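#!/usr/bin/env bash
#
# Install the smallstep `step` CLI, bootstrap it against the internal CA and
# add the CA's root certificate to the OS trust store.
#
# Environment:
#   CA_URL          URL of the step-ca instance (default: https://10.10.40.53).
#   CA_FINGERPRINT  SHA-256 fingerprint of the CA root certificate. `step ca
#                   bootstrap` rejects a root that does not match it, so trust
#                   is pinned to this value rather than to the network path.
#   FORCE           "1" removes ~/.step before bootstrapping (default: 0).
#
# Package installation and trust-store changes are done through sudo.
set -euo pipefail

CA_URL="${CA_URL:-https://10.10.40.53}"
CA_FINGERPRINT="${CA_FINGERPRINT:-5fc8c379cab1119c1a9ac7038225f6bcf3a2ffb0e71b257af796b2bd6c71d594}"
FORCE="${FORCE:-0}"

# Timestamped progress line on stdout.
log() {
  printf '\n[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
}

# Print an error on stderr and abort the whole script.
fail() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Succeeds when "$1" resolves to a command on PATH.
need_cmd() {
  command -v "$1" >/dev/null 2>&1
}

# Print a short OS identifier: linux, darwin, windows_bash or unknown.
detect_os() {
  local kernel
  kernel="$(uname -s)"
  case "$kernel" in
    Linux*) printf '%s\n' "linux" ;;
    Darwin*) printf '%s\n' "darwin" ;;
    MINGW* | MSYS* | CYGWIN*) printf '%s\n' "windows_bash" ;;
    *) printf '%s\n' "unknown" ;;
  esac
}

# Install step-cli on Linux with whichever package manager is available.
# apt and dnf get the vendor repository (packages verified by its signing key);
# apk and pacman use the distribution's own package.
install_step_linux() {
  if need_cmd apt-get; then
    log "Installing step-cli with apt"
    sudo apt-get update
    sudo apt-get install -y --no-install-recommends curl gpg ca-certificates
    sudo mkdir -p /etc/apt/keyrings
    # Fetch the repo signing key over TLS only; the key then gates every
    # package pulled from this source via Signed-By.
    curl -fsSL --proto '=https' --tlsv1.2 \
      https://packages.smallstep.com/keys/apt/repo-signing-key.gpg |
      sudo tee /etc/apt/keyrings/smallstep.asc >/dev/null
    sudo tee /etc/apt/sources.list.d/smallstep.sources >/dev/null <<'EOF'
Types: deb
URIs: https://packages.smallstep.com/stable/debian
Suites: debs
Components: main
Signed-By: /etc/apt/keyrings/smallstep.asc
EOF
    sudo apt-get update
    sudo apt-get install -y step-cli
  elif need_cmd apk; then
    log "Installing step-cli with apk"
    sudo apk add --no-cache step-cli
  elif need_cmd dnf; then
    log "Installing step-cli with dnf"
    # gpgcheck=1 verifies the packages themselves; repo_gpgcheck=0 leaves the
    # repository metadata unverified beyond the TLS transport.
    sudo tee /etc/yum.repos.d/smallstep.repo >/dev/null <<'EOF'
[smallstep]
name=Smallstep
baseurl=https://packages.smallstep.com/stable/fedora/
enabled=1
repo_gpgcheck=0
gpgcheck=1
gpgkey=https://packages.smallstep.com/keys/smallstep-0x889B19391F774443.gpg
EOF
    sudo dnf makecache
    sudo dnf install -y step-cli
  elif need_cmd pacman; then
    log "Installing step-cli with pacman"
    sudo pacman -Sy --noconfirm step-cli
    # Arch ships the binary as step-cli; expose it under the name the rest of
    # this script (and the user) expects.
    if [[ ! -e /usr/local/bin/step && -x /usr/bin/step-cli ]]; then
      sudo ln -s /usr/bin/step-cli /usr/local/bin/step
    fi
  else
    fail "No supported package manager found"
  fi
}

# Install step on macOS via Homebrew.
install_step_darwin() {
  need_cmd brew || fail "Homebrew not found"
  log "Installing step with Homebrew"
  brew install step
}

# Ensure the `step` CLI is present, installing it for the detected OS if not.
install_step() {
  if need_cmd step; then
    log "step CLI already installed"
    return
  fi

  case "$(detect_os)" in
    darwin) install_step_darwin ;;
    linux) install_step_linux ;;
    *) fail "Unsupported OS" ;;
  esac

  need_cmd step || fail "step CLI installation failed"
}

# Point the CLI at the CA. The fingerprint pins the downloaded root
# certificate; --install also adds it to the local step trust store.
bootstrap_step() {
  if [[ "$FORCE" == "1" ]]; then
    log "Removing existing step configuration"
    # ${HOME:?} guards against deleting "/.step" if HOME is ever empty.
    rm -rf -- "${HOME:?HOME is not set}/.step"
  fi

  log "Bootstrapping against $CA_URL"
  step ca bootstrap \
    --ca-url "$CA_URL" \
    --fingerprint "$CA_FINGERPRINT" \
    --install \
    --force
}

# Add the bootstrapped root certificate to the system trust store on Linux
# (Debian/Ubuntu style update-ca-certificates or p11-kit's `trust`).
install_linux_trust() {
  local root_cert
  root_cert="$HOME/.step/certs/root_ca.crt"
  [[ -f "$root_cert" ]] || fail "Root certificate not found at $root_cert"

  if need_cmd update-ca-certificates; then
    sudo mkdir -p /usr/local/share/ca-certificates
    sudo cp -- "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt
    sudo update-ca-certificates
    return
  fi

  if need_cmd trust; then
    sudo trust anchor "$root_cert"
    return
  fi

  fail "Could not determine Linux trust-store tool"
}

# Add the bootstrapped root certificate to the macOS System keychain as a
# trusted root.
install_macos_trust() {
  local root_cert
  root_cert="$HOME/.step/certs/root_ca.crt"
  [[ -f "$root_cert" ]] || fail "Root certificate not found at $root_cert"

  sudo security add-trusted-cert \
    -d \
    -r trustRoot \
    -k /Library/Keychains/System.keychain \
    "$root_cert"
}

# Dispatch trust-store installation by OS.
install_trust_store() {
  case "$(detect_os)" in
    linux) install_linux_trust ;;
    darwin) install_macos_trust ;;
    *) fail "Unsupported OS for trust-store installation" ;;
  esac
}

main() {
  install_step
  bootstrap_step
  install_trust_store
  log "Done"
}

main "$@"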