From 5d4333d5c8eb39abb27ce8400e5803eafe73dd0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Saparelli?= <felix@passcod.name>
Date: Wed, 27 Sep 2023 00:17:17 +1300
Subject: [PATCH] Fix release build again (#1400)
* Fix build again
* Recommend (r)age over minisign password
* Dry-run the entire release process
* Reorg a bit so dry-run works
* Fix secret name
* Add check on age key
* Pass secrets down
* Use a cross-platform "date"
* Delete signing key artifact to be extra safe
* Last little bits
---
.github/scripts/ephemeral-crate.sh | 12 ++
.github/scripts/ephemeral-gen.sh | 13 +--
.github/scripts/ephemeral-sign.sh | 10 +-
.github/workflows/ci.yml | 14 ++-
.github/workflows/release-cli.yml | 108 ++++++++++++++++++
...release-build.yml => release-packages.yml} | 78 +++++--------
.github/workflows/release.yml | 50 ++------
SIGNING.md | 44 +++----
8 files changed, 189 insertions(+), 140 deletions(-)
create mode 100755 .github/scripts/ephemeral-crate.sh
create mode 100644 .github/workflows/release-cli.yml
rename .github/workflows/{release-build.yml => release-packages.yml} (76%)
diff --git a/.github/scripts/ephemeral-crate.sh b/.github/scripts/ephemeral-crate.sh
new file mode 100755
index 00000000..3636ca71
--- /dev/null
+++ b/.github/scripts/ephemeral-crate.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+cat >> crates/bin/Cargo.toml <<EOF
+[package.metadata.binstall.signing]
+algorithm = "minisign"
+pubkey = "$(tail -n1 minisign.pub)"
+EOF
+
+cp minisign.pub crates/bin/minisign.pub
+
diff --git a/.github/scripts/ephemeral-gen.sh b/.github/scripts/ephemeral-gen.sh
index 806cf02c..fc1e58d6 100755
--- a/.github/scripts/ephemeral-gen.sh
+++ b/.github/scripts/ephemeral-gen.sh
@@ -2,21 +2,12 @@
set -euxo pipefail
-cargo binstall -y rsign2
+cargo binstall -y rsign2 rage
rsign generate -f -W -p minisign.pub -s minisign.key
-cat >> crates/bin/Cargo.toml <<EOF
-[package.metadata.binstall.signing]
-algorithm = "minisign"
-pubkey = "$(tail -n1 minisign.pub)"
-EOF
-
-echo "public=$(tail -n1 minisign.pub)" >> "$GITHUB_OUTPUT"
-cp minisign.pub crates/bin/minisign.pub
-
set +x
echo "::add-mask::$(tail -n1 minisign.key)"
-echo "private=$(tail -n1 minisign.key)" >> "$GITHUB_OUTPUT"
set -x
+rage --encrypt --recipient "$AGE_KEY_PUBLIC" --output minisign.key.age minisign.key
rm minisign.key
diff --git a/.github/scripts/ephemeral-sign.sh b/.github/scripts/ephemeral-sign.sh
index a657c915..ef458e58 100755
--- a/.github/scripts/ephemeral-sign.sh
+++ b/.github/scripts/ephemeral-sign.sh
@@ -2,14 +2,15 @@
set -euo pipefail
-echo "untrusted comment: rsign encrypted secret key" > minisign.key
-cat >> minisign.key <<< "$SIGNING_KEY"
+[[ -z "$AGE_KEY_SECRET" ]] && { echo "!!! Empty age key secret !!!"; exit 1; }
+cat >> age.key <<< "$AGE_KEY_SECRET"
set -x
-cargo binstall -y rsign2
+cargo binstall -y rsign2 rage
+rage --decrypt --identity age.key --output minisign.key minisign.key.age
-ts=$(date --utc --iso-8601=seconds)
+ts=$(node -e 'console.log((new Date).toISOString())')
git=$(git rev-parse HEAD)
comment="gh=$GITHUB_REPOSITORY git=$git ts=$ts run=$GITHUB_RUN_ID"
@@ -17,3 +18,4 @@ for file in "$@"; do
rsign sign -W -s minisign.key -x "$file.sig" -t "$comment" "$file"
done
+rm age.key minisign.key
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0c10c8f3..dd31ba61 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -125,9 +125,17 @@ jobs:
- run: just avoid-dev-deps
- run: just lint
- release-builds:
- uses: ./.github/workflows/release-build.yml
+ release-dry-run:
+ uses: ./.github/workflows/release-cli.yml
+ secrets: inherit
with:
+ info: |
+ {
+ "is-release": false,
+ "crate": "cargo-binstall",
+ "version": "0.0.0",
+ "notes": ""
+ }
CARGO_PROFILE_RELEASE_LTO: no
CARGO_PROFILE_RELEASE_CODEGEN_UNITS: 4
@@ -179,7 +187,7 @@ jobs:
- test
- cross-check
- lint
- - release-builds
+ - release-dry-run
- detect-targets-alpine-test
- detect-targets-ubuntu-test
if: always() # always run even if dependencies fail
diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml
new file mode 100644
index 00000000..bec98814
--- /dev/null
