verify signing fingerprint

.github/scripts/verify-signature.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -ue
+
+DISTDIR=$1
+
+export FINGERPRINT=$(gpg --verify ${DISTDIR}/*checksums.txt.sig ${DISTDIR}/*checksums.txt 2>&1 | grep 'using RSA key' | awk '{ print $NF }')
+
+if [[ "${FINGERPRINT}" == "${SIGNING_FINGERPRINT}" ]]; then
+    echo 'verified signature'
+else
+    echo "signed with unknown fingerprint: ${FINGERPRINT}"
+    echo "           expected fingerprint: ${SIGNING_FINGERPRINT}"
+    exit 1
+fi

.github/workflows/acceptance-test.yaml

@@ -65,7 +65,7 @@ jobs:
       - uses: actions/upload-artifact@v2
         with:
           name: artifacts
-          path: snapshot
+          path: snapshot/**/*
 
   # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
   Acceptance-Linux:

.github/workflows/release.yaml

@@ -111,8 +111,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
           PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
+          SIGNING_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
 
       - uses: actions/upload-artifact@v2
         with:
           name: artifacts
-          path: dist
+          path: dist/**/*

Makefile

@@ -159,9 +159,6 @@ $(SNAPSHOTDIR): ## Build snapshot release binaries and packages
 	BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
 	$(TEMPDIR)/goreleaser release --skip-publish --rm-dist --snapshot --config $(TEMPDIR)/goreleaser.yaml
 
-	# verify checksum signatures
-	gpg --verify $(SNAPSHOTDIR)/*checksums.txt.sig $(SNAPSHOTDIR)/*checksums.txt
-
 .PHONY: acceptance-mac
 acceptance-mac: $(SNAPSHOTDIR) ## Run acceptance tests on build snapshot binaries and packages (Mac)
 	$(call title,Running acceptance test: Run on Mac)
@@ -205,7 +202,7 @@ release: clean-dist ## Build and publish final binaries and packages
 	$(TEMPDIR)/goreleaser --rm-dist --config $(TEMPDIR)/goreleaser.yaml
 
 	# verify checksum signatures
-	gpg --verify $(DISTDIR)/*checksums.txt.sig $(DISTDIR)/*checksums.txt
+	.github/scripts/verify-signature.sh "$(DISTDIR)"
 
 	# create a version file for version-update checks
 	echo "$(VERSION)" > $(DISTDIR)/VERSION