forgejo: sign RPM before deploying

.forgejo/bin/deploy.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # shellcheck disable=SC3040
 set -eu -o pipefail
@@ -10,6 +10,20 @@ readonly TARGET_REPO=$CI_RPM_REPO
 readonly group="qubes/$QUBES_REL"
 readonly rpm=$(find . -name 'qubes-template-*.rpm')
 
+echo "Signing $rpm"
+gpg --import <<< $FORGE_REPO_PRIVKEY
+gpg --export -a > forge-repo.pub
+rpm --import forge-repo.pub
+
+cat << EOF > $HOME/.rpmmacros
+%_signature gpg
+%_gpg_path $HOME/.gnupg
+%_gpg_name RPM Registry
+%_gpgbin /usr/bin/gpg
+EOF
+
+rpm --addsign $rpm
+
 echo "Sending $rpm to $TARGET_REPO/$group/upload"
 curl -s --user $FORGE_REPO_USER:$FORGE_REPO_TOKEN --upload-file $rpm $TARGET_REPO/$group/upload
 

.forgejo/workflows/release-build.yaml

@@ -48,6 +48,7 @@ jobs:
     env:
       CI_RPM_REPO: 'https://ayakael.net/api/packages/forge/rpm'
       FORGE_REPO_TOKEN: ${{ secrets.FORGE_REPO_TOKEN }}
+      FORGE_REPO_PRIVKEY: ${{ secrets.FORGE_REPO_PRIVKEY }}
       FORGE_REPO_USER: ${{ vars.FORGE_REPO_USER }}
     steps:
       - name: Setting up environment