
Commit 93a5901

vdyeldennington
authored and committed
release: add signing step for .deb package
- sign using Azure-stored certificates & client
- sign on Windows agent via python script
- job skipped if credentials for accessing certificate aren't present

Co-authored-by: Lessley Dennington <[email protected]>
1 parent d682d30 commit 93a5901

1 file changed

+47
-2
lines changed


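--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -5,6 +5,9 @@ on:
     tags:
       - 'v[0-9]*vfs*' # matches "v<number><any characters>vfs<any characters>"
 
+permissions:
+  id-token: write # required for Azure login via OIDC
+
 jobs:
   # Check prerequisites for the workflow
   prereqs:
@@ -475,10 +478,11 @@ jobs:
             git/.github/macos-installer/*.pkg
   # End build and sign Mac OSX installers
 
-  # Build unsigned Ubuntu package
+  # Build and sign Debian package
   create-linux-artifacts:
     runs-on: ubuntu-latest
     needs: prereqs
+    environment: release
     steps:
       - name: Install git dependencies
         run: |
@@ -547,10 +551,51 @@ jobs:
           # Move Debian package for later artifact upload
           mv "$PKGNAME.deb" "$GITHUB_WORKSPACE"
 
+      - name: Log into Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Prepare for GPG signing
+        env:
+          AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+          GPG_KEY_SECRET_NAME: ${{ secrets.GPG_KEY_SECRET_NAME }}
+          GPG_PASSPHRASE_SECRET_NAME: ${{ secrets.GPG_PASSPHRASE_SECRET_NAME }}
+          GPG_KEYGRIP_SECRET_NAME: ${{ secrets.GPG_KEYGRIP_SECRET_NAME }}
+        run: |
+          # Install debsigs
+          sudo apt install debsigs
+
+          # Download GPG key, passphrase, and keygrip from Azure Key Vault
+          key=$(az keyvault secret show --name $GPG_KEY_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
+          passphrase=$(az keyvault secret show --name $GPG_PASSPHRASE_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
+          keygrip=$(az keyvault secret show --name $GPG_KEYGRIP_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
+
+          # Remove quotes from downloaded values
+          key=$(sed -e 's/^"//' -e 's/"$//' <<<"$key")
+          passphrase=$(sed -e 's/^"//' -e 's/"$//' <<<"$passphrase")
+          keygrip=$(sed -e 's/^"//' -e 's/"$//' <<<"$keygrip")
+
+          # Import GPG key
+          echo "$key" | base64 -d | gpg --import --no-tty --batch --yes
+
+          # Configure GPG
+          echo "allow-preset-passphrase" > ~/.gnupg/gpg-agent.conf
+          gpg-connect-agent RELOADAGENT /bye
+          /usr/lib/gnupg2/gpg-preset-passphrase --preset "$keygrip" <<<"$passphrase"
+
+      - name: Sign Debian package
+        run: |
+          # Sign Debian package
+          version="${{ needs.prereqs.outputs.tag_version }}"
+          debsigs --sign=origin --verify --check microsoft-git_"$version".deb
+
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:
           name: linux-artifacts
           path: |
             *.deb
-  # End build unsigned Debian package
+  # End build and sign Debian package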
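Review bot: The Key Vault values read in the `Prepare for GPG signing` step are runtime data rather than `secrets.*` context, so Actions does not mask them; should a later command, an error path, or a shell trace print `$key`, `$passphrase` or `$keygrip`, they land in the job log in clear. Register each value right after it is fetched, e.g. `echo "::add-mask::$passphrase"`, before it is used. The three quote-stripping `sed` lines can go if the CLI is asked for raw output, `az keyvault secret show ... --query value -o tsv`, which also avoids mangling a value that contains an escaped quote; `sudo apt install debsigs` is likely better as `sudo apt-get install -y debsigs` so a dependency prompt cannot abort the non-interactive step. Separately, the top-level `permissions:` block in the first hunk grants `id-token: write` to every job in the workflow and, if I read GitHub's semantics correctly, resets every unlisted scope such as `contents` to none for all of them; declaring it on the jobs that actually log into Azure would be the least-privilege shape. The description says the job is skipped when the certificate credentials are absent, but no `if:` condition is visible on `create-linux-artifacts` or its Azure steps in these hunks, so that gate presumably lives elsewhere and is worth confirming.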
