forgejo: sign RPM before deploying

2024-08-22 15:04:45 -04:00 · 2024-08-22 15:04:45 -04:00 · d8369958c5
commit d8369958c5
parent 57cc5b49b3
2 changed files with 16 additions and 1 deletions
--- a/.forgejo/bin/deploy.sh
+++ b/.forgejo/bin/deploy.sh
@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash

 # shellcheck disable=SC3040
 set -eu -o pipefail
@ -10,6 +10,20 @@ readonly TARGET_REPO=$CI_RPM_REPO
 readonly group="qubes/$QUBES_REL"
 readonly rpm=$(find . -name 'qubes-template-*.rpm')

+echo "Signing $rpm"
+gpg --import <<< $FORGE_REPO_PRIVKEY
+gpg --export -a > forge-repo.pub
+rpm --import forge-repo.pub
+
+cat << EOF > $HOME/.rpmmacros
+%_signature gpg
+%_gpg_path $HOME/.gnupg
+%_gpg_name RPM Registry
+%_gpgbin /usr/bin/gpg
+EOF
+
+rpm --addsign $rpm
+
 echo "Sending $rpm to $TARGET_REPO/$group/upload"
 curl -s --user $FORGE_REPO_USER:$FORGE_REPO_TOKEN --upload-file $rpm $TARGET_REPO/$group/upload

--- a/.forgejo/workflows/release-build.yaml
+++ b/.forgejo/workflows/release-build.yaml
@ -48,6 +48,7 @@ jobs:
    env:
      CI_RPM_REPO: 'https://ayakael.net/api/packages/forge/rpm'
      FORGE_REPO_TOKEN: ${{ secrets.FORGE_REPO_TOKEN }}
+      FORGE_REPO_PRIVKEY: ${{ secrets.FORGE_REPO_PRIVKEY }}
      FORGE_REPO_USER: ${{ vars.FORGE_REPO_USER }}
    steps:
      - name: Setting up environment