From d8369958c553e5be049dc45e012a2f1cd9876d79 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Thu, 22 Aug 2024 15:04:45 -0400
Subject: [PATCH] forgejo: sign RPM before deploying
---
 .forgejo/bin/deploy.sh | 16 +++++++++++++++-
 .forgejo/workflows/release-build.yaml | 1 +
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/.forgejo/bin/deploy.sh b/.forgejo/bin/deploy.sh
index b9dee56..cdf97cb 100755
--- a/.forgejo/bin/deploy.sh
+++ b/.forgejo/bin/deploy.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # shellcheck disable=SC3040
 set -eu -o pipefail
@@ -10,6 +10,20 @@ readonly TARGET_REPO=$CI_RPM_REPO
 readonly group="qubes/$QUBES_REL"
 readonly rpm=$(find . -name 'qubes-template-*.rpm')
+echo "Signing $rpm"
+gpg --import <<< $FORGE_REPO_PRIVKEY
+gpg --export -a > forge-repo.pub
+rpm --import forge-repo.pub
+
+cat << EOF > $HOME/.rpmmacros
+%_signature gpg
+%_gpg_path $HOME/.gnupg
+%_gpg_name RPM Registry
+%_gpgbin /usr/bin/gpg
+EOF
+
+rpm --addsign $rpm
+
 echo "Sending $rpm to $TARGET_REPO/$group/upload"
 curl -s --user $FORGE_REPO_USER:$FORGE_REPO_TOKEN --upload-file $rpm $TARGET_REPO/$group/upload
diff --git a/.forgejo/workflows/release-build.yaml b/.forgejo/workflows/release-build.yaml
index c968780..d776530 100644
--- a/.forgejo/workflows/release-build.yaml
+++ b/.forgejo/workflows/release-build.yaml
@@ -48,6 +48,7 @@ jobs:
 env:
 CI_RPM_REPO: 'https://ayakael.net/api/packages/forge/rpm'
 FORGE_REPO_TOKEN: ${{ secrets.FORGE_REPO_TOKEN }}
+ FORGE_REPO_PRIVKEY: ${{ secrets.FORGE_REPO_PRIVKEY }}
 FORGE_REPO_USER: ${{ vars.FORGE_REPO_USER }}
 steps:
 - name: Setting up environment
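Review bot: The `# shellcheck disable=SC3040` directive kept as context in the first hunk is stale once the shebang becomes `#!/bin/bash`: SC3040 only fires for `-o pipefail` under POSIX sh, so the suppression now documents a constraint that no longer exists. Drop that line, and since the switch to bash appears to be driven by the `<<<` here-string in the signing block, say so where the shebang changes, e.g. `# bash required: here-string (<<<) used for the key import`.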
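Review bot: The signing block imports the private key into `$HOME/.gnupg` (and the running gpg agent) and nothing removes it afterwards, so on any runner that is not discarded after the job the release signing key outlives this deploy and is readable by later jobs; whether the runner is ephemeral is not visible from the patch, so the script should not depend on it. Give the key an isolated `GNUPGHOME` created with `mktemp -d` and removed by an `EXIT` trap, point `%_gpg_path` at that directory instead of `$HOME/.gnupg`, and quote the expansions (`"$FORGE_REPO_PRIVKEY"`, `"$rpm"`, `"$HOME/.rpmmacros"`) now that the script runs under bash and `$rpm` comes from an unquoted `find`. Adding `rpm --checksig "$rpm"` after `rpm --addsign` makes the job fail before upload if the signature does not verify against the key that was just imported into the rpm keyring, rather than shipping an unverifiable package. `%_gpg_name RPM Registry` also presumes the uid of the imported key; worth a comment naming that assumption.

```bash
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'rm -rf "$GNUPGHOME"' EXIT   # private key must not outlive this run

echo "Signing $rpm"
gpg --import <<< "$FORGE_REPO_PRIVKEY"
# … unchanged: gpg --export / rpm --import of forge-repo.pub …

# … unchanged: .rpmmacros heredoc, except the path line now reads: …
%_gpg_path $GNUPGHOME

rpm --addsign "$rpm"
rpm --checksig "$rpm"   # abort before upload if the signature does not verify
# … unchanged: upload …
```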
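Review bot: `FORGE_REPO_PRIVKEY` is added to the job-level `env`, which hands the signing private key to every step of the job — checkout, environment setup and any third-party action that runs before `deploy.sh` — rather than only to the step that signs. Move it to a step-scoped `env:` on the step that invokes `.forgejo/bin/deploy.sh` (that step is outside this hunk, under `steps:`), so the key is only in the environment of the process that needs it. `FORGE_REPO_TOKEN` already has the same job-wide exposure, but a long-lived signing key warrants the tighter scope even if the token is left as is.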