NotificationsYou must be signed in to change notification settings
Fork947
Star10.5k

Commite80259c

committed

feat: sign coder binaries with the release key using GPG

1 parent6580971 commite80259cCopy full SHA for e80259c

File tree

5 files changed

+78

-0

lines changed

.github/workflows
- ci.yaml
- release.yaml
Makefile
scripts
- build_go.sh
- sign_with_gpg.sh

5 files changed

+78

-0

lines changed

`‎.github/workflows/ci.yaml`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1278,6 +1278,7 @@ jobs:`
`1278`	`1278`	`# do (see above).`
`1279`	`1279`	`CODER_SIGN_WINDOWS:"1"`
`1280`	`1280`	`CODER_WINDOWS_RESOURCES:"1"`
	`1281`	`+CODER_SIGN_GPG:"1"`
`1281`	`1282`	`EV_KEY:${{ secrets.EV_KEY }}`
`1282`	`1283`	`EV_KEYSTORE:${{ secrets.EV_KEYSTORE }}`
`1283`	`1284`	`EV_TSA_URL:${{ secrets.EV_TSA_URL }}`

`‎.github/workflows/release.yaml`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -323,6 +323,7 @@ jobs:`
`323`	`323`	`env:`
`324`	`324`	`CODER_SIGN_WINDOWS:"1"`
`325`	`325`	`CODER_SIGN_DARWIN:"1"`
	`326`	`+CODER_SIGN_GPG:"1"`
`326`	`327`	`CODER_WINDOWS_RESOURCES:"1"`
`327`	`328`	`AC_CERTIFICATE_FILE:/tmp/apple_cert.p12`
`328`	`329`	`AC_CERTIFICATE_PASSWORD_FILE:/tmp/apple_cert_password.txt`

`‎Makefile`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -252,6 +252,10 @@ $(CODER_ALL_BINARIES): go.mod go.sum \`
`252`	`252`	`fi`
`253`	`253`
`254`	`254`	`cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"`
	`255`	`+`
	`256`	`+if [[ "$${CODER_SIGN_GPG:-0}" == "1" ]]; then`
	`257`	`+cp "$@.asc" "./site/out/bin/coder-$$os-$$arch$$dot_ext.asc"`
	`258`	`+fi`
`255`	`259`	`fi`
`256`	`260`
`257`	`261`	`# This task builds Coder Desktop dylibs`

`‎scripts/build_go.sh`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ slim="${CODER_SLIM_BUILD:-0}"`
`41`	`41`	`agpl="${CODER_BUILD_AGPL:-0}"`
`42`	`42`	`sign_darwin="${CODER_SIGN_DARWIN:-0}"`
`43`	`43`	`sign_windows="${CODER_SIGN_WINDOWS:-0}"`
	`44`	`+sign_gpg="${CODER_SIGN_GPG:-0}"`
`44`	`45`	`boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}`
`45`	`46`	`dylib=0`
`46`	`47`	`windows_resources="${CODER_WINDOWS_RESOURCES:-0}"`
`@@ -85,6 +86,10 @@ while true; do`
`85`	`86`	`sign_windows=1`
`86`	`87`	`shift`
`87`	`88`	`;;`
	`89`	`+--sign-gpg)`
	`90`	`+sign_gpg=1`
	`91`	`+shift`
	`92`	`+;;`
`88`	`93`	`--boringcrypto)`
`89`	`94`	`boringcrypto=1`
`90`	`95`	`shift`
`@@ -319,4 +324,9 @@ if [[ "$sign_windows" == 1 ]] && [[ "$os" == "windows" ]]; then`
`319`	`324`	`execrelative ./sign_windows.sh"$output_path"1>&2`
`320`	`325`	`fi`
`321`	`326`
	`327`	`+# Platform agnostic signing`
	`328`	`+if [["$sign_gpg"== 1 ]];then`
	`329`	`+execrelative ./sign_with_gpg.sh"$output_path"1>&2`
	`330`	`+fi`
	`331`	`+`
`322`	`332`	`echo"$output_path"`

