Sign tarball in release using GPG

2026-05-14 08:41:28 +00:00 · 2021-06-16 13:24:25 +02:00
parent 364d59fdf7
commit 74355b128a
1 changed files with 23 additions and 2 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -52,13 +52,14 @@ jobs:
        with:
          name: buildkit-win.zip
          path: target/buildkit-win.zip
-          
+
  release:
    name: Draft a Release on GitHub Releases
    runs-on: ubuntu-latest
    needs: build
    if: startsWith(github.ref, 'refs/tags/') && github.repository == 'cryptomator/cryptomator'
    steps:
+      - uses: actions/checkout@v2
      - name: Download buildkit-linux.zip
        uses: actions/download-artifact@v1
        with:
@@ -74,6 +75,17 @@ jobs:
        with:
          name: buildkit-win.zip
          path: .
+      - name: Create tarball
+        run: git archive --prefix="cryptomator-${{ github.ref }}/" -o ${{ github.ref }}.tar.gz ${{ github.ref }}
+      - name: Prepare GPG-Agent to sign tarball with key 615D449FE6E6A235
+        run: |
+          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
+          echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --dry-run --sign ${{ github.ref }}.tar.gz
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+      - name: Sign tarball
+        run: gpg --batch --quiet --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a ${{ github.ref }}.tar.gz
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
@@ -127,4 +139,13 @@ jobs:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: buildkit-win.zip
          asset_name: buildkit-win.zip
-          asset_content_type: application/zip
+          asset_content_type: application/zip
+      - name: Upload tarball signature to GitHub Releases
+        uses: actions/upload-release-asset@v1.0.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ${{ github.ref }}.tar.gz.asc
+          asset_name: ${{ github.ref }}.tar.gz.asc
+          asset_content_type: application/octet-stream