From ec0c9b8a9f8c1c8a72c0c8922649450c7a903639 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bla=C5=BE=20Hrastnik?= Date: Thu, 9 Jan 2020 09:42:47 +0900 Subject: [PATCH] Package signing. --- .github/workflows/release.yml | 20 ++++++++++++++++++-- keys/archseer.asc | 29 +++++++++++++++++++++++++++++ pkg/arch/build.sh | 25 ++++++++++++------------- 3 files changed, 59 insertions(+), 15 deletions(-) create mode 100644 keys/archseer.asc diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 833536c40..6cc7c19db 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,7 +3,7 @@ on: branches: - feature/pkg # tags: - # - 'v[0-9]+.[0-9]+.[0-9]*' + # - 'v*+' name: Create release and upload binaries @@ -17,10 +17,26 @@ jobs: uses: actions/checkout@v2 - name: Build + env: + GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }} + GPG_PASSPHRASE: ${{ secrets.GITHUB_GPG_PASSPHRASE }} run: | - pkg/arch/build.sh + pushd pkg/arch + # Create user + useradd -m -g wheel -s /bin/bash build + echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers + chown -R build:wheel . + chown -R build:wheel $HOME + + # Install makepkg deps + pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm + + # Build + su build --pty -s /bin/bash -c './build.sh' + popd mkdir release mv pkg/arch/**/*.pkg.tar.zst* release + - name: Upload artifacts uses: actions/upload-artifact@v1 with: diff --git a/keys/archseer.asc b/keys/archseer.asc new file mode 100644 index 000000000..5a2cc33ca --- /dev/null +++ b/keys/archseer.asc 
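Review bot: In the Build step's run block, `chown -R build:wheel $HOME` leaves `$HOME` unquoted, and `echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers` appends to sudoers without the syntax check `visudo -c` provides, so a malformed line would surface only as a failed `sudo` inside build.sh rather than here. The `NOPASSWD: ALL` grant is also wider than the build appears to need; if `makepkg --syncdeps` is the only sudo consumer, `build ALL=(ALL) NOPASSWD: /usr/bin/pacman` would do, though that should be confirmed against what build.sh actually runs. `su build --pty -s /bin/bash -c './build.sh'` drops the `-p` the old script used and so relies on su keeping GPG_KEY and GPG_PASSPHRASE exported (presumably util-linux su without `-l`, which only resets HOME/SHELL/USER/LOGNAME); a one-line comment such as `# su without -l/-p keeps GPG_KEY/GPG_PASSPHRASE in the environment for build.sh` would make that dependency explicit.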
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF4WdPwBEAC2lQtBmmbStc6+ISlWYyfeAve2nSSl5y7f7RbbPcA62bMnpz8p +o9goyvXyhJn74J0c6QOvjFZYqlgn9zFK2RJDZnAxbiXJAIO15xTIZTNmPKO9Ea/V +hXx5Bqq4LbM2sTSmK13dlYHU1VpKUXOOPkx039lmIL/h0Rv5kncNdGp7Sv45pisE +2p+5zU3waypMu7hzlUnlkXAmI1I9Etvj0HT5J8Ko5Ht4PJdcNt8qdzO5uLnd2bt8 +16C8+Kb+bIt/onbCbcRY46bKo5a2fRuXU4zf/v+jY0m6+lqCAexqYQwvjJNs8a6U +m0lZWnq3qoLF6eoqSBWBiA/y1N3GmR+9sZYTaI0xqr2ZUZTD1sZSVnlTO3kwrlpC +MF73r2MR2foT9g7cWNV6C1RKAffeb9Lyl8Pq6dgNZ7FvQWG3yjf4d8gDXdEA/MuY +89BWSb8gpgPIRkA+ViL/y0ZcEbjBLuRGFtphyv+mQk4MqT9svuiRadsrQsOysO69 +V06LMT7YUIP8HJSLetfeEfSkBlaCWisiQv796HMXSq3OGxOB9zHHJWO0A/zWpZ3t +3EGQUI1IN6zRHsKfXkr6lbzkVvolZsCsIgM2bxaJXoXMuFPs22vKB1Axkdwltg9c +UwdG0PChf6iesMR8Xkier2G+XRI7pjn4pnhJIKLdBE+TtOH7GqFr/52dCwARAQAB +tDlCbGHFviBIcmFzdG5payAoU3VyZmFjZSBMaW51eCBzaWduaW5nIGtleSkgPGJs +YXpAbXh4bi5pbz6JAjcEEwEKACEFAl4WdPwCGwMFCwkIBwMFFQoJCAsFFgIDAQAC +HgECF4AACgkQW1dNG1E/mgVyvxAAhomDd7F+8NhbCSW1bHtfI1TQJBwZftYgVxIH +or9Dk1kdBB7M8K+Y8FqKl1kt724odL4qZSNL7unTCk0h1+EtkQcAIy/DEHLwKD+z +WEOJ1MDZpuvrdAWA9oeQeL8Uoo80HLI3y3R1QHM25gLuR/gpKwbe4JrIUhj6eRiB +IBGXImypsLiEDx4bL/HuWc9BqF6BSExLoA0EgaIB+VaMFdX5qOS5hapXs8U5NEbp +tLQHyw9RIfuteizSyJ0SB/grdbFa7APSj7n6tLz9C50C9pUzD0QAJn3l3qFVJxmz +Shs6RV/w6BcwNlwH3bSL1r564i1X8cltzi1dh1ZAvLaumST3ijW9+Zdke3xusx+W +cpZMou0o6zZl0FmboQzL0DYiT0aG4LCZYnlY1H7f5iKY5vlIf2l8kYDOLsJoORCt +JbPSC/oizwYNqm1Zm7LH2kWnXl61/EpzKCFHzyQ5GfxikCF/siD1ywIcf8Kf9n4c +LFR3kMOkKhJziZjRpfxwULS43YrGJPl2YBnyujDQzh9ujP5LuEHh5ZXaHUynkzRn +lJUOD53kim98Syxq+bwksuUkDaUkOUBaHqHianNbv8dsTPgTdaiqOSR2qeldVz++ +/OQyVJeZDCxqyst1RZDbgWEohwKUk2hRo/xak/KLLniaH/qlHN5A0M4NaPr/vWAV +FdqzOBU= +=3pWH +-----END PGP PUBLIC KEY BLOCK----- diff --git a/pkg/arch/build.sh b/pkg/arch/build.sh index 26883be0c..e6e8644ad 100755 --- a/pkg/arch/build.sh +++ b/pkg/arch/build.sh 
@@ -5,20 +5,19 @@ set -euxo pipefail
 export PKGEXT='.pkg.tar.zst'
 export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
 
-# Create user
-useradd -m -g wheel -s /bin/sh tester
-echo "nobody ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
-chown -R nobody:wheel .
+# Import GPG key
+echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
+export GPG_TTY=$(tty)
 
-# Install makepkg deps
-pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
-
-# Build the packages as `nobody' user
-# TODO: use --sign --key
-pushd pkg/arch/surface
-su nobody -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
+# Build the packages as `build' user
+pushd surface
+makepkg -f --syncdeps --skippgpcheck --noconfirm
+# Sign as a separate step (makepkg -s needs pinentry)
+makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
 popd
 
-pushd pkg/arch/kernel
-# su nobody -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
+pushd kernel
+makepkg -f --syncdeps --skippgpcheck --noconfirm
+# Sign as a separate step (makepkg -s needs pinentry)
+makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
 popd
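Review bot: Both new signing lines pass the secret on the command line, `--passphrase $GPG_PASSPHRASE`, while the script runs under `set -euxo pipefail` (hunk header), so the expanded passphrase is written by `-x` into the CI log and is readable via `ps` by anything else in the container for the duration of each gpg call; the expansion is also unquoted, so a passphrase containing whitespace is split into several arguments. GitHub Actions' secret masking presumably scrubs the literal value from the log, but that is a last line of defence rather than a fix. Feeding the passphrase through `--passphrase-fd 0` from a here-string keeps it off argv and out of the xtrace output (bash does not echo redirections in `-x`), and putting the per-package loop in a `sign_packages` helper removes the duplicated line in the kernel block as well.
```shell
# Sign every package makepkg just built. The passphrase is supplied on stdin
# (--passphrase-fd 0) so it never appears in argv, `ps` or the set -x trace.
sign_packages() {
  local pkg
  while IFS= read -r pkg; do
    gpg --detach-sign --batch --no-tty --pinentry-mode=loopback \
      --passphrase-fd 0 -u 5B574D1B513F9A05 "$pkg" <<<"$GPG_PASSPHRASE"
  done < <(makepkg --packagelist)
}

# Build the packages as `build' user
pushd surface
makepkg -f --syncdeps --skippgpcheck --noconfirm
sign_packages
popd
# … unchanged: kernel block, with sign_packages replacing the xargs line …
```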