Package signing.
parent
6aecec2e75
commit
ec0c9b8a9f
20
.github/workflows/release.yml
vendored
20
.github/workflows/release.yml
vendored
|
@ -3,7 +3,7 @@ on:
|
|||
branches:
|
||||
- feature/pkg
|
||||
# tags:
|
||||
# - 'v[0-9]+.[0-9]+.[0-9]*'
|
||||
# - 'v*+'
|
||||
|
||||
name: Create release and upload binaries
|
||||
|
||||
|
@ -17,10 +17,26 @@ jobs:
|
|||
uses: actions/checkout@v2
|
||||
|
||||
- name: Build
|
||||
env:
|
||||
GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
|
||||
GPG_PASSPHRASE: ${{ secrets.GITHUB_GPG_PASSPHRASE }}
|
||||
run: |
|
||||
pkg/arch/build.sh
|
||||
pushd pkg/arch
|
||||
# Create user
|
||||
useradd -m -g wheel -s /bin/bash build
|
||||
echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
|
||||
chown -R build:wheel .
|
||||
chown -R build:wheel $HOME
|
||||
|
||||
# Install makepkg deps
|
||||
pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
|
||||
|
||||
# Build
|
||||
su build --pty -s /bin/bash -c './build.sh'
|
||||
popd
|
||||
mkdir release
|
||||
mv pkg/arch/**/*.pkg.tar.zst* release
|
||||
|
||||
- name: Upload artifacts
|
||||
uses: actions/upload-artifact@v1
|
||||
with:
|
||||
|
|
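Review bot: The `env:` block puts `GPG_KEY` and `GPG_PASSPHRASE` on the whole `Build` step, so `pacman -Sy ...` and everything started by `su build --pty -s /bin/bash -c './build.sh'`, including the PKGBUILDs, runs with the private signing key and its passphrase in the environment. Building in a step without secrets and signing the finished `*.pkg.tar.zst` files in a later step that alone carries the `env:` block would keep the key away from build-time code. `echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers` also gives the build user unrestricted root; if sudo is only needed for `makepkg --syncdeps`, `build ALL=(ALL) NOPASSWD: /usr/bin/pacman` is narrower. Separately, GitHub does not accept secret names that start with `GITHUB_`, so `secrets.GITHUB_GPG_KEY` and `secrets.GITHUB_GPG_PASSPHRASE` probably need renaming. The +/- markers are lost on this page, so which lines are new is inferred from the commit title.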
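--- /dev/null
+++ b/keys/archseer.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF4WdPwBEAC2lQtBmmbStc6+ISlWYyfeAve2nSSl5y7f7RbbPcA62bMnpz8p
+o9goyvXyhJn74J0c6QOvjFZYqlgn9zFK2RJDZnAxbiXJAIO15xTIZTNmPKO9Ea/V
+hXx5Bqq4LbM2sTSmK13dlYHU1VpKUXOOPkx039lmIL/h0Rv5kncNdGp7Sv45pisE
+2p+5zU3waypMu7hzlUnlkXAmI1I9Etvj0HT5J8Ko5Ht4PJdcNt8qdzO5uLnd2bt8
+16C8+Kb+bIt/onbCbcRY46bKo5a2fRuXU4zf/v+jY0m6+lqCAexqYQwvjJNs8a6U
+m0lZWnq3qoLF6eoqSBWBiA/y1N3GmR+9sZYTaI0xqr2ZUZTD1sZSVnlTO3kwrlpC
+MF73r2MR2foT9g7cWNV6C1RKAffeb9Lyl8Pq6dgNZ7FvQWG3yjf4d8gDXdEA/MuY
+89BWSb8gpgPIRkA+ViL/y0ZcEbjBLuRGFtphyv+mQk4MqT9svuiRadsrQsOysO69
+V06LMT7YUIP8HJSLetfeEfSkBlaCWisiQv796HMXSq3OGxOB9zHHJWO0A/zWpZ3t
+3EGQUI1IN6zRHsKfXkr6lbzkVvolZsCsIgM2bxaJXoXMuFPs22vKB1Axkdwltg9c
+UwdG0PChf6iesMR8Xkier2G+XRI7pjn4pnhJIKLdBE+TtOH7GqFr/52dCwARAQAB
+tDlCbGHFviBIcmFzdG5payAoU3VyZmFjZSBMaW51eCBzaWduaW5nIGtleSkgPGJs
+YXpAbXh4bi5pbz6JAjcEEwEKACEFAl4WdPwCGwMFCwkIBwMFFQoJCAsFFgIDAQAC
+HgECF4AACgkQW1dNG1E/mgVyvxAAhomDd7F+8NhbCSW1bHtfI1TQJBwZftYgVxIH
+or9Dk1kdBB7M8K+Y8FqKl1kt724odL4qZSNL7unTCk0h1+EtkQcAIy/DEHLwKD+z
+WEOJ1MDZpuvrdAWA9oeQeL8Uoo80HLI3y3R1QHM25gLuR/gpKwbe4JrIUhj6eRiB
+IBGXImypsLiEDx4bL/HuWc9BqF6BSExLoA0EgaIB+VaMFdX5qOS5hapXs8U5NEbp
+tLQHyw9RIfuteizSyJ0SB/grdbFa7APSj7n6tLz9C50C9pUzD0QAJn3l3qFVJxmz
+Shs6RV/w6BcwNlwH3bSL1r564i1X8cltzi1dh1ZAvLaumST3ijW9+Zdke3xusx+W
+cpZMou0o6zZl0FmboQzL0DYiT0aG4LCZYnlY1H7f5iKY5vlIf2l8kYDOLsJoORCt
+JbPSC/oizwYNqm1Zm7LH2kWnXl61/EpzKCFHzyQ5GfxikCF/siD1ywIcf8Kf9n4c
+LFR3kMOkKhJziZjRpfxwULS43YrGJPl2YBnyujDQzh9ujP5LuEHh5ZXaHUynkzRn
+lJUOD53kim98Syxq+bwksuUkDaUkOUBaHqHianNbv8dsTPgTdaiqOSR2qeldVz++
+/OQyVJeZDCxqyst1RZDbgWEohwKUk2hRo/xak/KLLniaH/qlHN5A0M4NaPr/vWAV
+FdqzOBU=
+=3pWH
+-----END PGP PUBLIC KEY BLOCK-----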
|
@ -5,20 +5,19 @@ set -euxo pipefail
|
|||
export PKGEXT='.pkg.tar.zst'
|
||||
export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
|
||||
|
||||
# Create user
|
||||
useradd -m -g wheel -s /bin/sh tester
|
||||
echo "nobody ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
|
||||
chown -R nobody:wheel .
|
||||
# Import GPG key
|
||||
echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
|
||||
export GPG_TTY=$(tty)
|
||||
|
||||
# Install makepkg deps
|
||||
pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
|
||||
|
||||
# Build the packages as `nobody' user
|
||||
# TODO: use --sign --key <key>
|
||||
pushd pkg/arch/surface
|
||||
su nobody -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
|
||||
# Build the packages as `build' user
|
||||
pushd surface
|
||||
makepkg -f --syncdeps --skippgpcheck --noconfirm
|
||||
# Sign as a separate step (makepkg -s needs pinentry)
|
||||
makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
|
||||
popd
|
||||
|
||||
pushd pkg/arch/kernel
|
||||
# su nobody -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
|
||||
pushd kernel
|
||||
makepkg -f --syncdeps --skippgpcheck --noconfirm
|
||||
# Sign as a separate step (makepkg -s needs pinentry)
|
||||
makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
|
||||
popd
|
||||
|
|
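Review bot: Both signing lines pass the passphrase as `--passphrase $GPG_PASSPHRASE` while the script runs under `set -euxo pipefail` (visible in the hunk header), so the expanded value sits in gpg's argv, readable from the process list, and is echoed by xtrace into the CI log, leaving log masking as the only protection; being unquoted, it is also word-split. Reading it from a file descriptor with `--passphrase-fd`, as sketched below for the `surface` block and equally for `kernel`, keeps it out of both, and a `set +x` before `echo "$GPG_KEY" | base64 -d | gpg --import ...` would keep the key material out of the trace as well. The packages are built with `--skippgpcheck` and then signed, so the signature vouches for sources whose upstream signatures were never checked, and the private key is imported before the build runs rather than after it. The file header for this section is missing from the page (presumably `pkg/arch/build.sh`) and the script starts above the hunk.

```shell
# … unchanged: pushd surface; makepkg -f --syncdeps --skippgpcheck --noconfirm …
# Sign as a separate step; the passphrase is read from fd 3, not from argv
makepkg --packagelist | while IFS= read -r pkg; do
  gpg --detach-sign --batch --no-tty --pinentry-mode=loopback \
      --passphrase-fd 3 -u 5B574D1B513F9A05 "$pkg" 3<<<"$GPG_PASSPHRASE"
done
# … unchanged: popd; same change in the kernel block …
```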