From c9dea592323c2a7ca4640cf49f355d147dc4c6f7 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Sat, 25 Jul 2020 09:05:19 -0400
Subject: [PATCH] verify signing fingerprint

---
 .github/scripts/verify-signature.sh | 14 ++++++++++++++
 .github/workflows/acceptance-test.yaml | 2 +-
 .github/workflows/release.yaml | 3 ++-
 Makefile | 5 +----
 4 files changed, 18 insertions(+), 6 deletions(-)
 create mode 100755 .github/scripts/verify-signature.sh

diff --git a/.github/scripts/verify-signature.sh b/.github/scripts/verify-signature.sh
new file mode 100755
index 000000000..c022afc5d
--- /dev/null
+++ b/.github/scripts/verify-signature.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -ue
+
+DISTDIR=$1
+
+export FINGERPRINT=$(gpg --verify ${DISTDIR}/*checksums.txt.sig ${DISTDIR}/*checksums.txt 2>&1 | grep 'using RSA key' | awk '{ print $NF }')
+
+if [[ "${FINGERPRINT}" == "${SIGNING_FINGERPRINT}" ]]; then
+ echo 'verified signature'
+ else
+ echo "signed with unknown fingerprint: ${FINGERPRINT}"
+ echo " expected fingerprint: ${SIGNING_FINGERPRINT}"
+ exit 1
+ fi
diff --git a/.github/workflows/acceptance-test.yaml b/.github/workflows/acceptance-test.yaml
index d06a6f78d..03643b396 100644
--- a/.github/workflows/acceptance-test.yaml
+++ b/.github/workflows/acceptance-test.yaml
@@ -65,7 +65,7 @@ jobs:
 - uses: actions/upload-artifact@v2
 with:
 name: artifacts
- path: snapshot
+ path: snapshot/**/*

 # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
 Acceptance-Linux:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c86e3bab2..5b2f42a0f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
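Review bot: The comparison on the `if [[ "${FINGERPRINT}" == "${SIGNING_FINGERPRINT}" ]]` line does not establish that the signature is valid: gpg's exit status is discarded by the `export FINGERPRINT=$(… | grep | awk)` pipeline (the status is export's, and the pipe's is awk's), and gpg prints its `using RSA key` line before it reports a BAD signature, so a tampered checksums file carrying a bad signature from the expected key still ends in `verified signature`. The parse is also fragile — it depends on human-readable wording and on the key being RSA — and when both the parsed value and `SIGNING_FINGERPRINT` are empty strings the equality succeeds (`set -u` only catches the unset case). Check gpg's exit status explicitly and take the fingerprint from the machine-readable `--status-fd` output (`VALIDSIG`), guard with `: "${SIGNING_FINGERPRINT:?}"`, and quote `"${DISTDIR}"`; adding `-o pipefail` to `set -ue` would at least surface grep/awk failures in any remaining pipeline. In `VALIDSIG` the third field is the signing (sub)key fingerprint and the last field the primary key fingerprint, so compare against whichever one `SIGNING_FINGERPRINT` is expected to carry.
```shell
DISTDIR=$1

# fail closed: an empty expected value would otherwise match an empty parsed value
: "${SIGNING_FINGERPRINT:?SIGNING_FINGERPRINT must be set}"

# gpg's exit status decides validity; the fingerprint comes from machine-readable status lines
if ! STATUS=$(gpg --status-fd 1 --verify "${DISTDIR}"/*checksums.txt.sig "${DISTDIR}"/*checksums.txt); then
  echo 'signature verification failed'
  exit 1
fi
# VALIDSIG: field 3 is the signing (sub)key fingerprint; the last field is the primary key fingerprint
FINGERPRINT=$(printf '%s\n' "${STATUS}" | awk '$2 == "VALIDSIG" { print $3 }')

# … unchanged: fingerprint comparison and messages …
```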
@@ -111,8 +111,9 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
 PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
+ SIGNING_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}

 - uses: actions/upload-artifact@v2
 with:
 name: artifacts
- path: dist
\ No newline at end of file
+ path: dist/**/*
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 00fa85ae4..f9bfcecbd 100644
--- a/Makefile
+++ b/Makefile
@@ -159,9 +159,6 @@ $(SNAPSHOTDIR): ## Build snapshot release binaries and packages
 BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
 $(TEMPDIR)/goreleaser release --skip-publish --rm-dist --snapshot --config $(TEMPDIR)/goreleaser.yaml

- # verify checksum signatures
- gpg --verify $(SNAPSHOTDIR)/*checksums.txt.sig $(SNAPSHOTDIR)/*checksums.txt
-
 .PHONY: acceptance-mac
 acceptance-mac: $(SNAPSHOTDIR) ## Run acceptance tests on build snapshot binaries and packages (Mac)
 $(call title,Running acceptance test: Run on Mac)
@@ -205,7 +202,7 @@ release: clean-dist ## Build and publish final binaries and packages
 $(TEMPDIR)/goreleaser --rm-dist --config $(TEMPDIR)/goreleaser.yaml

 # verify checksum signatures
- gpg --verify $(DISTDIR)/*checksums.txt.sig $(DISTDIR)/*checksums.txt
+ .github/scripts/verify-signature.sh "$(DISTDIR)"

 # create a version file for version-update checks
 echo "$(VERSION)" > $(DISTDIR)/VERSION
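Review bot: The expected value added on the `SIGNING_FINGERPRINT:` line is taken from `steps.import_gpg.outputs.fingerprint`, i.e. from the same private key the job just imported, so the check confirms that goreleaser signed with the imported key rather than that the release was signed by the project's intended release key; if the key secret were replaced, both sides of the comparison would change together and the check would still pass. Pinning the expected value independently of the imported key, e.g. `SIGNING_FINGERPRINT: "<EXPECTED_RELEASE_KEY_FINGERPRINT>"  # placeholder: the published release-key fingerprint`, makes the verification meaningful against key substitution. The `import_gpg` step is outside the hunk, so whether its output is the primary-key or a subkey fingerprint cannot be confirmed here; it must match the kind of fingerprint the verify script extracts from gpg's output.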
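Review bot: The `release` recipe now runs `.github/scripts/verify-signature.sh "$(DISTDIR)"`, which reads `SIGNING_FINGERPRINT` from the environment and aborts under `set -u` when it is missing, but nothing in the Makefile documents that requirement; a comment such as `# requires SIGNING_FINGERPRINT in the environment (set by .github/workflows/release.yaml); fails when unset` would spare the next person a confusing failure when running the target locally. The earlier hunk at `$(SNAPSHOTDIR)` drops the snapshot signature check outright instead of routing it through the same script; if snapshot builds are intentionally unsigned, a one-line comment there saying so would make the asymmetry look deliberate rather than accidental. The `release` rule's header and the rest of its recipe are outside the hunk.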