From 3ddb375a9032fc62f4c1aec39b8d7773997e862a Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface"
Date: Wed, 1 May 2024 13:32:47 -0400
Subject: Add Debian package and dsc signing with repo key
Allows for the verification of the integrity and ownership of the resulting .deb, .dsc, .changes, and .buildinfo files for both Debian and Ubuntu using `debsig-verify` and the standard Apt toolkits.
Closes #14
---
 .github/workflows/release-build.yaml | 36 ++++++++++++++++++++++++++++++++++--
 README.md | 4 ++++
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
index a3c82b0..9905137 100644
--- a/.github/workflows/release-build.yaml
+++ b/.github/workflows/release-build.yaml
@@ -78,7 +78,7 @@ jobs:
 - name: "Install dependencies"
 run: |-
- sudo apt-get install --yes python3-git python3-yaml
+ sudo apt-get install --yes python3-git python3-yaml debsigs devscripts
 - name: "Checkout repository"
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -90,6 +90,22 @@ jobs:
 - name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}"
 run: |-
 sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} debian ${{ matrix.arch }} ${{ matrix.release }}
+ sudo chown --recursive $USER out/debian
+
+ - name: "Import repository signing GPG key"
+ run: |
+ echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import
+
+ - name: "Sign Debian package and source files"
+ run: |
+ for file in out/debian/*.deb; do
+ debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file}
+ done
+ debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/debian/*.changes
+
+ - name: "Remove repository signing GPG key"
+ run: |
+ gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }}
 - name: "Upload artifacts to repository server"
 uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
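Review bot: The "Remove repository signing GPG key" step only runs when the preceding sign step succeeds, so a `debsigs` or `debsign` failure leaves the imported secret key in the runner's keyring; add `if: always()` to that step so the key is removed on every outcome (harmless on an ephemeral GitHub-hosted runner, but it matters on a self-hosted one). The gpg manual states that `--delete-secret-keys` in `--batch` mode only accepts a full fingerprint, so this step will fail if `DEBIAN_SIGNING_KEY_ID` holds a short or long key ID rather than the 40-hex fingerprint — worth confirming what the secret contains. The key material is also spliced into the script body via `${{ secrets.DEBIAN_SIGNING_KEY }}`; putting it in the step's `env:` as `DEBIAN_SIGNING_KEY: ${{ secrets.DEBIAN_SIGNING_KEY }}` and piping `"$DEBIAN_SIGNING_KEY"` keeps it out of the generated script file on disk. None of the new steps checks that a signature was actually applied; a `debsig-verify` (or `gpg --verify` on the signed `.changes`) step before the upload would stop an unsigned artifact from reaching the repository server. The Ubuntu job's hunk at `@@ -184,6 +200,22 @@` duplicates these steps and has the same issues.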
@@ -172,7 +188,7 @@ jobs:
 - name: "Install dependencies"
 run: |-
- sudo apt-get install --yes python3-git python3-yaml
+ sudo apt-get install --yes python3-git python3-yaml debsigs devscripts
 - name: "Checkout repository"
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -184,6 +200,22 @@ jobs:
 - name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}"
 run: |-
 sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} ubuntu ${{ matrix.arch }} ${{ matrix.release }}
+ sudo chown --recursive $USER out/ubuntu
+
+ - name: "Import repository signing GPG key"
+ run: |
+ echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import
+
+ - name: "Sign Ubuntu package and source files"
+ run: |
+ for file in out/ubuntu/*.deb; do
+ debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file}
+ done
+ debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/ubuntu/*.changes
+
+ - name: "Remove repository signing GPG key"
+ run: |
+ gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }}
 - name: "Upload artifacts to repository server"
 uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
diff --git a/README.md b/README.md
index d09dcb5..adfdcf5 100644
--- a/README.md
+++ b/README.md
@@ -188,6 +188,10 @@ Inside this repository are 7 major components:
 This simplifies our builds as we do not need to then track many 9-month-only releases of Ubuntu, and also reduces the build burden. Users of non-LTS Ubuntu releases can use either the closest Ubuntu LTS version or use Docker containers instead. +* Signing of Debian packages with `debsigs`. + + This was suggested in https://github.com/jellyfin/jellyfin-packaging/issues/14 and was not something we had ever done, but has become trivial with this CI. This alows for the end-user verification of the ownership and integrity of the binary `.deb` files obtained from the repository with the `debsigs-verify` command and the policy detailed in that issue. We can also integrate this automatically into our installer script and documented process. + + ### Docker * Single unified Docker build: the entirety of our Docker images are built as one container from one Dockerfile.
-- cgit