From 2618ca66e7a141922eb4cac5e54052e03554232a Mon Sep 17 00:00:00 2001
From: Sujoy Das
Date: Fri, 7 Nov 2025 01:35:33 +0200
Subject: [PATCH 1/2] fix: archlinux packaging issues

Fixes #56
---
 .github/workflows/go-build.yml | 2 ++
 .gitignore | 3 +++
 nfpm.yaml | 18 ++++++++++++++++--
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/go-build.yml b/.github/workflows/go-build.yml
index 2781356..ce8204f 100644
--- a/.github/workflows/go-build.yml
+++ b/.github/workflows/go-build.yml
@@ -169,6 +169,8 @@ jobs:
 mkdir -p dist
 nfpm pkg --packager archlinux --config nfpm.yaml --target dist/
 nfpm pkg --packager deb --config nfpm.yaml --target dist/
+ # sign the package for arch linux
+ gpg --batch --yes --detach-sign dist/*.pkg.tar.zst

 - name: upload build artifact
 uses: actions/upload-artifact@v4
diff --git a/.gitignore b/.gitignore
index 3a92b43..e19a6b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,6 @@
 **/node_modules/
 **/*ca_key*
 src/**
+
+# ignore test nfpm packages
+dist/**
diff --git a/nfpm.yaml b/nfpm.yaml
index c62ba8a..3afa1af 100644
--- a/nfpm.yaml
+++ b/nfpm.yaml
@@ -1,11 +1,25 @@
 name: ssh-keysign
 arch: amd64
 platform: linux
-version: 0.0.7
+version: 0.0.8
 section: default
 priority: extra
 maintainer: Sujoy Das
 description: Generate short lived, oauth verified, SSH certficates on the fly
+license: GPL v3.0
+homepage: https://github.com/binarycodes/ssh-key-signer
+
+archlinux:
+ packager: Sujoy Das
+ pkgbase: ssh-keysign
+
 contents:
 - src: ./go-ssh-keysign/bin/ssh-keysign-linux-amd64
- dst: /usr/local/bin/ssh-keysign
+ dst: /usr/bin/ssh-keysign
+ file_info:
+ mode: 0755
+ owner: root
+ group: root
+
+ - src: ./LICENSE
+ dst: /usr/share/licenses/ssh-keysign/LICENSE
From 30de6d0a1b5af35a4ef835747f9dbd84dabe174d Mon Sep 17 00:00:00 2001
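Review bot: `license: GPL v3.0` in the nfpm.yaml hunk is a free-form string where Arch packaging expects an SPDX identifier, and the archlinux packager presumably carries this value into the package metadata as-is; if the bundled LICENSE is GPLv3, `license: GPL-3.0-only` (or `GPL-3.0-or-later`, whichever the project intends) is the form Arch's license guidelines and `namcap` accept. `mode: 0755` is an unquoted leading-zero integer, which a YAML 1.1 reader takes as octal 493 and a YAML 1.2 reader as decimal 755; nfpm's own examples write modes this way, so it presumably parses as intended, but it is worth confirming once that the built package lists the binary as `-rwxr-xr-x` (e.g. `bsdtar -tvf` on the .pkg.tar.zst) rather than trusting the config. The `archlinux:` and `contents:` mappings continue to the end of the file, so nothing outside the hunk is affected.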
From: Sujoy Das
Date: Sun, 14 Dec 2025 22:21:43 +0200
Subject: [PATCH 2/2] fix gpg signing step

---
 .github/workflows/go-build.yml | 18 +++++++++++++++++-
 .github/workflows/go-ssh-keysign-workflow.yml | 3 +++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/go-build.yml b/.github/workflows/go-build.yml
index ce8204f..28c0aaf 100644
--- a/.github/workflows/go-build.yml
+++ b/.github/workflows/go-build.yml
@@ -2,6 +2,11 @@ name: generic-go-versionbuild

 on:
 workflow_call:
+ secrets:
+ GPG_PRIVATE_KEY:
+ required: true
+ GPG_PASSPHRASE:
+ required: true
 inputs:
 service:
 required: true
@@ -165,12 +170,23 @@ jobs:
 merge-multiple: true

 - name: package with nfpm
+ env:
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+ GPG_KEY_ID: mail@binarycodes.io
 run: |
 mkdir -p dist
 nfpm pkg --packager archlinux --config nfpm.yaml --target dist/
 nfpm pkg --packager deb --config nfpm.yaml --target dist/
+
 # sign the package for arch linux
- gpg --batch --yes --detach-sign dist/*.pkg.tar.zst
+ test -n "$GPG_PRIVATE_KEY" || { echo "GPG_PRIVATE_KEY is empty"; exit 1; }
+ printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import
+ gpg --batch --list-secret-keys --keyid-format LONG
+
+ FPR="$(gpg --batch --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')"
+
+ gpg --batch --yes --local-user "$FPR" --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --detach-sign dist/*.pkg.tar.zst

 - name: upload build artifact
 uses: actions/upload-artifact@v4
diff --git a/.github/workflows/go-ssh-keysign-workflow.yml b/.github/workflows/go-ssh-keysign-workflow.yml
index 41c0b9b..3a77f65 100644
--- a/.github/workflows/go-ssh-keysign-workflow.yml
+++ b/.github/workflows/go-ssh-keysign-workflow.yml
@@ -24,3 +24,6 @@ jobs:
 with:
 service: go-ssh-keysign
 artifactVersion: ${{ needs.set-version.outputs.short_sha }}
+ secrets:
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}