Package signing.
parent
6aecec2e75
commit
ec0c9b8a9f
20
.github/workflows/release.yml
vendored
20
.github/workflows/release.yml
vendored
|
@ -3,7 +3,7 @@ on:
|
||||||
branches:
|
branches:
|
||||||
- feature/pkg
|
- feature/pkg
|
||||||
# tags:
|
# tags:
|
||||||
# - 'v[0-9]+.[0-9]+.[0-9]*'
|
# - 'v*+'
|
||||||
|
|
||||||
name: Create release and upload binaries
|
name: Create release and upload binaries
|
||||||
|
|
||||||
|
@ -17,10 +17,26 @@ jobs:
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
- name: Build
|
- name: Build
|
||||||
|
env:
|
||||||
|
GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
|
||||||
|
GPG_PASSPHRASE: ${{ secrets.GITHUB_GPG_PASSPHRASE }}
|
||||||
run: |
|
run: |
|
||||||
pkg/arch/build.sh
|
pushd pkg/arch
|
||||||
|
# Create user
|
||||||
|
useradd -m -g wheel -s /bin/bash build
|
||||||
|
echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
|
||||||
|
chown -R build:wheel .
|
||||||
|
chown -R build:wheel $HOME
|
||||||
|
|
||||||
|
# Install makepkg deps
|
||||||
|
pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
|
||||||
|
|
||||||
|
# Build
|
||||||
|
su build --pty -s /bin/bash -c './build.sh'
|
||||||
|
popd
|
||||||
mkdir release
|
mkdir release
|
||||||
mv pkg/arch/**/*.pkg.tar.zst* release
|
mv pkg/arch/**/*.pkg.tar.zst* release
|
||||||
|
|
||||||
- name: Upload artifacts
|
- name: Upload artifacts
|
||||||
uses: actions/upload-artifact@v1
|
uses: actions/upload-artifact@v1
|
||||||
with:
|
with:
|
||||||
|
|
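Review bot: `GPG_KEY` and `GPG_PASSPHRASE` are set in the `env:` of the whole Build step, so the private signing key and its passphrase sit in the environment of `pacman -Sy …` and of everything `./build.sh` runs as the `build` user, who is also given `NOPASSWD: ALL`. Any package build script or dependency that executes in that step can read both values. I would build in one step without the secrets and sign the resulting `*.pkg.tar.zst` files in a following step that is the only one carrying the `env:` block. Also check the secret names: as far as I know GitHub rejects secret names that start with `GITHUB_`, in which case `secrets.GITHUB_GPG_KEY` would expand to an empty string. Minor: `chown -R build:wheel $HOME` should quote `"$HOME"`.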
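--- a/keys/archseer.asc
+++ b/keys/archseer.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF4WdPwBEAC2lQtBmmbStc6+ISlWYyfeAve2nSSl5y7f7RbbPcA62bMnpz8p
+o9goyvXyhJn74J0c6QOvjFZYqlgn9zFK2RJDZnAxbiXJAIO15xTIZTNmPKO9Ea/V
+hXx5Bqq4LbM2sTSmK13dlYHU1VpKUXOOPkx039lmIL/h0Rv5kncNdGp7Sv45pisE
+2p+5zU3waypMu7hzlUnlkXAmI1I9Etvj0HT5J8Ko5Ht4PJdcNt8qdzO5uLnd2bt8
+16C8+Kb+bIt/onbCbcRY46bKo5a2fRuXU4zf/v+jY0m6+lqCAexqYQwvjJNs8a6U
+m0lZWnq3qoLF6eoqSBWBiA/y1N3GmR+9sZYTaI0xqr2ZUZTD1sZSVnlTO3kwrlpC
+MF73r2MR2foT9g7cWNV6C1RKAffeb9Lyl8Pq6dgNZ7FvQWG3yjf4d8gDXdEA/MuY
+89BWSb8gpgPIRkA+ViL/y0ZcEbjBLuRGFtphyv+mQk4MqT9svuiRadsrQsOysO69
+V06LMT7YUIP8HJSLetfeEfSkBlaCWisiQv796HMXSq3OGxOB9zHHJWO0A/zWpZ3t
+3EGQUI1IN6zRHsKfXkr6lbzkVvolZsCsIgM2bxaJXoXMuFPs22vKB1Axkdwltg9c
+UwdG0PChf6iesMR8Xkier2G+XRI7pjn4pnhJIKLdBE+TtOH7GqFr/52dCwARAQAB
+tDlCbGHFviBIcmFzdG5payAoU3VyZmFjZSBMaW51eCBzaWduaW5nIGtleSkgPGJs
+YXpAbXh4bi5pbz6JAjcEEwEKACEFAl4WdPwCGwMFCwkIBwMFFQoJCAsFFgIDAQAC
+HgECF4AACgkQW1dNG1E/mgVyvxAAhomDd7F+8NhbCSW1bHtfI1TQJBwZftYgVxIH
+or9Dk1kdBB7M8K+Y8FqKl1kt724odL4qZSNL7unTCk0h1+EtkQcAIy/DEHLwKD+z
+WEOJ1MDZpuvrdAWA9oeQeL8Uoo80HLI3y3R1QHM25gLuR/gpKwbe4JrIUhj6eRiB
+IBGXImypsLiEDx4bL/HuWc9BqF6BSExLoA0EgaIB+VaMFdX5qOS5hapXs8U5NEbp
+tLQHyw9RIfuteizSyJ0SB/grdbFa7APSj7n6tLz9C50C9pUzD0QAJn3l3qFVJxmz
+Shs6RV/w6BcwNlwH3bSL1r564i1X8cltzi1dh1ZAvLaumST3ijW9+Zdke3xusx+W
+cpZMou0o6zZl0FmboQzL0DYiT0aG4LCZYnlY1H7f5iKY5vlIf2l8kYDOLsJoORCt
+JbPSC/oizwYNqm1Zm7LH2kWnXl61/EpzKCFHzyQ5GfxikCF/siD1ywIcf8Kf9n4c
+LFR3kMOkKhJziZjRpfxwULS43YrGJPl2YBnyujDQzh9ujP5LuEHh5ZXaHUynkzRn
+lJUOD53kim98Syxq+bwksuUkDaUkOUBaHqHianNbv8dsTPgTdaiqOSR2qeldVz++
+/OQyVJeZDCxqyst1RZDbgWEohwKUk2hRo/xak/KLLniaH/qlHN5A0M4NaPr/vWAV
+FdqzOBU=
+=3pWH
+-----END PGP PUBLIC KEY BLOCK-----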
|
@ -5,20 +5,19 @@ set -euxo pipefail
|
||||||
export PKGEXT='.pkg.tar.zst'
|
export PKGEXT='.pkg.tar.zst'
|
||||||
export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
|
export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
|
||||||
|
|
||||||
# Create user
|
# Import GPG key
|
||||||
useradd -m -g wheel -s /bin/sh tester
|
echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
|
||||||
echo "nobody ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
|
export GPG_TTY=$(tty)
|
||||||
chown -R nobody:wheel .
|
|
||||||
|
|
||||||
# Install makepkg deps
|
# Build the packages as `build' user
|
||||||
pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
|
pushd surface
|
||||||
|
makepkg -f --syncdeps --skippgpcheck --noconfirm
|
||||||
# Build the packages as `nobody' user
|
# Sign as a separate step (makepkg -s needs pinentry)
|
||||||
# TODO: use --sign --key <key>
|
makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
|
||||||
pushd pkg/arch/surface
|
|
||||||
su nobody -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
|
|
||||||
popd
|
popd
|
||||||
|
|
||||||
pushd pkg/arch/kernel
|
pushd kernel
|
||||||
# su nobody -p -s /bin/bash -c 'makepkg -f --syncdeps --skippgpcheck --noconfirm'
|
makepkg -f --syncdeps --skippgpcheck --noconfirm
|
||||||
|
# Sign as a separate step (makepkg -s needs pinentry)
|
||||||
|
makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
|
||||||
popd
|
popd
|
||||||
|
|
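Review bot: Both signing lines pass the secret as `--passphrase $GPG_PASSPHRASE` on gpg's command line, unquoted, in a script whose hunk header shows `set -euxo pipefail`. The xtrace output therefore carries the expanded passphrase into the job log unless log masking catches it, the value is visible in the process list while gpg runs, and a passphrase containing whitespace or glob characters would be word-split; `echo "$GPG_KEY"` in the import line is traced the same way. I would switch tracing off around the secret handling (before the import line as well) and hand the passphrase to gpg on a file descriptor with `--passphrase-fd`, reading the package list in a loop because a single descriptor cannot be shared across the gpg processes xargs spawns. Separately, `-u 5B574D1B513F9A05` selects the key by its 64-bit ID; the full fingerprint is the safer selector. The script starts and continues outside this hunk.

```shell
# … unchanged: exports, key import, pushd surface, makepkg build …
set +x  # keep the passphrase out of the xtrace output
makepkg --packagelist | while IFS= read -r pkg; do
  gpg --detach-sign --batch --no-tty --pinentry-mode=loopback \
    --passphrase-fd 3 -u 5B574D1B513F9A05 "$pkg" 3<<<"$GPG_PASSPHRASE"
done
set -x
# … unchanged: popd; the same loop replaces the xargs line in the kernel block …
```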