actions/cargo-binstall
1
0
Fork 0
mirror of https://github.com/cargo-bins/cargo-binstall.git synced 2025-05-02 18:20:03 +00:00
Code Issues Projects Releases Packages Wiki Activity

Doc: Provide solutions for common problems encountered during signing (#1383)

Browse source 
* Doc: Provide solutions for common problems encountered during signing

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

* Apply suggestions from code review

Co-authored-by: Félix Saparelli <felix@passcod.name>

---------

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
Co-authored-by: Félix Saparelli <felix@passcod.name>
This commit is contained in:
Jiahao XU 2023-09-23 23:13:23 +10:00 committed by GitHub
parent 2db8e254bc
commit 190ef7b8e7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 35 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

35
SIGNING.md
View file

@ -42,6 +42,41 @@ Upload both your package and the matching `.sig`.
Now when binstall downloads your packages, it will also download the `.sig` file and use the `pubkey` in the Cargo.toml to verify the signature. Now when binstall downloads your packages, it will also download the `.sig` file and use the `pubkey` in the Cargo.toml to verify the signature.
If the signature has a trusted comment, it will print it at install time. If the signature has a trusted comment, it will print it at install time.
`minisign` and `rsign2` by default prompt for a password when generating a keypair and signing, which can hinder automation.
You can:
- Pass `-W` to `minisign` or `rsign2` to generate a password-less private key.
NOTE that you also need to pass this when signing.
- When signing using `minisign`, it reads from stdin for password so you could use
shell redirect to pass the password.
- Use [`expect`] to pass password to `rsign2` (since it reads `/dev/tty` for password):
For generating private key:
```bash
expect <<EXP
spawn rsign generate -f -p minisign.pub -s minisign.key
expect "Password:"
send -- "$SIGNING_KEY_SECRET\r"
expect "Password (one more time):"
send -- "$SIGNING_KEY_SECRET\r"
expect eof
EXP
```
For signing:
```bash
expect <<EXP
spawn rsign sign -s minisign.key -x "$file.sig" -t "$comment" "$file"
expect "Password:"
send -- "$SIGNING_KEY_SECRET\r"
expect eof
EXP
```
For just-in-time or "keyless" schemes, securely generating and passing the ephemeral key to other jobs or workflows presents subtle issues.
`cargo-binstall` has an implementation in [its own release process][`release.yml`] that you can use as example.
[`expect`]: https://linux.die.net/man/1/expect
[`release.yml`]: https://github.com/cargo-bins/cargo-binstall/blob/main/.github/workflows/release.yml
## Reference ## Reference
- `algorithm`: required, see below. - `algorithm`: required, see below.