Sign builds with GnuPG (#26)

TheAssassin · web-flow · commit 177b3204a237 · 2024-05-05T21:44:53.000+02:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -5,7 +5,7 @@ on:
     branches:    
       - 'main'
   pull_request:
-  
+
 # This ensures that jobs get canceled when force-pushing
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -49,6 +49,16 @@ jobs:
            sudo apt-get -y install qemu-user-static
            ./chroot_build.sh
 
+    - name: Sign
+      env:
+        SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+      # skip signing if secret is not available (e.g., if run from a PR made by somebody outside of this repository)
+      if: ${{ env.SIGNING_KEY == '' }}
+      run: |
+        ./sign.sh out/runtime-*
+        # copy pubkey so that it's included with the files uploaded to the release page
+        cp signing-pubkey.asc out/
+
     - uses: actions/upload-artifact@v3
       with:
         name: artifacts
diff --git a/README.md b/README.md
@@ -25,3 +25,8 @@ export ARCHITECTURE=x86_64
 ```
 
 This whole process takes only a few seconds, e.g., on GitHub Codespaces.
+
+
+## Signing
+
+Release builds are signed automatically using GnuPG. The corresponding public key can be found in the file `signing-pubkey.asc`.
diff --git a/sign.sh b/sign.sh
@@ -0,0 +1,36 @@
+#! /bin/bash
+
+set -euo pipefail
+
+if [[ "${SIGNING_KEY:-}" == "" ]] || [[ ! -f "${1:-}" ]]; then
+    echo "Usage: env SIGNING_KEY=... $0 runtime-<arch>"
+    exit 2
+fi
+
+tmpdir="$(mktemp -d)"
+chmod 0700 "$tmpdir"
+
+cleanup() {
+    if [[ -d "$tmpdir" ]]; then
+        rm -rf "$tmpdir"
+    fi
+}
+
+trap cleanup EXIT
+
+export GNUPGHOME="$tmpdir"
+
+echo "=== importing key ==="
+echo -e "$SIGNING_KEY" | gpg2 --verbose --batch --import
+
+echo
+echo "=== listing available secret keys ==="
+gpg2 -K
+
+echo
+echo "=== signing $1 ==="
+gpg2 --verbose --batch --sign --detach -o "$1".sig "$1"
+
+echo
+echo "=== test-verifying signature ==="
+gpg2 --verbose --batch --verify "$1".sig "$1"
diff --git a/signing-pubkey.asc b/signing-pubkey.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZjaeexYJKwYBBAHaRw8BAQdAhvHdHoBweX0uVRgfcnlzexrSg+TAbK2mU1TA
+gi0TMC20NEFwcEltYWdlIHR5cGUgMiBydW50aW1lIDx0eXBlMi1ydW50aW1lQGFw
+cGltYWdlLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYh
+BFcMd6zqQMDxt1iQLL+WzKVkkPaVBQJmN7FgBQkSzRXlAAoJEL+WzKVkkPaVCXsA
+/0JxQPlr2AlKalt9LAGCXU633gBoXh8/sQQngGGWjhT2APoCls0XWL2qhx1jAIdr
+AqDmOi3bdzBOpWBBIsOexhbdBrg4BGY2nnsSCisGAQQBl1UBBQEBB0CRVIEEu+Ft
+W68O33iZCVDMIYUWdD59iXfQ7rHf8HxAEgMBCAeIfgQYFggAJhYhBFcMd6zqQMDx
+t1iQLL+WzKVkkPaVBQJmNp57AhsMBQkDwmcAAAoJEL+WzKVkkPaVY7oA/icTs/E6
+47LTon7ua021HdjQlwkHZOpa/hqBWQEB3w6GAQCbaPRxKcNN9Yfwxc6cIvfUORKz
++4OQzyesHV5P4fYLDw==
+=r/5H
+-----END PGP PUBLIC KEY BLOCK-----