`‎scripts/sign_with_gpg.sh`

Lines changed: 62 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,62 @@`
	`1`	`+#!/usr/bin/env bash`
	`2`	`+`
	`3`	`+# This script signs a given binary using GPG.`
	`4`	`+# It expects the binary to be signed as the first argument.`
	`5`	`+#`
	`6`	`+# Usage: ./sign_with_gpg.sh path/to/binary`
	`7`	`+#`
	`8`	`+# On success, the input file will be signed using the GPG key.`
	`9`	`+#`
	`10`	`+# Depends on the GPG utility. Requires the following environment variables to be set:`
	`11`	`+# - $CODER_GPG_RELEASE_KEY_BASE64: The base64 encoded private key to use.`
	`12`	`+`
	`13`	`+set -euo pipefail`
	`14`	`+# shellcheck source=scripts/lib.sh`
	`15`	`+source"$(dirname"${BASH_SOURCE[0]}")/lib.sh"`
	`16`	`+`
	`17`	`+requiredenvs CODER_GPG_RELEASE_KEY_BASE64`
	`18`	`+`
	`19`	`+FILE_TO_SIGN="$1"`
	`20`	`+`
	`21`	`+if [[-z"$FILE_TO_SIGN" ]];then`
	`22`	`+echo"Usage:$0 <file_to_sign>"`
	`23`	`+exit 1`
	`24`	`+fi`
	`25`	`+`
	`26`	`+if [[!-f"$FILE_TO_SIGN" ]];then`
	`27`	`+echo"File not found:$FILE_TO_SIGN"`
	`28`	`+exit 1`
	`29`	`+fi`
	`30`	`+`
	`31`	`+# Import the GPG key.`
	`32`	`+old_gnupg_home="${GNUPGHOME:-}"`
	`33`	`+gnupg_home_temp="$(mktemp -d)"`
	`34`	`+export GNUPGHOME="$gnupg_home_temp"`
	`35`	`+`
	`36`	`+# Ensure GPG uses the temporary directory`
	`37`	`+echo"$CODER_GPG_RELEASE_KEY_BASE64"\| base64 -d\| gpg --homedir"$gnupg_home_temp" --import1>&2`
	`38`	`+`
	`39`	`+# Sign the binary. This generates a file in the same directory and`
	`40`	`+# with the same name as the binary but ending in ".asc".`
	`41`	`+#`
	`42`	+# We pipe `true` into `gpg` so that it never tries to be interactive (i.e.
	`43`	`+# ask for a passphrase). The key we import above is not password protected.`
	`44`	`+true\| gpg --homedir"$gnupg_home_temp" --detach-sign --armor"$FILE_TO_SIGN"1>&2`
	`45`	`+`
	`46`	`+# Verify the signature and capture the exit status`
	`47`	`+gpg --homedir"$gnupg_home_temp" --verify"${FILE_TO_SIGN}.asc""$FILE_TO_SIGN"1>&2`
	`48`	`+verification_result=$?`
	`49`	`+`
	`50`	`+# Clean up the temporary GPG home`
	`51`	`+rm -rf"$gnupg_home_temp"`
	`52`	`+unset GNUPGHOME`
	`53`	`+if [["$old_gnupg_home"!="" ]];then`
	`54`	`+export GNUPGHOME="$old_gnupg_home"`
	`55`	`+fi`
	`56`	`+`
	`57`	`+if [[$verification_result-eq 0 ]];then`
	`58`	`+echo"${FILE_TO_SIGN}.asc"`
	`59`	`+else`
	`60`	`+echo"Signature verification failed!">&2`
	`61`	`+exit 1`
	`62`	`+fi`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite80259c

File tree

5 files changed

5 files changed

`‎.github/workflows/ci.yaml`

`‎.github/workflows/release.yaml`

`‎Makefile`

`‎scripts/build_go.sh`

`‎scripts/sign_with_gpg.sh`

0 commit comments