From 60c54805146bb4b136fda59a435dc70fd2e8e051 Mon Sep 17 00:00:00 2001
From: Aleksandr Razumov
Date: Sun, 2 Apr 2023 15:21:17 +0300
Subject: [PATCH] ci: add gpg signatures
---
 .github/workflows/release.yml | 15 +++++++++++++++
 cmd/release/RELEASE.md.tmpl | 17 +++++++++++++++++
 sign.sh | 17 +++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100755 sign.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ee9ea8c..95a2887 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,6 +27,15 @@ jobs:
 run:
 runs-on: ubuntu-latest
 steps:
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v5
+ with:
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.GPG_PASSPHRASE }}
+ - name: List keys
+ run: gpg -K
+
 - uses: actions/checkout@v3

 - name: Install Go
@@ -69,6 +78,9 @@ jobs:
 - name: Checksums
 run: ./checksums.sh

+ - name: Sign
+ run: ./sign.sh
+
 - name: Release notes
 run: go run ./cmd/release > _out/release.md

@@ -79,6 +91,9 @@ jobs:
 body_path: _out/release.md
 files: |
 _out/go-linux-riscv64-bootstrap.tbz
+ _out/go-linux-riscv64-bootstrap.tbz.asc
 _out/checksums.sha256.txt
+ _out/checksums.sha256.txt.asc
 _out/go${{ env.GOVERSION }}.linux-riscv64.tar.gz
+ _out/go${{ env.GOVERSION }}.linux-riscv64.tar.gz.asc
 _out/go${{ env.GOVERSION }}.src.tar.gz
diff --git a/cmd/release/RELEASE.md.tmpl b/cmd/release/RELEASE.md.tmpl
index 7c2845e..e929576 100644
--- a/cmd/release/RELEASE.md.tmpl
+++ b/cmd/release/RELEASE.md.tmpl
@@ -60,3 +60,20 @@ You can check it without creating new shell session:
 source /etc/profile.d/go.sh
 go version
 ```
+
+#### Verify signature
+
+Import the public key:
+```bash
+gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '943040B9817AC4C7'
+```
+
+Download the signature:
+```bash
+wget "{{ .Archive.URL }}.sig"
+```
+
+Verify the signature:
+```bash
+gpg --batch --verify {{ .Archive.Name }}.sig {{ .Archive.Name }}
+```
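Review bot: The `Import GPG key` step in the first release.yml hunk (`@@ -27,6 +27,15 @@`) passes `secrets.GPG_PRIVATE_KEY` and `secrets.GPG_PASSPHRASE` to a third-party action referenced by the movable tag `crazy-max/ghaction-import-gpg@v5`, so the code that receives the release signing key can change without any change in this repository. Pin it to a full commit SHA and keep the version as a trailing comment, e.g. `uses: crazy-max/ghaction-import-gpg@<FULL_COMMIT_SHA>  # v5`. The `List keys` step (`gpg -K`) prints only key metadata, but it is debugging output in a release job and can be dropped once the import is known to work. The `steps:` list continues outside the hunk.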
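Review bot: The `files:` list in the third release.yml hunk (`@@ -79,6 +91,9 @@`) gains `.asc` entries for the bootstrap archive, the checksum file and the binary tarball, but none for `_out/go${{ env.GOVERSION }}.src.tar.gz`, although `sign.sh` in this same commit also signs `${src}`. The source tarball would therefore be published without its detached signature; add `_out/go${{ env.GOVERSION }}.src.tar.gz.asc` after the last entry. The `with:` block that owns this list starts outside the hunk.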
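Review bot: The verification steps added to `cmd/release/RELEASE.md.tmpl` fetch `{{ .Archive.URL }}.sig` and verify `{{ .Archive.Name }}.sig`, while `sign.sh` writes `${file}.asc` and the workflow uploads only `.asc` files, so the documented commands would fail for every release. Use `.asc` in both places: `wget "{{ .Archive.URL }}.asc"` and `gpg --batch --verify {{ .Archive.Name }}.asc {{ .Archive.Name }}`. The key is also named only by the 64-bit ID `943040B9817AC4C7` and pulled from a public keyserver. Giving the full fingerprint to `--recv-keys` (`<FULL_40_HEX_FINGERPRINT>`) and telling readers to compare it with the fingerprint that `gpg --verify` prints makes the check meaningful, since `--verify` reports a good signature for any key in the keyring.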
diff --git a/sign.sh b/sign.sh
new file mode 100755
index 0000000..b075ac0
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+ver="${GOVERSION:-1.20.2}"
+archive="go${ver}.linux-riscv64.tar.gz"
+bootstrap=go-linux-riscv64-bootstrap.tbz
+src=go${ver}.src.tar.gz
+sums=checksums.sha256.txt
+key=943040B9817AC4C7
+
+cd _out
+for file in "${archive}" "${bootstrap}" "${src}" "${sums}"; do
+ gpg --batch --yes --default-key "${key}" --output "${file}.asc" --armor --detach-sig "${file}"
+ gpg --batch --default-key "${key}" --verify "${file}.asc" "${file}"
+done
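Review bot: The self-check at the end of the loop, `gpg --batch --default-key "${key}" --verify "${file}.asc" "${file}"`, does not assert which key produced the signature: `--default-key` only selects a key for signing, so the verify succeeds for a good signature from any key in the runner's keyring. Hold the full fingerprint in `key` instead of the 64-bit ID `943040B9817AC4C7` (the import step's `fingerprint` output could be passed in through the environment rather than hard-coded), sign with `--local-user "${key}"`, and have the check read `--status-fd` output and require a `VALIDSIG` line naming that fingerprint. A comment above `key=` saying that the value must match the key stored in `secrets.GPG_PRIVATE_KEY` would also help whoever rotates the key.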