From 74355b128a8ea1f0defe630e53efb69717b016b9 Mon Sep 17 00:00:00 2001 From: Julian Raufelder Date: Wed, 16 Jun 2021 13:24:25 +0200 Subject: [PATCH 1/3] Sign tarball in release using GPG --- .github/workflows/build.yml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3cf0cb845..62990ca23 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -52,13 +52,14 @@ jobs: with: name: buildkit-win.zip path: target/buildkit-win.zip - + release: name: Draft a Release on GitHub Releases runs-on: ubuntu-latest needs: build if: startsWith(github.ref, 'refs/tags/') && github.repository == 'cryptomator/cryptomator' steps: + - uses: actions/checkout@v2 - name: Download buildkit-linux.zip uses: actions/download-artifact@v1 with: @@ -74,6 +75,17 @@ jobs: with: name: buildkit-win.zip path: . + - name: Create tarball + run: git archive --prefix="cryptomator-${{ github.ref }}/" -o ${{ github.ref }}.tar.gz ${{ github.ref }} + - name: Prepare GPG-Agent to sign tarball with key 615D449FE6E6A235 + run: | + echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import + echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --dry-run --sign ${{ github.ref }}.tar.gz + env: + GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} + GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} + - name: Sign tarball + run: gpg --batch --quiet --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a ${{ github.ref }}.tar.gz - name: Create Release id: create_release uses: actions/create-release@v1 
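Review bot: The new `- uses: actions/checkout@v2` step in the release job takes the action's default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is written into `.git/config` and stays there while the later third-party steps and the GPG secret-key import run in the same workspace. The checkout only has to feed `git archive`, which needs no credentials, so `with: persist-credentials: false` is enough here. Pinning the action to a full commit SHA rather than the moving `v2` tag would also fix exactly which code runs in the release job.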
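Review bot: The `Create tarball` step passes `${{ github.ref }}` straight into the output path, but on a tag push that value is the full `refs/tags/<tag>` string (the job's own `if: startsWith(github.ref, 'refs/tags/')` guard in the preceding hunk relies on exactly that), so `-o ${{ github.ref }}.tar.gz` points into a `refs/tags/` directory that does not exist in the workspace and, as far as I can tell, `git archive` will not create it; the `--prefix`, the signing line and the `.asc` asset names in the following hunks (`@@ -127,4` here, `@@ -77,15` in patch 2, `@@ -76,11` and `@@ -144,6` in patch 3) inherit the same value. Deriving a plain tag name first, e.g. `TAG="${GITHUB_REF#refs/tags/}"` in the step's shell, and using `cryptomator-${TAG}.tar.gz` everywhere would give a flat file name that also lines up with the naming of the other assets. Separately, `${{ github.ref }}` is expanded into the `run:` text before the shell sees it; the signing step already passes its secrets through `env:`, and the ref should travel the same way so the shell, not the template engine, does the quoting.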
@@ -127,4 +139,13 @@ jobs: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_path: buildkit-win.zip asset_name: buildkit-win.zip - asset_content_type: application/zip \ No newline at end of file + asset_content_type: application/zip + - name: Upload tarball signature to GitHub Releases + uses: actions/upload-release-asset@v1.0.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: ${{ github.ref }}.tar.gz.asc + asset_name: ${{ github.ref }}.tar.gz.asc + asset_content_type: application/octet-stream \ No newline at end of file From b15cda260e35ca7f6a9a0cf4fa94c07ead89439c Mon Sep 17 00:00:00 2001 From: Julian Raufelder Date: Wed, 16 Jun 2021 12:13:49 +0000 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Sebastian Stenzel --- .github/workflows/build.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 62990ca23..0539bec21 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
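Review bot: The new upload step publishes only `${{ github.ref }}.tar.gz.asc` as a release asset; the `.tar.gz` that signature covers is produced earlier in the job but never uploaded, so a downloader has nothing on the release page to run `gpg --verify` against unless the intent is that it matches GitHub's auto-generated source archive — and nothing in the workflow checks that the locally built archive and GitHub's are byte-identical, which the workflow itself cannot guarantee. Either upload the tarball as a second asset with the same naming, or state in the release body which archive the signature applies to. The asset name also carries the `refs/tags/` prefix raised on the earlier hunk.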
@@ -77,15 +77,13 @@ jobs: path: . - name: Create tarball run: git archive --prefix="cryptomator-${{ github.ref }}/" -o ${{ github.ref }}.tar.gz ${{ github.ref }} - - name: Prepare GPG-Agent to sign tarball with key 615D449FE6E6A235 + - name: Sign tarball with key 615D449FE6E6A235 run: | echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import - echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --dry-run --sign ${{ github.ref }}.tar.gz + echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a ${{ github.ref }}.tar.gz env: GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} - - name: Sign tarball - run: gpg --batch --quiet --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a ${{ github.ref }}.tar.gz - name: Create Release id: create_release uses: actions/create-release@v1 @@ -148,4 +146,4 @@ jobs: upload_url: ${{ steps.create_release.outputs.upload_url }} asset_path: ${{ github.ref }}.tar.gz.asc asset_name: ${{ github.ref }}.tar.gz.asc - asset_content_type: application/octet-stream \ No newline at end of file + asset_content_type: application/octet-stream From 08cbfd47eaa7f086afd4bd3fa0574e699f07c7a6 Mon Sep 17 00:00:00 2001 From: Julian Raufelder Date: Wed, 16 Jun 2021 14:19:14 +0200 Subject: [PATCH 3/3] Prefix signature of tarball in release with cryptomator To apply convention of the other release assets --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0539bec21..21ef6aca2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
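Review bot: The merged signing step imports the release secret key into the runner's default `~/.gnupg` and leaves it there for the rest of the job, where `actions/create-release@v1` and `actions/upload-release-asset@v1.0.1` run afterwards on the same filesystem, and it never checks that the produced `.asc` actually verifies against the tarball. Using a throwaway `GNUPGHOME` that is removed once the signature exists, plus a `gpg --verify` before anything is uploaded, keeps the key scoped to this step and catches a bad signature before it is published. The two existing `gpg` lines stay as they are.
```yaml
      - name: Sign tarball with key 615D449FE6E6A235
        run: |
          export GNUPGHOME="$(mktemp -d)"
          # … unchanged: gpg --import and gpg --detach-sign lines …
          gpg --batch --quiet --verify "${{ github.ref }}.tar.gz.asc" "${{ github.ref }}.tar.gz"
          gpgconf --kill gpg-agent
          rm -rf "${GNUPGHOME}"
```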
@@ -76,11 +76,11 @@ jobs: name: buildkit-win.zip path: . - name: Create tarball - run: git archive --prefix="cryptomator-${{ github.ref }}/" -o ${{ github.ref }}.tar.gz ${{ github.ref }} + run: git archive --prefix="cryptomator-${{ github.ref }}/" -o "cryptomator-${{ github.ref }}.tar.gz" ${{ github.ref }} - name: Sign tarball with key 615D449FE6E6A235 run: | echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import - echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a ${{ github.ref }}.tar.gz + echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a "cryptomator-${{ github.ref }}.tar.gz" env: GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} @@ -144,6 +144,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ${{ github.ref }}.tar.gz.asc - asset_name: ${{ github.ref }}.tar.gz.asc + asset_path: "cryptomator-${{ github.ref }}.tar.gz.asc" + asset_name: "cryptomator-${{ github.ref }}.tar.gz.asc" asset_content_type: application/octet-stream
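Review bot: The two `run:` lines now quote the output path, but the value inside the quotes is still substituted by the expression engine (`${{ github.ref }}`) before the shell runs, so the quoting only guards against whitespace the template happens to produce, and the path still contains the `refs/tags/` segment noted on patch 1. The signing step already routes its two secrets through `env:`; giving each of the two steps a `TAG_REF: ${{ github.ref }}` entry there and referencing `"${TAG_REF#refs/tags/}"` in both lines keeps substitution in the shell and drops the ref prefix in one place, e.g. `-o "cryptomator-${TAG_REF#refs/tags/}.tar.gz"`. The tree-ish argument to `git archive` can stay the full ref as `"${TAG_REF}"`.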