1+ #! /usr/bin/env sh
2+ set -e
3+ #
4+ #
5+ #
6+ # Sign RPM's & DEB's in /packages to GH Release Assets
7+ #
8+ #
9+ #
10+
11+ # Sign RPM's
12+ echo " ===> Create .rpmmacros to sign rpm"
13+ echo " %_gpg_name ${GPG_MAIL} " >> ~ /.rpmmacros
14+ echo " %_signature gpg" >> ~ /.rpmmacros
15+ echo " %_gpg_path /home/runner/.gnupg" >> ~ /.rpmmacros
16+ echo " %_gpgbin /usr/bin/gpg" >> ~ /.rpmmacros
17+ echo " %__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --batch --pinentry-mode loopback --passphrase ${GPG_PASSPHRASE} --no-secmem-warning -u " %{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~ /.rpmmacros
18+
19+ echo " ===> Importing GPG private key from GHA secrets..."
20+ printf %s ${GPG_PRIVATE_KEY_SHA256_BASE64} | base64 -d | gpg --batch --import -
21+
22+ echo " ===> Importing GPG signature, needed to verify signature"
23+ gpg --export -a ${GPG_MAIL} > /tmp/RPM-GPG-KEY-${GPG_MAIL}
24+ rpm --import /tmp/RPM-GPG-KEY-${GPG_MAIL}
25+
26+ cd packages
27+
28+ for rpm_file in $( find -regex " .*\.\(rpm\)" ) ; do
29+ echo " ===> Signing $rpm_file "
30+ rpm --addsign $rpm_file
31+ echo " ===> Sign verification $rpm_file "
32+ rpm -v --checksig $rpm_file
33+ done
34+
35+ # Sign DEB's
36+ GNUPGHOME=" /home/runner/.gnupg"
37+ echo " ${GPG_PASSPHRASE} " > " ${GNUPGHOME} /gpg-passphrase"
38+ echo " passphrase-file ${GNUPGHOME} /gpg-passphrase" >> " $GNUPGHOME /gpg.conf"
39+ echo ' allow-loopback-pinentry' >> " ${GNUPGHOME} /gpg-agent.conf"
40+ echo ' pinentry-mode loopback' >> " ${GNUPGHOME} /gpg.conf"
41+ echo ' use-agent' >> " ${GNUPGHOME} /gpg.conf"
42+ echo RELOADAGENT | gpg-connect-agent
43+
44+ for deb_file in $( find -regex " .*\.\(deb\)" ) ; do
45+ echo " ===> Signing $deb_file "
46+ debsigs --sign=origin --verify --check -v -k ${GPG_MAIL} $deb_file
47+ done
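Review bot: The signing passphrase is expanded into `~/.rpmmacros` through `--passphrase ${GPG_PASSPHRASE}` in the `%__gpg_sign_cmd` line, and is later written to `${GNUPGHOME}/gpg-passphrase` with the default umask and never removed. That leaves the secret in two plaintext files on the runner and on gpg's command line for every `rpm --addsign` call, and the unquoted expansion breaks if the passphrase contains whitespace or shell metacharacters. I would write the passphrase file once with owner-only permissions, point the rpm macro at it with `--passphrase-file`, and remove it in an `EXIT` trap, as sketched below. Separately, `${GPG_PRIVATE_KEY_SHA256_BASE64}`, `${GPG_MAIL}` and the `$(find ...)` loop variables are unquoted, so quoting them would be worth doing in the same pass.

```shell
# … unchanged: first four .rpmmacros lines …
echo "%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --batch --pinentry-mode loopback --passphrase-file /home/runner/.gnupg/gpg-passphrase --no-secmem-warning -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros

# … unchanged: private key import …
GNUPGHOME="/home/runner/.gnupg"
passphrase_file="${GNUPGHOME}/gpg-passphrase"
# Remove the secret on every exit path, including a failed signing step.
trap 'rm -f -- "$passphrase_file"' EXIT
# Create the file owner-only instead of relying on the default umask.
( umask 077 && printf '%s\n' "${GPG_PASSPHRASE}" > "$passphrase_file" )

# … unchanged: public key export, rpm signing loop …
echo "passphrase-file ${passphrase_file}" >> "${GNUPGHOME}/gpg.conf"
# … unchanged: remaining gpg.conf / gpg-agent.conf lines, DEB signing loop …
```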