build: Generate .asc files for release packages (fixes #8897)

2024-12-22 10:58:57 +00:00 · 2023-06-06 12:53:10 +02:00 · 2023-06-06 12:53:10 +02:00 · 88da67d7c3
commit 88da67d7c3
parent 1f07e05470
1 changed files with 22 additions and 1 deletions
--- a/.github/workflows/build-syncthing.yaml
+++ b/.github/workflows/build-syncthing.yaml
@ -419,7 +419,7 @@ jobs:
          path: syncthing-source-*.tar.gz

  #
-  # Sign binaries for auto upgrade
+  # Sign binaries for auto upgrade, generate ASC signature files
  #

  sign-for-upgrade:
@ -432,6 +432,7 @@ jobs:
      - package-linux
      - package-macos
      - package-cross
+      - package-source
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
@ -460,9 +461,29 @@ jobs:
          mv packages-*/* packages
          pushd packages
          "$GITHUB_WORKSPACE/tools/sign-only"
+          rm -f "$PRIVATE_KEY"
        env:
          STSIGTOOL_PRIVATE_KEY: ${{ secrets.STSIGTOOL_PRIVATE_KEY }}

+      - name: Create and sign .asc files
+        run: |
+          sudo apt update
+          sudo apt -y install gnupg
+
+          export SIGNING_KEY="$RUNNER_TEMP/gpg-secret.asc"
+          echo "$GNUPG_SIGNING_KEY_BASE64" | base64 -d > "$SIGNING_KEY"
+          gpg --import < "$SIGNING_KEY"
+
+          pushd packages
+          files=(*.tar.gz *.zip)
+          sha1sum "${files[@]}" | gpg --clearsign > sha1sum.txt.asc
+          sha256sum "${files[@]}" | gpg --clearsign > sha256sum.txt.asc
+          gpg --sign --armour --detach syncthing-source-*.tar.gz
+          popd
+          rm -f "$SIGNING_KEY" .gnupg
+        env:
+          GNUPG_SIGNING_KEY_BASE64: ${{ secrets.GNUPG_SIGNING_KEY_BASE64 }}
+
      - name: Archive artifacts
        uses: actions/upload-artifact@v3
        with: