Add Debian package and dsc signing with repo key

Allows for the verification of the integrity and ownership of the resulting .deb, .dsc, .changes, and .buildinfo files for both Debian and Ubuntu using `debsig-verify` and the standard Apt toolkits. Closes #14
2024-05-01 13:32:47 -04:00
parent 759c75a107
commit 3ddb375a90
2 changed files with 38 additions and 2 deletions
--- a/.github/workflows/release-build.yaml
+++ b/.github/workflows/release-build.yaml
@@ -78,7 +78,7 @@ jobs:

      - name: "Install dependencies"
        run: |-
-          sudo apt-get install --yes python3-git python3-yaml
+          sudo apt-get install --yes python3-git python3-yaml debsigs devscripts

      - name: "Checkout repository"
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -90,6 +90,22 @@ jobs:
      - name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}"
        run: |-
          sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} debian ${{ matrix.arch }} ${{ matrix.release }}
+          sudo chown --recursive $USER out/debian
+
+      - name: "Import repository signing GPG key"
+        run: |
+          echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import
+
+      - name: "Sign Debian package and source files"
+        run: |
+          for file in out/debian/*.deb; do
+              debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file}
+          done
+          debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/debian/*.changes
+
+      - name: "Remove repository signing GPG key"
+        run: |
+          gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }}

      - name: "Upload artifacts to repository server"
        uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
@@ -172,7 +188,7 @@ jobs:

      - name: "Install dependencies"
        run: |-
-          sudo apt-get install --yes python3-git python3-yaml
+          sudo apt-get install --yes python3-git python3-yaml debsigs devscripts

      - name: "Checkout repository"
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -184,6 +200,22 @@ jobs:
      - name: "Run builder for ${{ matrix.version }} ${{ matrix.arch }}"
        run: |-
          sudo --preserve-env ./build.py ${{ env.JELLYFIN_VERSION }} ubuntu ${{ matrix.arch }} ${{ matrix.release }}
+          sudo chown --recursive $USER out/ubuntu
+
+      - name: "Import repository signing GPG key"
+        run: |
+          echo -n "${{ secrets.DEBIAN_SIGNING_KEY }}" | base64 --decode | gpg --batch --yes --import
+
+      - name: "Sign Ubuntu package and source files"
+        run: |
+          for file in out/ubuntu/*.deb; do
+              debsigs --sign=origin --default-key=${{ secrets.DEBIAN_SIGNING_KEY_ID }} ${file}
+          done
+          debsign -k ${{ secrets.DEBIAN_SIGNING_KEY_ID }} out/ubuntu/*.changes
+
+      - name: "Remove repository signing GPG key"
+        run: |
+          gpg --batch --yes --delete-secret-keys ${{ secrets.DEBIAN_SIGNING_KEY_ID }}

      - name: "Upload artifacts to repository server"
        uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7