Sign release artifacts in CI #7

Closed
opened 2026-03-29 06:09:26 +00:00 by bcox · 0 comments

Goal

Sign the release artifacts (RPM, deb, APK, WASM zip) produced by the CI pipeline so users can verify they came from this project.

Approach

1. Create a dedicated signing key

Generate a GPG key specifically for CI signing (not a personal key):

```sh
gpg --batch --gen-key <<KEYEOF
Key-Type: RSA
Key-Length: 4096
Name-Real: SBC7 Release Signing
Name-Email: sbc7@djehuti.com
Expire-Date: 0
%no-protection
KEYEOF
```

Export the private key and store it as a Forgejo repository secret (Settings → Secrets → Actions), e.g. GPG_SIGNING_KEY.

Publish the public key in the repo (e.g. pkg/signing-key.asc) so users can import it.

2. Add signing steps to the release workflow

In each build job or in the final release job, import the key and sign:

  • RPM: rpmsign --addsign *.rpm
  • Deb: dpkg-sig -k <KEY_ID> --sign builder *.deb
  • APK: already signed by Android build; could add a detached GPG signature
  • Generic files (WASM zip, brew formula, tarball): gpg --detach-sign --armor <file>

Upload .asc signature files alongside the artifacts.

3. Optional: sign git tags too

Configure git tag -s for release tags so Forgejo shows a "Verified" badge. This uses a personal key (not the CI key).

Tasks

  • Generate dedicated CI signing key
  • Store private key as Forgejo secret
  • Add public key to repo
  • Add RPM signing step
  • Add deb signing step
  • Add detached signatures for other artifacts
  • Document verification in docs/
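What the "Document verification in docs/" task would need, as an added end-to-end example (not code from the issue or the sbc7 project): it generates a throwaway CI key with the issue's batch parameters, publishes the public half, detach-signs a constructed artifact, and verifies it from a separate user keyring while pinning the key fingerprint. The temp paths, the 2048-bit key length and the artifact name are assumptions chosen so it runs quickly and offline.

```shell
# Added example (not from the issue): runs the proposed detached-signature flow
# end to end in a throwaway keyring, offline. Key identity follows the issue's
# batch file; 2048-bit length and artifact names are constructed for speed.
set -eu
WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/ci-gnupg"; mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
PUBKEY="$WORK/signing-key.asc"        # stands in for pkg/signing-key.asc
SIGNER="sbc7@djehuti.com"

# CI key: dedicated and passphrase-less, as in the issue (no-op if present).
gen_signing_key() {
    gpg --batch --list-secret-keys "$SIGNER" >/dev/null 2>&1 && return 0
    gpg --batch --quiet --gen-key 2>/dev/null <<KEYEOF
Key-Type: RSA
Key-Length: 2048
Name-Real: SBC7 Release Signing
Name-Email: $SIGNER
Expire-Date: 0
%no-protection
%commit
KEYEOF
}

# Public half for users to import; CI signing step from the issue.
export_public_key() { gpg --batch --armor --export "$SIGNER" > "$PUBKEY"; }
sign_artifact() { gpg --batch --yes -u "$SIGNER" --detach-sign --armor "$1"; }

# User side: separate keyring, import the published key, verify, and pin the
# key's fingerprint rather than accept "Good signature" from any imported key.
# Returns 0 only for a good signature by that key.
verify_artifact() {
    _kr="$WORK/user-gnupg"; mkdir -p "$_kr"; chmod 700 "$_kr"
    GNUPGHOME="$_kr" gpg --batch --quiet --import "$PUBKEY" 2>/dev/null
    _fpr=$(GNUPGHOME="$_kr" gpg --batch --with-colons --fingerprint "$SIGNER" |
           awk -F: '/^fpr/ { print $10; exit }')
    if GNUPGHOME="$_kr" gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
       grep -q "^\[GNUPG:\] VALIDSIG .*$_fpr"; then
        echo "ok: $1"
    else
        echo "FAIL: $1"; return 1
    fi
}

# Demo: sign a constructed artifact, then show a tampered copy is rejected.
gen_signing_key; export_public_key
ART="$WORK/sbc7-1.0.0-wasm.zip"; printf 'constructed payload\n' > "$ART"
sign_artifact "$ART"; verify_artifact "$ART"                      # ok
cp "$ART" "$ART.bad"; cp "$ART.asc" "$ART.bad.asc"; printf x >> "$ART.bad"
verify_artifact "$ART.bad" || true                                # FAIL
```

The same `verify_artifact` logic, with the published fingerprint hard-coded instead of read from the keyring, is what a user-facing verification doc should tell people to run.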
bcox referenced this issue from a commit 2026-04-05 04:54:02 +00:00
bcox closed this issue 2026-04-05 04:54:02 +00:00
Reference
bcox/sbc7#7