CI: Always sign binary artifacts, not just for releases
Fixes #1355.
RyanGlScott committed May 19, 2022
1 parent bdaa8a8 commit 870d9c9
Showing 2 changed files with 6 additions and 3 deletions.
4 changes: 4 additions & 0 deletions .github/ci.sh
Expand Up @@ -109,10 +109,14 @@ bundle_files() {
}

sign() {
# This is surrounded with `set +x; ...; set -x` to disable printing out
# statements that could leak GPG-related secrets.
set +x
gpg --batch --import <(echo "$SIGNING_KEY")
fingerprint="$(gpg --list-keys | grep galois -a1 | head -n1 | awk '{$1=$1};1')"
echo "$fingerprint:6" | gpg --import-ownertrust
gpg --yes --no-tty --batch --pinentry-mode loopback --default-key "$fingerprint" --detach-sign -o "$1".sig --passphrase-file <(echo "$SIGNING_PASSPHRASE") "$1"
set -x
}

zip_dist() {
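Review bot: The closing `set -x` in `sign()` turns tracing on unconditionally, so it assumes xtrace was already enabled on entry; if `sign` is ever called with tracing off, every later command is traced, including any that handle secrets. Whether `ci.sh` enables `set -x` globally is not visible in this hunk. Running the gpg commands in a subshell, `( set +x; … )`, restores the caller's setting automatically; alternatively record `$-` on entry and re-enable tracing in an `if` only when it contained `x`. `fingerprint` is also assigned without `local`, so it leaks into the script's global scope.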
5 changes: 2 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -158,7 +158,7 @@ jobs:
- if: runner.os == 'Windows'
run: .github/wix.ps1

- if: needs.config.outputs.release == 'true' && runner.os == 'Windows'
- if: runner.os == 'Windows'
shell: bash
env:
SIGNING_PASSPHRASE: ${{ secrets.SIGNING_PASSPHRASE }}
Expand All @@ -181,8 +181,7 @@ jobs:
env:
OS_TAG: ${{ matrix.os }}

- if: needs.config.outputs.release == 'true'
shell: bash
- shell: bash
env:
SIGNING_PASSPHRASE: ${{ secrets.SIGNING_PASSPHRASE }}
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
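Review bot: With the `needs.config.outputs.release == 'true'` condition dropped from both signing steps, the signing secrets are now placed in the step environment on every run of this job, not only on release builds. The workflow's triggers are outside the visible hunks, but if it also runs on pull requests, branch changes to `.github/ci.sh` would execute with the key material available, and runs from forks normally receive empty secrets, so the `gpg --import` in `sign` would probably fail there. A valid signature also no longer distinguishes a release from an arbitrary CI build. Consider gating both steps on the event, e.g. `if: github.event_name != 'pull_request'` (combined with the Windows check on the first step), or signing non-release artifacts with a separate CI-only key.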
