From 74355b128a8ea1f0defe630e53efb69717b016b9 Mon Sep 17 00:00:00 2001
From: Julian Raufelder <Julian@Raufelder.com>
Date: Wed, 16 Jun 2021 13:24:25 +0200
Subject: [PATCH] Sign tarball in release using GPG

---
 .github/workflows/build.yml | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3cf0cb845..62990ca23 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -52,13 +52,14 @@ jobs:
         with:
           name: buildkit-win.zip
           path: target/buildkit-win.zip
-          
+
   release:
     name: Draft a Release on GitHub Releases
     runs-on: ubuntu-latest
     needs: build
     if: startsWith(github.ref, 'refs/tags/') && github.repository == 'cryptomator/cryptomator'
     steps:
+      - uses: actions/checkout@v2
       - name: Download buildkit-linux.zip
         uses: actions/download-artifact@v1
         with:
@@ -74,6 +75,17 @@ jobs:
         with:
           name: buildkit-win.zip
           path: .
+      - name: Create tarball
+        run: git archive --prefix="cryptomator-${{ github.ref }}/" -o ${{ github.ref }}.tar.gz ${{ github.ref }}
+      - name: Prepare GPG-Agent to sign tarball with key 615D449FE6E6A235
+        run: |
+          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
+          echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --dry-run --sign ${{ github.ref }}.tar.gz
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+      - name: Sign tarball
+        run: gpg --batch --quiet --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a ${{ github.ref }}.tar.gz
       - name: Create Release
         id: create_release
         uses: actions/create-release@v1
@@ -127,4 +139,13 @@ jobs:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: buildkit-win.zip
           asset_name: buildkit-win.zip
-          asset_content_type: application/zip
\ No newline at end of file
+          asset_content_type: application/zip
+      - name: Upload tarball signature to GitHub Releases
+        uses: actions/upload-release-asset@v1.0.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ${{ github.ref }}.tar.gz.asc
+          asset_name: ${{ github.ref }}.tar.gz.asc
+          asset_content_type: application/octet-stream
\ No newline at end of file