diff --git a/.github/actions/release-artifact/action.yml b/.github/actions/release-artifact/action.yml index 6ee1c0d44..96802bc01 100644 --- a/.github/actions/release-artifact/action.yml +++ b/.github/actions/release-artifact/action.yml @@ -24,8 +24,10 @@ runs: - name: Sign artifacts shell: bash run: | - echo "$MINISIGN_PRIVATE_KEY" > private.key + echo "$MINISIGN_PRIVATE_KEY" | base64 --decode > private.key + chmod 400 private.key for i in dist/*; do + echo "Signing $i" minisign -S -s private.key -t "$GITHUB_WORKFLOW_REF $GITHUB_RUN_ID $GITHUB_RUN_ATTEMPT" -m "$i" done rm -v private.key diff --git a/dev/Documentation/Signatures.md b/dev/Documentation/Signatures.md index f2fe5e487..4793b9a11 100644 --- a/dev/Documentation/Signatures.md +++ b/dev/Documentation/Signatures.md @@ -15,12 +15,11 @@ to verify the downloaded binaries before publishing. 1. Remove the old key: - `rm ./keys/github-actions.pub` 1. Create the new key: - - `minisign -G -s ./XXX_NEW_PRIVATE_KEY -p ./keys/github-actions.pub` - - Leave the password blank + - `minisign -G -W -s ./XXX_NEW_PRIVATE_KEY -p ./keys/github-actions.pub` 1. Get the private key: - - `cat ./XXX_NEW_PRIVATE_KEY` + - `cat ./XXX_NEW_PRIVATE_KEY | base64` - Copy the result as the value of `MINISIGN_PRIVATE_KEY` at 1. Securely delete the private key: - - `shred -vz XXX_NEW_PRIVATE_KEY` + - `shred -uvz XXX_NEW_PRIVATE_KEY` 1. Check in the changes to `./keys/github-actions.pub` 1. Push to a branch whose name starts with "release/" to trigger the Build Release workflows, and make sure they succeed. diff --git a/keys/github-actions.pub b/keys/github-actions.pub index 3d0ab2f8e..d317b57fe 100644 --- a/keys/github-actions.pub +++ b/keys/github-actions.pub @@ -1,2 +1,2 @@ -untrusted comment: minisign public key 193A5479E5DAC8ED -RWTtyNrleVQ6GQ8+wXDd8nr5i37IiU1dozzDpR0F+CYqkZDwh/BxXu9u +untrusted comment: minisign public key AD7B120324D7931C +RWQck9ckAxJ7rR33f9wfM1h4lDzf9etWvDW7jBZUNUhIJ/PPoSN2K1Q9
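Review bot: In the `Sign artifacts` hunk of `action.yml`, `rm -v private.key` is only reached if every `minisign -S` call succeeds; with GitHub's default `bash -eo pipefail` for `shell: bash`, one failing signature aborts the step and leaves the decoded, now unencrypted, private key on the runner's disk for the rest of the job. Register the cleanup before the key is written, e.g. `trap 'rm -f private.key' EXIT`, so removal happens on both paths. The `chmod 400 private.key` line also runs after the file has already been created under the default umask; `(umask 077; echo "$MINISIGN_PRIVATE_KEY" | base64 --decode > private.key)` avoids the brief world-readable window without needing a separate chmod.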
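Review bot: The `Signatures.md` hunk adds `-W` to the `minisign -G` step, which only exists in recent minisign releases and means the secret key is stored unencrypted; the documentation should state the minimum minisign version and make explicit that from this point the `MINISIGN_PRIVATE_KEY` repository secret is the only protection for the key, which is also why the old "Leave the password blank" bullet was dropped. Two smaller points in the same hunk: the unchanged context line "Copy the result as the value of `MINISIGN_PRIVATE_KEY` at" is cut off and never says where the secret is set, and `shred -uvz` now unlinks the file (good) but should carry a note that shred gives no guarantee on journaling or copy-on-write filesystems, so generating the key on a tmpfs or encrypted volume is the safer recommendation.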
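Review bot: The `keys/github-actions.pub` hunk rotates the release-signing public key from ID `193A5479E5DAC8ED` to `AD7B120324D7931C`, but minisign has no revocation mechanism, so any consumer that has pinned the old key will keep trusting signatures made with it; the PR description and the release notes should announce the rotation and the new key ID out of band, and the reviewer should confirm that the key ID in the `untrusted comment` line matches the key printed by the `minisign -G` run that produced the secret, since the two lines are pasted independently.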