authorJoshua M. Boniface <joshua@boniface.me>2024-05-01 13:32:47 -0400
committerJoshua M. Boniface <joshua@boniface.me>2024-05-01 15:52:28 -0400
commit3ddb375a9032fc62f4c1aec39b8d7773997e862a (patch)
treea40f1b0b0ba85fa11dbfafaed9d87d2eb9e75e27 /.github/workflows
parentCorrect to the actual value (diff)
Add Debian package and dsc signing with repo key
Allows for the verification of the integrity and ownership of the resulting .deb, .dsc, .changes, and .buildinfo files for both Debian and Ubuntu using `debsig-verify` and the standard Apt toolkits. Closes #14
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/release-build.yaml36
1 files changed, 34 insertions, 2 deletions
diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
index a3c82b0..9905137 100644
--- a/.github/workflows/release-build.yaml
+++ b/.github/workflows/release-build.yaml
@@ -78,7 +78,7 @@ jobs:
- name: "Install dependencies"
run: |-
- sudo apt-get install --yes python3-git python3-yaml
+ sudo apt-get install --yes python3-git python3-yaml debsigs devscripts
- name: "Checkout repository"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -90,6 +90,22 @@ jobs:
- name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}"
run: |-
sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} debian ${{ matrix.arch }} ${{ matrix.release }}
+ sudo chown --recursive $USER out/debian
+
+ - name: "Import repository signing GPG key"
+ run: |
+ echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import
+
+ - name: "Sign Debian package and source files"
+ run: |
+ for file in out/debian/*.deb; do
+ debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file}
+ done
+ debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/debian/*.changes
+
+ - name: "Remove repository signing GPG key"
+ run: |
+ gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }}
- name: "Upload artifacts to repository server"
uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
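Review bot: The "Remove repository signing GPG key" step has no `if: always()`, so when a `debsigs` or `debsign` call in the preceding step fails, the job stops with the private key still in the runner's keyring. That matters most if these jobs can run on a persistent runner, which the hunk does not show. The three new steps also expand `${{ secrets.* }}` straight into the script text, which places the key material in the generated script file and leaves the key ID and `${file}` unquoted; mapping the secrets through `env:` and quoting the expansions avoids both. The Ubuntu job's steps in the last hunk of this diff have the same shape and would take the same change.

```yaml
      - name: "Import repository signing GPG key"
        env:
          DEBIAN_SIGNING_KEY: ${{ secrets.DEBIAN_SIGNING_KEY }}
        run: |
          printf '%s' "$DEBIAN_SIGNING_KEY" | base64 --decode | gpg --batch --yes --import

      - name: "Sign Debian package and source files"
        env:
          DEBIAN_SIGNING_KEY_ID: ${{ secrets.DEBIAN_SIGNING_KEY_ID }}
        run: |
          for file in out/debian/*.deb; do
              debsigs --sign=origin --default-key="$DEBIAN_SIGNING_KEY_ID" "${file}"
          done
          debsign -k "$DEBIAN_SIGNING_KEY_ID" out/debian/*.changes

      - name: "Remove repository signing GPG key"
        # Run even when signing failed so the private key never outlives the job.
        if: always()
        env:
          DEBIAN_SIGNING_KEY_ID: ${{ secrets.DEBIAN_SIGNING_KEY_ID }}
        run: |
          gpg --batch --yes --delete-secret-keys "$DEBIAN_SIGNING_KEY_ID"
      # … unchanged: "Upload artifacts to repository server" step …
```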
@@ -172,7 +188,7 @@ jobs:
- name: "Install dependencies"
run: |-
- sudo apt-get install --yes python3-git python3-yaml
+ sudo apt-get install --yes python3-git python3-yaml debsigs devscripts
- name: "Checkout repository"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -184,6 +200,22 @@ jobs:
- name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}"
run: |-
sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} ubuntu ${{ matrix.arch }} ${{ matrix.release }}
+ sudo chown --recursive $USER out/ubuntu
+
+ - name: "Import repository signing GPG key"
+ run: |
+ echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import
+
+ - name: "Sign Ubuntu package and source files"
+ run: |
+ for file in out/ubuntu/*.deb; do
+ debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file}
+ done
+ debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/ubuntu/*.changes
+
+ - name: "Remove repository signing GPG key"
+ run: |
+ gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }}
- name: "Upload artifacts to repository server"
uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
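Review bot: The cleanup command `gpg --batch --yes --delete-secret-keys …` only succeeds in batch mode when the key is named by its full fingerprint, so this step and the matching one in the Debian job should carry a comment saying what the secret must contain, for example `# DEBIAN_SIGNING_KEY_ID must be the full key fingerprint; gpg refuses batch secret-key deletion by key ID`. Whether the secret already holds a fingerprint cannot be seen from the diff. The step also leaves the imported public key in the keyring, which is harmless for verification but could be mentioned in the same comment so that the partial cleanup reads as intentional.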