GPG - KeySign and runnable Linux ELF Binary

2025-08-27 21:08:04 +02:00
parent 68741badd8
commit 9145be78a3
3 changed files with 116 additions and 3 deletions
--- a/.gitea/workflows/compile.yaml
+++ b/.gitea/workflows/compile.yaml
@@ -33,7 +33,10 @@ jobs:
            build-essential \
            curl \
            pkg-config \
-            xdg-utils
+            xdg-utils \
+            rpm \
+            dpkg-sig \
+            gnupg2

      - name: Add Windows Rust target
        run: rustup target add x86_64-pc-windows-gnu
@@ -51,6 +54,47 @@ jobs:
          cd src-tauri
          cargo build --release --target x86_64-pc-windows-gnu

+      - name: Make Linux ELF executable
+        run: chmod +x src-tauri/target/release/bytechat-desktop
+
+      # 🔑 Import GPG private key (with passphrase)
+      - name: Import GPG key
+        run: |
+          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
+          echo "$GPG_KEY_ID:6:" | gpg --import-ownertrust
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+
+      # 🐧 Sign Linux packages
+      - name: Sign Linux .deb
+        run: |
+          for f in src-tauri/target/release/bundle/deb/*.deb; do
+            echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 \
+              --pinentry-mode loopback --detach-sign -a "$f"
+          done
+        env:
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Sign Linux .rpm
+        run: |
+          for f in src-tauri/target/release/bundle/rpm/*.rpm; do
+            echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 \
+              --pinentry-mode loopback --detach-sign -a "$f"
+          done
+        env:
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+
+      # 🪟 Sign Windows exe with GPG
+      - name: Sign Windows exe
+        run: |
+          exe=src-tauri/target/x86_64-pc-windows-gnu/release/bytechat-desktop.exe
+          echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 \
+            --pinentry-mode loopback --detach-sign -a "$exe"
+        env:
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+
+      # 📦 Upload Linux artifacts + signatures + public key
      - name: Upload Linux packages
        uses: actions/upload-artifact@v3
        with:
@@ -58,10 +102,17 @@ jobs:
          path: |
            src-tauri/target/release/bytechat-desktop
            src-tauri/target/release/bundle/deb/*.deb
+            src-tauri/target/release/bundle/deb/*.asc
            src-tauri/target/release/bundle/rpm/*.rpm
+            src-tauri/target/release/bundle/rpm/*.asc
+            key/bytechat-public.gpg

+      # 📦 Upload Windows exe + signature
      - name: Upload Windows exe
        uses: actions/upload-artifact@v3
        with:
          name: tauri-windows-exe
-          path: src-tauri/target/x86_64-pc-windows-gnu/release/bytechat-desktop.exe
+          path: |
+            src-tauri/target/x86_64-pc-windows-gnu/release/bytechat-desktop.exe
+            src-tauri/target/x86_64-pc-windows-gnu/release/bytechat-desktop.exe.asc
+