From 32155a659fbd3d6a5818b6fb3ee46a54b32a334f Mon Sep 17 00:00:00 2001
From: Joel Natividad <1980690+jqnatividad@users.noreply.github.com>
Date: Thu, 26 Oct 2023 07:45:06 -0400
Subject: [PATCH] sign prebuilt archives with zipsign for self-update verification
---
 .../workflows/macOS-arm64-selfhosted-publish.yml | 13 +++++++++++++
 .github/workflows/publish.yml | 13 +++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/.github/workflows/macOS-arm64-selfhosted-publish.yml b/.github/workflows/macOS-arm64-selfhosted-publish.yml
index c13116c6d..befdf75c1 100644
--- a/.github/workflows/macOS-arm64-selfhosted-publish.yml
+++ b/.github/workflows/macOS-arm64-selfhosted-publish.yml
@@ -94,6 +94,19 @@ jobs:
 cat docs/publishing_assets/README.txt docs/publishing_assets/qsv-${{ matrix.job.target }}.txt > qsv-${{ needs.analyze-tags.outputs.previous-tag }}/README
 - name: zip up binaries
 run: 7zz a -tzip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip ./qsv-${{ needs.analyze-tags.outputs.previous-tag }}/* -mx=9 -mmt=on
+ - name: install zipsign
+ run: |
+ cargo install zipsign
+ - name: Fetch zipsign private key
+ uses: mobiledevops/secret-to-file-action@v1
+ with:
+ base64-encoded-secret: ${{ secrets.QSV_ZIPSIGN_PRIV_KEY }}
+ filename: "qsvpriv.key"
+ is-executable: false
+ working-directory: "."
+ - name: zipsign binary
+ run: |
+ zipsign sign zip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip qsvpriv.key
 - name: Upload zipped binaries to release
 uses: svenstaro/upload-release-action@v2
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 68cb897d6..2c2351100 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
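Review bot: `qsvpriv.key` is written to the workspace root by the `Fetch zipsign private key` step in macOS-arm64-selfhosted-publish.yml, and nothing in this hunk deletes it after `zipsign sign`. Going by the workflow name this job runs on a self-hosted runner, where the workspace normally survives the job, so the release signing key would stay on disk for any later job or process on that machine. Add a step right after signing with `if: always()` and `run: rm -f qsvpriv.key`, so the key is also removed when signing fails. The steps list continues outside the hunk, so confirm that the upload step's file pattern cannot match the key while it is still present.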
@@ -196,6 +196,19 @@ jobs:
 cat docs/publishing_assets/README.txt docs/publishing_assets/qsv-${{ matrix.job.target }}.txt > qsv-${{ needs.analyze-tags.outputs.previous-tag }}/README
 - name: zip up binaries
 run: 7z a -tzip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip ./qsv-${{ needs.analyze-tags.outputs.previous-tag }}/* -mx=9 -mmt=on
+ - name: install zipsign
+ run: |
+ cargo install zipsign
+ - name: Fetch zipsign private key
+ uses: mobiledevops/secret-to-file-action@v1
+ with:
+ base64-encoded-secret: ${{ secrets.QSV_ZIPSIGN_PRIV_KEY }}
+ filename: "qsvpriv.key"
+ is-executable: false
+ working-directory: "."
+ - name: zipsign binary
+ run: |
+ zipsign sign zip qsv-${{ needs.analyze-tags.outputs.previous-tag }}-${{ matrix.job.target }}.zip qsvpriv.key
 - name: Upload zipped binaries to release
 uses: svenstaro/upload-release-action@v2
 with:
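Review bot: The signing tool and the action that writes the private key to disk in publish.yml are both unpinned: `cargo install zipsign` takes whatever version crates.io serves at release time, and `mobiledevops/secret-to-file-action@v1` is a movable tag. Both run in the job that holds `QSV_ZIPSIGN_PRIV_KEY`, so a changed upstream release would execute with access to the key that self-update verification relies on. Pin them, e.g. `cargo install zipsign --version <PINNED_VERSION> --locked` and `uses: mobiledevops/secret-to-file-action@<FULL_COMMIT_SHA>`; the identical steps in macOS-arm64-selfhosted-publish.yml need the same change. The job's remaining steps lie outside the hunk.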