From b0abaa25719a26bf2b1de946d06c522768df8e1f Mon Sep 17 00:00:00 2001
From: Matt Corallo
Date: Tue, 10 May 2022 16:13:26 +0000
Subject: [PATCH] Replace PGP signing action with the bash script from the same

The PGP signing action ultimately just calls gpg with arguments set in https://github.com/actionhippie/gpgsign/blob/v1/overlay/usr/local/bin/entrypoint so its rather trivial to simply take the required arguments and put them directly in CI. This is substantially safer than the PGP signing action used as the action currently downloads, unverified and un-pinned, a docker image in order to access PGP.
---
 .github/workflows/prod-deploy.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/prod-deploy.yml b/.github/workflows/prod-deploy.yml
index 6bfb3cc9..48db6daa 100644
--- a/.github/workflows/prod-deploy.yml
+++ b/.github/workflows/prod-deploy.yml
@@ -21,12 +21,15 @@ jobs:
       - name: Create tar.gz
         run: tar -czvf cinny-${{ steps.vars.outputs.tag }}.tar.gz dist
       - name: Sign tar.gz
-        uses: actionhippie/gpgsign@4e28208b142cae93e1582401dcda1cf79e4f72c0
-        with:
-          private_key: ${{ secrets.GNUPG_KEY }}
-          passphrase: ${{ secrets.GNUPG_PASSPHRASE }}
-          detach_sign: true
-          files: cinny-${{ steps.vars.outputs.tag }}.tar.gz
+        run: |
+          echo '${{ secrets.GNUPG_KEY }}' | gpg --batch --import
+          # Sadly a few lines in the private key match a few lines in the public key,
+          # As a result just --export --armor gives us a few lines replaced with ***
+          # making it useless for importing the signing key. Instead, we dump it as
+          # non-armored and hex-encode it so that its printable.
+          echo "PGP Signing key, in raw PGP format in hex. Import with cat ... | xxd -r -p - | gpg --import"
+          gpg --export | xxd -p
+          echo '${{ secrets.GNUPG_PASSPHRASE }}' | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign cinny-${{ steps.vars.outputs.tag }}.tar.gz
       - name: Upload tagged release
         uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
         with:
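Review bot: The two `echo '${{ secrets.GNUPG_KEY }}'` and `echo '${{ secrets.GNUPG_PASSPHRASE }}'` lines splice the private key and passphrase into the shell script text itself, so the step silently produces a broken script if either value ever contains a single quote, and the secret is embedded in the script file the runner materialises rather than only living in the process environment. The GitHub Actions hardening guidance for `run:` steps is to pass `${{ }}` values through an `env:` block and read them as shell variables, which keeps the shell quoting independent of the secret's content; `printf '%s\n' "$VAR"` then feeds gpg the same bytes on stdin that the `echo` did. The `${{ steps.vars.outputs.tag }}` interpolation is shared with the pre-existing `tar` context line and is not introduced here, though the same `env:` treatment would apply to it. The `steps:` list and the `jobs:` mapping this step belongs to begin before the hunk.
```yaml
      - name: Sign tar.gz
        env:
          GNUPG_KEY: ${{ secrets.GNUPG_KEY }}
          GNUPG_PASSPHRASE: ${{ secrets.GNUPG_PASSPHRASE }}
        run: |
          printf '%s\n' "$GNUPG_KEY" | gpg --batch --import
          # … unchanged: explanatory comment and hex dump of the public key …
          printf '%s\n' "$GNUPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign cinny-${{ steps.vars.outputs.tag }}.tar.gz
```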