From c850a814989d94a65271c38cd4e95b0269d9519c Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Thu, 22 Aug 2024 16:13:07 -0400
Subject: [PATCH] forgejo: sign RPM before deploying

---
 .forgejo/bin/deploy.sh | 16 +++++++++++++++-
 .forgejo/workflows/release-build.yaml | 3 ++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/.forgejo/bin/deploy.sh b/.forgejo/bin/deploy.sh
index b9dee56..cdf97cb 100755
--- a/.forgejo/bin/deploy.sh
+++ b/.forgejo/bin/deploy.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # shellcheck disable=SC3040
 set -eu -o pipefail
@@ -10,6 +10,20 @@ readonly TARGET_REPO=$CI_RPM_REPO
 readonly group="qubes/$QUBES_REL"
 readonly rpm=$(find . -name 'qubes-template-*.rpm')
+echo "Signing $rpm"
+gpg --import <<< $FORGE_REPO_PRIVKEY
+gpg --export -a > forge-repo.pub
+rpm --import forge-repo.pub
+
+cat << EOF > $HOME/.rpmmacros
+%_signature gpg
+%_gpg_path $HOME/.gnupg
+%_gpg_name RPM Registry
+%_gpgbin /usr/bin/gpg
+EOF
+
+rpm --addsign $rpm
+
 echo "Sending $rpm to $TARGET_REPO/$group/upload"
 curl -s --user $FORGE_REPO_USER:$FORGE_REPO_TOKEN --upload-file $rpm $TARGET_REPO/$group/upload
diff --git a/.forgejo/workflows/release-build.yaml b/.forgejo/workflows/release-build.yaml
index c968780..3648793 100644
--- a/.forgejo/workflows/release-build.yaml
+++ b/.forgejo/workflows/release-build.yaml
@@ -48,10 +48,11 @@ jobs:
 env:
 CI_RPM_REPO: 'https://ayakael.net/api/packages/forge/rpm'
 FORGE_REPO_TOKEN: ${{ secrets.FORGE_REPO_TOKEN }}
+FORGE_REPO_PRIVKEY: ${{ secrets.FORGE_REPO_PRIVKEY }}
 FORGE_REPO_USER: ${{ vars.FORGE_REPO_USER }}
 steps:
 - name: Setting up environment
-run: apk add nodejs curl findutils git gawk
+run: apk add nodejs curl findutils git gawk bash rpm gpg gpg-agent
 - name: Repo pull
 uses: actions/checkout@v4
 - name: Package download
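Review bot: The `# shellcheck disable=SC3040` directive kept on the line after the new `#!/bin/bash` shebang is now stale: SC3040 is the "in POSIX sh, set option is undefined" finding, and once the script declares bash shellcheck no longer reports it for `set -eu -o pipefail`. Dropping the directive keeps later shellcheck output meaningful; if it stays, a short comment saying why would help the next reader. The rest of the script is outside this hunk.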
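Review bot: Nothing confirms that `rpm --addsign $rpm` produced a verifiable signature before the package is uploaded by the `curl` line that follows; since the public key is already imported into the rpmdb via `rpm --import forge-repo.pub`, adding `rpm --checksig "$rpm"` after the addsign line makes an unsigned or wrongly signed package fail the job instead of reaching the repository. The new expansions should also be quoted, `gpg --import <<< "$FORGE_REPO_PRIVKEY"` and `rpm --addsign "$rpm"`, because `$rpm` is assigned above the hunk from a `find` whose output may be empty or contain several paths (that assignment is only partly visible here). `%_gpg_name RPM Registry` has to match a user ID on the imported key exactly, so a comment such as `# must match the UID of the key held in FORGE_REPO_PRIVKEY` would save a silent mismatch from turning into a failed signing step.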
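Review bot: `FORGE_REPO_PRIVKEY` is added to what appears to be the job-level `env:` block (it sits next to `CI_RPM_REPO` and above `steps:`), so the signing private key is exported into every step of the job, including `actions/checkout@v4` and the package download, none of which need it. Moving it into an `env:` on the deploy step alone limits exposure to the one step that runs deploy.sh; the same applies to `FORGE_REPO_TOKEN`, although that line is pre-existing. Indentation was lost in this rendering, so the nesting is inferred from line order rather than seen.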