Use minisign instead of gpg for signing CI artifacts (attempt 2)

.github/actions/release-artifact/action.yml

@@ -24,8 +24,10 @@ runs:
     - name: Sign artifacts
       shell: bash
       run: |
-        echo "$MINISIGN_PRIVATE_KEY" > private.key
+        echo "$MINISIGN_PRIVATE_KEY" | base64 --decode > private.key
+        chmod 400 private.key
         for i in dist/*; do
+          echo "Signing $i"
           minisign -S -s private.key -t "$GITHUB_WORKFLOW_REF $GITHUB_RUN_ID $GITHUB_RUN_ATTEMPT" -m "$i"
         done
         rm -v private.key

dev/Documentation/Signatures.md

@@ -15,12 +15,11 @@ to verify the downloaded binaries before publishing.
 1. Remove the old key:
     - `rm ./keys/github-actions.pub`
 1. Create the new key:
-    - `minisign -G -s ./XXX_NEW_PRIVATE_KEY -p ./keys/github-actions.pub`
-    - Leave the password blank
+    - `minisign -G -W -s ./XXX_NEW_PRIVATE_KEY -p ./keys/github-actions.pub`
 1. Get the private key:
-    - `cat ./XXX_NEW_PRIVATE_KEY`
+    - `cat ./XXX_NEW_PRIVATE_KEY | base64`
     - Copy the result as the value of `MINISIGN_PRIVATE_KEY` at <https://github.com/avh4/elm-format/settings/secrets/actions>
 1. Securely delete the private key:
-    - `shred -vz XXX_NEW_PRIVATE_KEY`
+    - `shred -uvz XXX_NEW_PRIVATE_KEY`
 1. Check in the changes to `./keys/github-actions.pub`
 1. Push to a branch whose name starts with "release/" to trigger the Build Release workflows, and make sure they succeed.

keys/github-actions.pub

@@ -1,2 +1,2 @@
-untrusted comment: minisign public key 193A5479E5DAC8ED
-RWTtyNrleVQ6GQ8+wXDd8nr5i37IiU1dozzDpR0F+CYqkZDwh/BxXu9u
+untrusted comment: minisign public key AD7B120324D7931C
+RWQck9ckAxJ7rR33f9wfM1h4lDzf9etWvDW7jBZUNUhIJ/PPoSN2K1Q9