUN {% block path %}{% endblock %} /gramine/app_files/sign.sh \
-    /gramine/app_files/gsc-signer-key.pem \
-    /gramine/app_files/entrypoint.manifest \
-    /gramine/app_files/entrypoint.manifest.sgx \
-    $passphrase
+RUN {% block path %}{% endblock %} gramine-sgx-sign \
+    --key /gramine/app_files/gsc-signer-key.pem \
+    --manifest /gramine/app_files/entrypoint.manifest \
+    --output /gramine/app_files/entrypoint.manifest.sgx \
+    --passphrase $passphrase
 
 # This trick removes all temporary files from the previous commands (including gsc-signer-key.pem
 # and passphrase)
diff --git a/templates/centos/Dockerfile.build.template b/templates/centos/Dockerfile.build.template
index 39eaf98c..0951f078 100644
--- a/templates/centos/Dockerfile.build.template
+++ b/templates/centos/Dockerfile.build.template
@@ -12,7 +12,6 @@ RUN dnf update -y \
     && dnf install -y \
         binutils \
         epel-release \
-        expect \
         openssl \
         protobuf-c-devel \
         python3 \
diff --git a/templates/centos/Dockerfile.sign.template b/templates/centos/Dockerfile.sign.template
index c5928882..84c1ee01 100644
--- a/templates/centos/Dockerfile.sign.template
+++ b/templates/centos/Dockerfile.sign.template
@@ -6,7 +6,6 @@ RUN \
         tomli tomli-w \
     && dnf remove -y binutils \
         epel-release \
-        expect \
         openssl \
         python3-protobuf \
         python3-pyelftools \
diff --git a/templates/debian/Dockerfile.build.template b/templates/debian/Dockerfile.build.template
index 8319d7e5..ee090874 100644
--- a/templates/debian/Dockerfile.build.template
+++ b/templates/debian/Dockerfile.build.template
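Review bot: The new RUN line passes `--passphrase $passphrase` unconditionally, but `ARG passphrase` has no default, so a build with an unprotected key runs `gramine-sgx-sign ... --passphrase` with an empty value, which the argument parser will most likely reject; the removed expect script only answered a pass-phrase prompt when one actually appeared, so this is a regression for the unprotected-key path. Guarding the flag with shell parameter expansion keeps that path working and also quotes the value against whitespace: replace the last line with `${passphrase:+--passphrase "$passphrase"}`. Separately, the passphrase now travels on the command line of the signing process, where it is readable from the process list inside the build container for the duration of the command; if gramine-sgx-sign offers a file- or stdin-based way to supply it, that would be the safer channel.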
@@ -8,7 +8,6 @@
 RUN apt-get update \
     && env DEBIAN_FRONTEND=noninteractive apt-get install -y \
         binutils \
-        expect \
         libprotobuf-c-dev \
         locales \
         openssl \
diff --git a/templates/debian/Dockerfile.sign.template b/templates/debian/Dockerfile.sign.template
index c93552bc..272c40f9 100644
--- a/templates/debian/Dockerfile.sign.template
+++ b/templates/debian/Dockerfile.sign.template
@@ -4,7 +4,6 @@
 {% set distro = Distro.split(':') %}
 RUN \
     apt-get remove -y binutils \
-        expect \
         openssl \
         python3-protobuf \
         python3-cryptography \