GitHubのOpenID Connect ID プロバイダーのサムプリントの取得

thumbprint.sh

#!/bin/bash
set -eux
# GitHubのOpenID Connect ID プロバイダーのサムプリントの取得
# 参考URL
# https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
# https://qiita.com/minamijoyo/items/eac99e4b1ca0926c4310

PROVIDER_URL="https://token.actions.githubusercontent.com"
JWKS_URL=$(curl -s "$PROVIDER_URL/.well-known/openid-configuration" | jq -r .jwks_uri)
JWKS_DOMAIN=$(perl -E '$_="'$JWKS_URL'"; if(m!https://([^/]+)/!) { say $1 }')

echo 'Q' | openssl s_client -servername $JWKS_DOMAIN -showcerts -connect $JWKS_DOMAIN:443 2> /dev/null \
| perl -E 'my @certs=(); local $/; $_=<>; foreach(/(-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----\n)/sg) { push @certs,$1 }; print $certs[$#certs];' \
| openssl x509 -fingerprint -sha1 -noout \
| perl -E 'local $/; $_=<>; if(/Fingerprint=(.+)/) { $_=$1; s/://g; ; say lc($_); }'