+++ b/.github/workflows/release-cli.yml
@@ -0,0 +1,108 @@
+name: Release CLI
+on:
+ workflow_call:
+ inputs:
+ info:
+ description: "The release metadata JSON"
+ required: true
+ type: string
+ CARGO_PROFILE_RELEASE_LTO:
+ description: "Used to speed up CI"
+ required: false
+ type: string
+ CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
+ description: "Used to speed up CI"
+ required: false
+ type: string
+
+jobs:
+ tag:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - if: fromJSON(inputs.info).is-release == 'true'
+ name: Push cli release tag
+ uses: mathieudutour/github-tag-action@v6.1
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ custom_tag: ${{ fromJSON(inputs.info).version }}
+ tag_prefix: v
+
+ keygen:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: cargo-bins/cargo-binstall@main
+ - name: Create ephemeral keypair
+ id: keypair
+ env:
+ AGE_KEY_PUBLIC: ${{ vars.AGE_KEY_PUBLIC }}
+ run: .github/scripts/ephemeral-gen.sh
+ - uses: actions/upload-artifact@v3
+ with:
+ name: minisign.pub
+ path: minisign.pub
+ - uses: actions/upload-artifact@v3
+ with:
+ name: minisign.key.age
+ path: minisign.key.age
+ retention-days: 1
+ - name: Check that key can be decrypted
+ env:
+ AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
+ shell: bash
+ run: .github/scripts/ephemeral-sign.sh minisign.pub
+
+ package:
+ needs:
+ - tag
+ - keygen
+ uses: ./.github/workflows/release-packages.yml
+ secrets: inherit
+ with:
+ publish: ${{ inputs.info }}
+ CARGO_PROFILE_RELEASE_LTO: ${{ inputs.CARGO_PROFILE_RELEASE_LTO }}
+ CARGO_PROFILE_RELEASE_CODEGEN_UNITS: ${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}
+
+ publish:
+ needs: package
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/download-artifact@v3
+ with:
+ name: minisign.pub
+ - run: .github/scripts/ephemeral-crate.sh
+
+ - if: fromJSON(inputs.info).is-release != 'true'
+ name: DRY-RUN Publish to crates.io
+ env:
+ crate: ${{ fromJSON(inputs.info).crate }}
+ CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+ run: cargo publish -p "$crate" --allow-dirty --dry-run
+
+ - if: fromJSON(inputs.info).is-release == 'true'
+ name: Publish to crates.io
+ env:
+ crate: ${{ fromJSON(inputs.info).crate }}
+ CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+ run: cargo publish -p "$crate" --allow-dirty
+
+ - if: fromJSON(inputs.info).is-release == 'true'
+ name: Make release latest
+ uses: svenstaro/upload-release-action@v2
+ with:
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+ release_name: v${{ fromJSON(inputs.info).version }}
+ tag: v${{ fromJSON(inputs.info).version }}
+ body: ${{ fromJSON(inputs.info).notes }}
+ promote: true
+ file: minisign.pub
+
+ - if: fromJSON(inputs.info).is-release == 'true'
+ name: Delete signing key artifact
+ uses: geekyeggo/delete-artifact@v2
+ with:
+ name: minisign.key.age
+ failOnError: false
+
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-packages.yml
similarity index 76%
rename from .github/workflows/release-build.yml
rename to .github/workflows/release-packages.yml
index ae7f5f4d..ab6839c6 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-packages.yml
@@ -1,29 +1,20 @@
-name: Build for release
+name: Build packages for release
on:
- workflow_dispatch: # can't publish from dispatch
workflow_call:
inputs:
publish:
- description: "Set to the release metadata JSON to publish the release"
- required: false
- type: string
- publickey:
- description: "Minisign public key. Required when publishing"
- required: false
+ description: "The release metadata JSON"
+ required: true
type: string
CARGO_PROFILE_RELEASE_LTO:
- description: "Set to override default release profile lto settings"
+ description: "Used to speed up CI"
required: false
type: string
CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
- description: "Set to override default release profile codegen-units settings"
+ description: "Used to speed up CI"
required: false
type: string
- secrets:
- signingkey:
- description: "Minisign private key. Required when publishing"
- required: false
env:
CARGO_TERM_COLOR: always
