Sign our releases (#1347)

* Sign our releases * Use secrets instead of artifacts * And the universal * Apparently we can’t use secrets like that? * Minor fixes to doc * Private key requires untrusted comment * Dogfood one deeper
2025-04-24 14:28:42 +00:00 · 2023-09-23 20:07:19 +12:00 · 2023-09-23 20:07:19 +12:00 · ee7fcb3210
commit ee7fcb3210
parent 32beba507b
5 changed files with 88 additions and 14 deletions
--- a/.github/scripts/ephemeral-gen.sh
+++ b/.github/scripts/ephemeral-gen.sh
@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+cargo binstall -y rsign2
+rsign generate -f -W -p minisign.pub -s minisign.key
+
+cat >> crates/bin/Cargo.toml <<EOF
+[package.metadata.binstall.signing]
+algorithm = "minisign"
+pubkey = "$(tail -n1 minisign.pub)"
+EOF
+
+set +x
+echo "::add-mask::$(tail -n1 minisign.key)"
+echo "private=$(tail -n1 minisign.key)" >> "$GITHUB_OUTPUT"
--- a/.github/scripts/ephemeral-sign.sh
+++ b/.github/scripts/ephemeral-sign.sh
@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo "untrusted comment: rsign encrypted secret key" > minisign.key
+cat >> minisign.key <<< "$SIGNING_KEY"
+
+set -x
+
+cargo binstall -y rsign2
+
+ts=$(date --utc --iso-8601=seconds)
+git=$(git rev-parse HEAD)
+comment="gh=$GITHUB_REPOSITORY git=$git ts=$ts run=$GITHUB_RUN_ID"
+
+for file in "$@"; do
+    rsign sign -W -s minisign.key -x "$file.sig" -t "$comment" "$file"
+done
+