Sign our releases (#1347)

* Sign our releases

* Use secrets instead of artifacts

* And the universal

* Apparently we can’t use secrets like that?

* Minor fixes to doc

* Private key requires untrusted comment

* Dogfood one deeper

.github/scripts/ephemeral-gen.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+cargo binstall -y rsign2
+rsign generate -f -W -p minisign.pub -s minisign.key
+
+cat >> crates/bin/Cargo.toml <<EOF
+[package.metadata.binstall.signing]
+algorithm = "minisign"
+pubkey = "$(tail -n1 minisign.pub)"
+EOF
+
+set +x
+echo "::add-mask::$(tail -n1 minisign.key)"
+echo "private=$(tail -n1 minisign.key)" >> "$GITHUB_OUTPUT"

.github/scripts/ephemeral-sign.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo "untrusted comment: rsign encrypted secret key" > minisign.key
+cat >> minisign.key <<< "$SIGNING_KEY"
+
+set -x
+
+cargo binstall -y rsign2
+
+ts=$(date --utc --iso-8601=seconds)
+git=$(git rev-parse HEAD)
+comment="gh=$GITHUB_REPOSITORY git=$git ts=$ts run=$GITHUB_RUN_ID"
+
+for file in "$@"; do
+    rsign sign -W -s minisign.key -x "$file.sig" -t "$comment" "$file"
+done
+

.github/workflows/release-build.yml

@@ -16,6 +16,10 @@ on:
         description: "Set to override default release profile codegen-units settings"
         required: false
         type: string
+    secrets:
+      signingkey:
+        description: "Minisign private key. Required when publishing"
+        required: false
 
 env:
   CARGO_TERM_COLOR: always
@@ -84,6 +88,14 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+    - if: inputs.publish
+      uses: cargo-bins/cargo-binstall@main
+
+    - if: inputs.publish
+      env:
+        SIGNING_KEY: ${{ secrets.signingkey }}
+      run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-*
+
     - if: inputs.publish
       name: Upload to release
       uses: svenstaro/upload-release-action@v2
@@ -140,6 +152,14 @@ jobs:
     - run: just repackage-lipo
     - run: ls -shal packages/
 
+    - if: inputs.publish
+      uses: cargo-bins/cargo-binstall@main
+
+    - if: inputs.publish
+      env:
+        SIGNING_KEY: ${{ secrets.signingkey }}
+      run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-universal-*
+
     - if: inputs.publish
       name: Upload to release
       uses: svenstaro/upload-release-action@v2

.github/workflows/release.yml

@@ -22,8 +22,8 @@ jobs:
         event-data: ${{ toJSON(github.event) }}
         extract-notes-under: '### Release notes'
 
-  tag:
-    if: needs.info.outputs.is-release == 'true'
+  libtag:
+    if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate != 'cargo-binstall'
     needs: info
     runs-on: ubuntu-latest
     steps:
@@ -35,24 +35,43 @@ jobs:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         custom_tag: ${{ needs.info.outputs.version }}
         tag_prefix: ${{ needs.info.outputs.crate }}-v
-    - name: Push cli release tag
-      if: needs.info.outputs.crate == 'cargo-binstall'
-      uses: mathieudutour/github-tag-action@v6.1
-      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
-        custom_tag: ${{ needs.info.outputs.version }}
-        tag_prefix: v
     - name: Publish to crates.io
       run: |
         cargo publish -p '${{ needs.info.outputs.crate }}'
       env:
         CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
 
+  clitag:
+    if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate == 'cargo-binstall'
+    needs: info
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Push cli release tag
+      uses: mathieudutour/github-tag-action@v6.1
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        custom_tag: ${{ needs.info.outputs.version }}
+        tag_prefix: v
+    - uses: cargo-bins/cargo-binstall@main
+    - name: Create ephemeral keypair
+      id: keypair
+      run: .github/scripts/ephemeral-gen.sh
+    - name: Publish to crates.io
+      env:
+        crate: ${{ needs.info.outputs.crate }}
+        CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+      run: cargo publish -p "$crate"
+    outputs:
+      signingkey: ${{ steps.keypair.outputs.private }}
+
   package:
     if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate == 'cargo-binstall'
     needs:
     - info
-    - tag
+    - clitag
     uses: ./.github/workflows/release-build.yml
     with:
       publish: ${{ toJSON(needs.info.outputs) }}
+    secrets:
+      signingkey: ${{ needs.clitag.signingkey }}