build-git-installers: publish gpg public key

Update build-git-installers workflow to publish `microsoft/git`'s GPG public
key as part of each release. Add explanation for how to use this key to verify
the Debian package's signature to the README.

Author: ldennington

.github/workflows/build-git-installers.yml

@@ -630,6 +630,10 @@ jobs:
   create-github-release:
     runs-on: ubuntu-latest
     needs: [validate-installers]
+    env:
+      AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+      GPG_PUBLIC_KEY_SECRET_NAME: ${{ secrets.GPG_PUBLIC_KEY_SECRET_NAME }}
+    environment: release
     if: |
       success() ||
         (needs.create-linux-artifacts.result == 'skipped' &&
@@ -641,21 +645,37 @@ jobs:
         with:
           name: win-portable-x86_64
           path: win-portable-x86_64
+
       - name: Download Windows x86_64 installer
         uses: actions/download-artifact@v3
         with:
           name: win-installer-x86_64
           path: win-installer-x86_64
+
       - name: Download macOS artifacts
         uses: actions/download-artifact@v3
         with:
           name: macos-artifacts
           path: macos-artifacts
+
       - name: Download Debian package
         uses: actions/download-artifact@v3
         with:
           name: linux-artifacts
           path: deb-package
+
+      - name: Log into Azure
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Download GPG public key signature file
+        run: |
+          az keyvault secret show --name "$GPG_PUBLIC_KEY_SECRET_NAME" \
+            --vault-name "$AZURE_VAULT" --query "value" \
+            | sed -e 's/^"//' -e 's/"$//' | base64 -d >msft-git-public.asc
+          mv msft-git-public.asc deb-package
+
       - uses: actions/github-script@v6
         with:
           script: |

README.md

@@ -114,12 +114,59 @@ Or you can run the `git update-microsoft-git` command, which will run those brew
 ## Linux
 ### Ubuntu/Debian distributions
 
-On newer distributions*, you can download the most recent Debian package from
-the [releases page](https://github.com/microsoft/git/releases/latest) (or
-using a tool such as `wget`) then run:
+On newer distributions*, you can install using the most recent Debian package.
+To download and validate the signature of this package, run the following:
 
 ```shell
-sudo dpkg -i <path to package>
+# Install needed packages
+apt-get install -y curl debsig-verify
+
+# Download public key signature file
+curl -s https://api.github.com/repos/microsoft/git/releases/latest \
+| grep -E 'browser_download_url.*msft-git-public.asc' \
+| cut -d : -f 2,3 \
+| tr -d \" \
+| xargs -I 'url' curl -L -o msft-git-public.asc 'url'
+
+# De-armor public key signature file
+gpg --output msft-git-public.gpg --dearmor msft-git-public.asc
+
+# Note that the fingerprint of this key is "B8F12E25441124E1", which you can
+# determine by running:
+gpg --show-keys msft-git-public.asc | head -n 2 | tail -n 1 | tail -c 17
+
+# Copy de-armored public key to debsig keyring folder
+mkdir /usr/share/debsig/keyrings/B8F12E25441124E1
+mv msft-git-public.gpg /usr/share/debsig/keyrings/B8F12E25441124E1/
+
+# Create an appropriate policy file
+mkdir /etc/debsig/policies/B8F12E25441124E1
+cat > /etc/debsig/policies/B8F12E25441124E1/generic.pol << EOL
+<?xml version="1.0"?>
+<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
+<Policy xmlns="https://www.debian.org/debsig/1.0/">
+  <Origin Name="Microsoft Git" id="B8F12E25441124E1" Description="Microsoft Git public key"/>
+  <Selection>
+    <Required Type="origin" File="msft-git-public.gpg" id="B8F12E25441124E1"/>
+  </Selection>
+  <Verification MinOptional="0">
+    <Required Type="origin" File="msft-git-public.gpg" id="B8F12E25441124E1"/>
+  </Verification>
+</Policy>
+EOL
+
+# Download Debian package
+curl -s https://api.github.com/repos/microsoft/git/releases/latest \
+| grep "browser_download_url.*deb" \
+| cut -d : -f 2,3 \
+| tr -d \" \
+| xargs -I 'url' curl -L -o msft-git.deb 'url'
+
+# Verify
+debsig-verify msft-git.deb
+
+# Install
+sudo dpkg -i msft-git.deb
 ```
 
 Double-check that you have the right version by running these commands,