@@ -69,15 +60,7 @@ jobs:
if: inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS
run: echo "CARGO_PROFILE_RELEASE_CODEGEN_UNITS=${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}" >> "$GITHUB_ENV"
- - name: Include public key in package
- if: inputs.publickey
- env:
- PUBLIC_KEY: ${{ inputs.publickey }}
- shell: bash
- run: |
- echo "untrusted comment: minisign public key" > minisign.pub
- cat >> minisign.pub <<< "$PUBLIC_KEY"
-
+ - uses: cargo-bins/cargo-binstall@main
- uses: ./.github/actions/just-setup
with:
tools: cargo-auditable
@@ -89,6 +72,9 @@ jobs:
- run: just toolchain rust-src
- run: just ci-install-deps
+ - uses: actions/download-artifact@v3
+ with:
+ name: minisign.pub
- run: just package
- if: runner.os == 'Windows'
run: Get-ChildItem packages/
@@ -101,16 +87,16 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - if: inputs.publish
- uses: cargo-bins/cargo-binstall@main
-
- - if: inputs.publish
+ - uses: actions/download-artifact@v3
+ with:
+ name: minisign.key.age
+ - name: Sign package
env:
- SIGNING_KEY: ${{ secrets.signingkey }}
+ AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
shell: bash
run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-*
- - if: inputs.publish
+ - if: fromJSON(inputs.publish).is-release == 'true'
name: Upload to release
uses: svenstaro/upload-release-action@v2
with:
@@ -120,7 +106,8 @@ jobs:
body: ${{ fromJSON(inputs.publish).notes }}
file: packages/cargo-binstall-*
file_glob: true
- - if: "! inputs.publish || runner.os == 'macOS'"
+ prerelease: true
+ - if: "fromJSON(inputs.publish).is-release != 'true' || runner.os == 'macOS'"
name: Upload artifact
uses: actions/upload-artifact@v3
with:
@@ -144,16 +131,7 @@ jobs:
steps:
- uses: actions/checkout@v4
-
- - name: Include public key in package
- if: inputs.publickey
- env:
- PUBLIC_KEY: ${{ inputs.publickey }}
- shell: bash
- run: |
- echo "untrusted comment: minisign public key" > minisign.pub
- cat >> minisign.pub <<< "$PUBLIC_KEY"
-
+ - uses: cargo-bins/cargo-binstall@main
- uses: taiki-e/install-action@v2
with:
tool: just
@@ -171,19 +149,22 @@ jobs:
name: aarch64-apple-darwin
path: packages/
+ - uses: actions/download-artifact@v3
+ with:
+ name: minisign.pub
- run: ls -shalr packages/
- run: just repackage-lipo
- run: ls -shal packages/
- - if: inputs.publish
- uses: cargo-bins/cargo-binstall@main
-
- - if: inputs.publish
- env:
- SIGNING_KEY: ${{ secrets.signingkey }}
+ - uses: actions/download-artifact@v3
+ with:
+ name: minisign.key.age
+ - env:
+ AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
+ shell: bash
run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-universal-*
- - if: inputs.publish
+ - if: fromJSON(inputs.publish).is-release == 'true'
name: Upload to release
uses: svenstaro/upload-release-action@v2
with:
@@ -194,7 +175,8 @@ jobs:
file: packages/cargo-binstall-universal-*
file_glob: true
overwrite: true
- - if: "! inputs.publish"
+ prerelease: true
+ - if: fromJSON(inputs.publish).is-release != 'true'
name: Upload artifact
uses: actions/upload-artifact@v3
with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7b189b2d..88f6d0a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,7 +22,7 @@ jobs:
event-data: ${{ toJSON(github.event) }}
extract-notes-under: '### Release notes'
- libtag:
+ release-lib:
if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate != 'cargo-binstall'
needs: info
runs-on: ubuntu-latest
@@ -41,47 +41,11 @@ jobs:
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
- clitag:
- if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate == 'cargo-binstall'
+ release-cli:
+ if: needs.info.outputs.crate == 'cargo-binstall'
needs: info
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: Push cli release tag
- uses: mathieudutour/github-tag-action@v6.1
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- custom_tag: ${{ needs.info.outputs.version }}
- tag_prefix: v
- - uses: cargo-bins/cargo-binstall@main
- - name: Create ephemeral keypair
- id: keypair
- run: .github/scripts/ephemeral-gen.sh
- - name: Publish to crates.io
- env:
