From 3ddb375a9032fc62f4c1aec39b8d7773997e862a Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface" <joshua@boniface.me>
Date: Wed, 1 May 2024 13:32:47 -0400
Subject: Add Debian package and dsc signing with repo key

Allows for the verification of the integrity and ownership of the
resulting .deb, .dsc, .changes, and .buildinfo files for both Debian and
Ubuntu using `debsig-verify` and the standard Apt toolkits.

Closes #14
---
 .github/workflows/release-build.yaml | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

(limited to '.github')

diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
index a3c82b0..9905137 100644
--- a/.github/workflows/release-build.yaml
+++ b/.github/workflows/release-build.yaml
@@ -78,7 +78,7 @@ jobs:
 
       - name: "Install dependencies"
         run: |-
-          sudo apt-get install --yes python3-git python3-yaml
+          sudo apt-get install --yes python3-git python3-yaml debsigs devscripts
 
       - name: "Checkout repository"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -90,6 +90,22 @@ jobs:
       - name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}"
         run: |-
           sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} debian ${{ matrix.arch }} ${{ matrix.release }}
+          sudo chown --recursive $USER out/debian
+
+      - name: "Import repository signing GPG key"
+        run: |
+          echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import
+
+      - name: "Sign Debian package and source files"
+        run: |
+          for file in out/debian/*.deb; do
+              debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file}
+          done
+          debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/debian/*.changes
+
+      - name: "Remove repository signing GPG key"
+        run: |
+          gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }}
 
       - name: "Upload artifacts to repository server"
         uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
@@ -172,7 +188,7 @@ jobs:
 
       - name: "Install dependencies"
         run: |-
-          sudo apt-get install --yes python3-git python3-yaml
+          sudo apt-get install --yes python3-git python3-yaml debsigs devscripts
 
       - name: "Checkout repository"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -184,6 +200,22 @@ jobs:
       - name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}"
         run: |-
           sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} ubuntu ${{ matrix.arch }} ${{ matrix.release }}
+          sudo chown --recursive $USER out/ubuntu
+
+      - name: "Import repository signing GPG key"
+        run: |
+          echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import
+
+      - name: "Sign Ubuntu package and source files"
+        run: |
+          for file in out/ubuntu/*.deb; do
+              debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file}
+          done
+          debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/ubuntu/*.changes
+
+      - name: "Remove repository signing GPG key"
+        run: |
+          gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }}
 
       - name: "Upload artifacts to repository server"
         uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
-- 
cgit