Package signing.

.github/workflows/release.yml

@@ -3,7 +3,7 @@ on:
    branches:
       - feature/pkg
     # tags:
-    # - 'v[0-9]+.[0-9]+.[0-9]*'
+    # - 'v*+'
 
 name: Create release and upload binaries
 
@@ -17,10 +17,26 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Build
+        env:
+          GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GITHUB_GPG_PASSPHRASE }}
         run: |
-          pkg/arch/build.sh
+          pushd pkg/arch
+          # Create user
+          useradd -m -g wheel -s /bin/bash build
+          echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+          chown -R build:wheel .
+          chown -R build:wheel $HOME
+
+          # Install makepkg deps
+          pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
+
+          # Build
+          su build --pty -s /bin/bash -c './build.sh'
+          popd
           mkdir release
           mv pkg/arch/**/*.pkg.tar.zst* release
+
       - name: Upload artifacts
         uses: actions/upload-artifact@v1
         with:

keys/archseer.asc

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF4WdPwBEAC2lQtBmmbStc6+ISlWYyfeAve2nSSl5y7f7RbbPcA62bMnpz8p
+o9goyvXyhJn74J0c6QOvjFZYqlgn9zFK2RJDZnAxbiXJAIO15xTIZTNmPKO9Ea/V
+hXx5Bqq4LbM2sTSmK13dlYHU1VpKUXOOPkx039lmIL/h0Rv5kncNdGp7Sv45pisE
+2p+5zU3waypMu7hzlUnlkXAmI1I9Etvj0HT5J8Ko5Ht4PJdcNt8qdzO5uLnd2bt8
+16C8+Kb+bIt/onbCbcRY46bKo5a2fRuXU4zf/v+jY0m6+lqCAexqYQwvjJNs8a6U
+m0lZWnq3qoLF6eoqSBWBiA/y1N3GmR+9sZYTaI0xqr2ZUZTD1sZSVnlTO3kwrlpC
+MF73r2MR2foT9g7cWNV6C1RKAffeb9Lyl8Pq6dgNZ7FvQWG3yjf4d8gDXdEA/MuY
+89BWSb8gpgPIRkA+ViL/y0ZcEbjBLuRGFtphyv+mQk4MqT9svuiRadsrQsOysO69
+V06LMT7YUIP8HJSLetfeEfSkBlaCWisiQv796HMXSq3OGxOB9zHHJWO0A/zWpZ3t
+3EGQUI1IN6zRHsKfXkr6lbzkVvolZsCsIgM2bxaJXoXMuFPs22vKB1Axkdwltg9c
+UwdG0PChf6iesMR8Xkier2G+XRI7pjn4pnhJIKLdBE+TtOH7GqFr/52dCwARAQAB
+tDlCbGHFviBIcmFzdG5payAoU3VyZmFjZSBMaW51eCBzaWduaW5nIGtleSkgPGJs
+YXpAbXh4bi5pbz6JAjcEEwEKACEFAl4WdPwCGwMFCwkIBwMFFQoJCAsFFgIDAQAC
+HgECF4AACgkQW1dNG1E/mgVyvxAAhomDd7F+8NhbCSW1bHtfI1TQJBwZftYgVxIH
+or9Dk1kdBB7M8K+Y8FqKl1kt724odL4qZSNL7unTCk0h1+EtkQcAIy/DEHLwKD+z
+WEOJ1MDZpuvrdAWA9oeQeL8Uoo80HLI3y3R1QHM25gLuR/gpKwbe4JrIUhj6eRiB
+IBGXImypsLiEDx4bL/HuWc9BqF6BSExLoA0EgaIB+VaMFdX5qOS5hapXs8U5NEbp
+tLQHyw9RIfuteizSyJ0SB/grdbFa7APSj7n6tLz9C50C9pUzD0QAJn3l3qFVJxmz
+Shs6RV/w6BcwNlwH3bSL1r564i1X8cltzi1dh1ZAvLaumST3ijW9+Zdke3xusx+W
+cpZMou0o6zZl0FmboQzL0DYiT0aG4LCZYnlY1H7f5iKY5vlIf2l8kYDOLsJoORCt
+JbPSC/oizwYNqm1Zm7LH2kWnXl61/EpzKCFHzyQ5GfxikCF/siD1ywIcf8Kf9n4c
+LFR3kMOkKhJziZjRpfxwULS43YrGJPl2YBnyujDQzh9ujP5LuEHh5ZXaHUynkzRn
+lJUOD53kim98Syxq+bwksuUkDaUkOUBaHqHianNbv8dsTPgTdaiqOSR2qeldVz++
+/OQyVJeZDCxqyst1RZDbgWEohwKUk2hRo/xak/KLLniaH/qlHN5A0M4NaPr/vWAV
+FdqzOBU=
+=3pWH
+-----END PGP PUBLIC KEY BLOCK-----

pkg/arch/build.sh

@@ -5,20 +5,19 @@ set -euxo pipefail
 export PKGEXT='.pkg.tar.zst'
 export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
 
-# Create user
-useradd -m -g wheel -s /bin/sh tester
-echo "nobody ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
-chown -R nobody:wheel .
+# Import GPG key
+echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
+export GPG_TTY=$(tty)
 
-# Install makepkg deps
-pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
-
-# Build the packages as `nobody' user
-# TODO: use --sign --key <key>
-pushd pkg/arch/surface
-su nobody -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
+# Build the packages as `build' user
+pushd surface
+makepkg -f --syncdeps --skippgpcheck --noconfirm
+# Sign as a separate step (makepkg -s needs pinentry)
+makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
 popd
 
-pushd pkg/arch/kernel
-# su nobody -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
+pushd kernel
+makepkg -f --syncdeps --skippgpcheck --noconfirm
+# Sign as a separate step (makepkg -s needs pinentry)
+makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
 popd