- crate: ${{ needs.info.outputs.crate }}
- CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
- run: cargo publish -p "$crate" --allow-dirty
- - name: Upload public key to release
- uses: svenstaro/upload-release-action@v2
- with:
- repo_token: ${{ secrets.GITHUB_TOKEN }}
- release_name: v${{ needs.info.outputs.version }}
- tag: v${{ needs.info.outputs.version }}
- body: ${{ needs.info.outputs.notes }}
- file: minisign.pub
- outputs:
- publickey: ${{ steps.keypair.outputs.public }}
- signingkey: ${{ steps.keypair.outputs.private }}
-
- package:
- if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate == 'cargo-binstall'
- needs:
- - info
- - clitag
- uses: ./.github/workflows/release-build.yml
+ uses: ./.github/workflows/release-cli.yml
+ secrets: inherit
with:
- publish: ${{ toJSON(needs.info.outputs) }}
- publickey: ${{ needs.clitag.publickey }}
- secrets:
- signingkey: ${{ needs.clitag.signingkey }}
+ info: ${{ toJSON(needs.info.outputs) }}
+
diff --git a/SIGNING.md b/SIGNING.md
index e8cc2871..29803ce4 100644
--- a/SIGNING.md
+++ b/SIGNING.md
@@ -10,10 +10,10 @@ This feature requires adding to the Cargo.toml metadata: no autodiscovery here!
Generate a [minisign](https://jedisct1.github.io/minisign/) keypair:
```console
-minisign -G -p signing.pub -s signing.key
+minisign -G -W -p signing.pub -s signing.key
# or with rsign2:
-rsign generate -p signing.pub -s signing.key
+rsign generate -W -p signing.pub -s signing.key
```
In your Cargo.toml, put:
@@ -31,10 +31,10 @@ Save the `signing.key` as a secret in your CI, then use it when building package
```console
tar cvf package-name.tar.zst your-files # or however
-minisign -S -s signing.key -x package-name.tar.zst.sig -m package-name.tar.zst
+minisign -S -W -s signing.key -x package-name.tar.zst.sig -m package-name.tar.zst
# or with rsign2:
-rsign sign -s signing.key -x package-name.tar.zst.sig package-name.tar.zst
+rsign sign -W -s signing.key -x package-name.tar.zst.sig package-name.tar.zst
```
Upload both your package and the matching `.sig`.
@@ -42,34 +42,16 @@ Upload both your package and the matching `.sig`.
Now when binstall downloads your packages, it will also download the `.sig` file and use the `pubkey` in the Cargo.toml to verify the signature.
If the signature has a trusted comment, it will print it at install time.
-`minisign` and `rsign2` by default prompt for a password when generating a keypair and signing, which can hinder automation.
+By default, `minisign` and `rsign2` prompt for a password; above we disable this with `-W`.
+While you _can_ set a password, we recommend instead using [age](https://github.com/FiloSottile/age) (or the Rust version [rage](https://github.com/str4d/rage)) to separately encrypt the key, which we find is much better for automation.
-You can:
- - Pass `-W` to `minisign` or `rsign2` to generate a password-less private key.
- NOTE that you also need to pass this when signing.
- - When signing using `minisign`, it reads from stdin for password so you could use
- shell redirect to pass the password.
- - Use [`expect`] to pass password to `rsign2` (since it reads `/dev/tty` for password):
- For generating private key:
- ```bash
- expect <<EXP
- spawn rsign generate -f -p minisign.pub -s minisign.key
- expect "Password:"
- send -- "$SIGNING_KEY_SECRET\r"
- expect "Password (one more time):"
- send -- "$SIGNING_KEY_SECRET\r"
- expect eof
- EXP
- ```
- For signing:
- ```bash
- expect <<EXP
- spawn rsign sign -s minisign.key -x "$file.sig" -t "$comment" "$file"
- expect "Password:"
- send -- "$SIGNING_KEY_SECRET\r"
- expect eof
- EXP
- ```
+```console
+rage-keygen -o age.key
+Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+
+rage -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p -o signing.key.age signing.key
+rage -d -i age.key -o signing.key signing.key.age
+```
For just-in-time or "keyless" schemes, securely generating and passing the ephemeral key to other jobs or workflows presents subtle issues.
`cargo-binstall` has an implementation in [its own release process][`release.yml`] that you can use as example.