-rw-r--r-- | .github/workflows/release-build.yaml | 36 | ||||
-rw-r--r-- | README.md | 4 |
2 files changed, 38 insertions, 2 deletions
diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml index a3c82b0..9905137 100644 --- a/.github/workflows/release-build.yaml +++ b/.github/workflows/release-build.yaml @@ -78,7 +78,7 @@ jobs: - name: "Install dependencies" run: |- - sudo apt-get install --yes python3-git python3-yaml + sudo apt-get install --yes python3-git python3-yaml debsigs devscripts - name: "Checkout repository" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -90,6 +90,22 @@ jobs: - name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}" run: |- sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} debian ${{ matrix.arch }} ${{ matrix.release }} + sudo chown --recursive $USER out/debian + + - name: "Import repository signing GPG key" + run: | + echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import + + - name: "Sign Debian package and source files" + run: | + for file in out/debian/*.deb; do + debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file} + done + debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/debian/*.changes + + - name: "Remove repository signing GPG key" + run: | + gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }} - name: "Upload artifacts to repository server" uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7 @@ -172,7 +188,7 @@ jobs: - name: "Install dependencies" run: |- - sudo apt-get install --yes python3-git python3-yaml + sudo apt-get install --yes python3-git python3-yaml debsigs devscripts - name: "Checkout repository" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
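Review bot: In the `@@ -90,6 +90,22 @@` hunk the "Remove repository signing GPG key" step only runs when every preceding step succeeds, so a failure in the signing step leaves the imported secret key in the runner's keyring for the remainder of the job; adding `if: always()` to that step makes the cleanup unconditional (this matters most if the workflow is ever run on a non-ephemeral or self-hosted runner). The import and removal steps also expand `${{ secrets.DEBIAN_SIGNING_KEY }}` and `${{ secrets.DEBIAN_SIGNING_KEY_ID }}` directly into the shell script text; passing them through an `env:` block and referencing `"$DEBIAN_SIGNING_KEY"` / `"$DEBIAN_SIGNING_KEY_ID"` keeps the secret material out of the generated script and avoids shell-quoting breakage if a value contains characters the shell treats specially. The `@@ -184,6 +200,22 @@` hunk for the Ubuntu job adds the same three steps and needs the same two changes.
```yaml
      - name: "Import repository signing GPG key"
        env:
          DEBIAN_SIGNING_KEY: ${{ secrets.DEBIAN_SIGNING_KEY }}
        run: |
          echo -n "$DEBIAN_SIGNING_KEY" | base64 --decode | gpg --batch --yes --import

      # … unchanged: "Sign Debian package and source files" step …

      - name: "Remove repository signing GPG key"
        if: always()
        env:
          DEBIAN_SIGNING_KEY_ID: ${{ secrets.DEBIAN_SIGNING_KEY_ID }}
        run: |
          gpg --batch --yes --delete-secret-keys "$DEBIAN_SIGNING_KEY_ID"
```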
@@ -184,6 +200,22 @@ jobs: - name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}" run: |- sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} ubuntu ${{ matrix.arch }} ${{ matrix.release }} + sudo chown --recursive $USER out/ubuntu + + - name: "Import repository signing GPG key" + run: | + echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import + + - name: "Sign Ubuntu package and source files" + run: | + for file in out/ubuntu/*.deb; do + debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file} + done + debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/ubuntu/*.changes + + - name: "Remove repository signing GPG key" + run: | + gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }} - name: "Upload artifacts to repository server" uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7 @@ -188,6 +188,10 @@ Inside this repository are 7 major components: This simplifies our builds as we do not need to then track many 9-month-only releases of Ubuntu, and also reduces the build burden. Users of non-LTS Ubuntu releases can use either the closest Ubuntu LTS version or use Docker containers instead. +* Signing of Debian packages with `debsigs`. + + This was suggested in https://github.com/jellyfin/jellyfin-packaging/issues/14 and was not something we had ever done, but has become trivial with this CI. This alows for the end-user verification of the ownership and integrity of the binary `.deb` files obtained from the repository with the `debsigs-verify` command and the policy detailed in that issue. We can also integrate this automatically into our installer script and documented process. + ### Docker * Single unified Docker build: the entirety of our Docker images are built as one container from one Dockerfile. |