Add gpg code signing to nightly workflow #20

Merged
merged 2 commits into from
Jan 3, 2021


@lopopolo lopopolo commented Jan 3, 2021

Add GPG code signing to nightly workflow

Sign release tarballs and zipballs with the following GPG key:

User ID: Code signing for Artichoke Ruby <codesign@artichokeruby.org>
Signing Key ID: AF57A37CAC061452
Signing Key Fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452
Public Key: https://github.com/artichoke-ci.gpg, #20

This GPG key is attached to the @artichoke-ci GitHub user. @artichoke-ci
is a member of the @artichoke organization:

https://github.com/orgs/artichoke/people

This GPG key is attached to @artichoke-ci on GitHub and can be retrieved
from:

https://github.com/artichoke-ci.gpg

@lopopolo lopopolo added A-build Area: CI build infrastructure. A-release Area: Nightly releases and version bumps. A-security Area: Security vulnerabilities and unsoundness issues. A-project Area: Infrastructure for running an open source project. labels Jan 3, 2021

lopopolo commented Jan 4, 2021

nightly-2021-01-04 has completed: https://github.com/artichoke/nightly/releases/tag/nightly-2021-01-04

Uploading the artifacts it produced in this issue so they don't get purged by the keep-last-n-releases action.

The sigs verify correctly.

```
$ ls -1 | xargs openssl sha256
SHA256(artichoke-nightly-aarch64-apple-darwin.tar.gz)= f21f936b43ce7ba69dd4d494b3a93db22dfbe63cdd40a65ce871c97216b6c52f
SHA256(artichoke-nightly-aarch64-apple-darwin.tar.gz.asc)= 1d52e53d7c3a0dc74b190c1106f698271a3afcdbdef060c2ac8e69373697a4f7
SHA256(artichoke-nightly-x86_64-apple-darwin.tar.gz)= 341a4bcf3e27bfb60c4107209758f44f430b41162db859fb8dbf2b0c0ae42aa9
SHA256(artichoke-nightly-x86_64-apple-darwin.tar.gz.asc)= 7196bd6db543ae8a19eb60f669a43a47472381e150d673de7d21feaa08fb7dd4
SHA256(artichoke-nightly-x86_64-pc-windows-msvc.zip)= b8b08b9cb87b5537139c46ca55db7089b3405766f9857fbd321e2482ce233bd3
SHA256(artichoke-nightly-x86_64-pc-windows-msvc.zip.asc)= 2086e0528af74d0b9bf31f80911efc3f4f5aa5cf5ab0991eac9338d3664eb16f
SHA256(artichoke-nightly-x86_64-unknown-linux-gnu.tar.gz)= cfc10c31ba9d264b57584863281bbe7757e4fad92ca4f448cb402ff6f4e296f3
SHA256(artichoke-nightly-x86_64-unknown-linux-gnu.tar.gz.asc)= 7f68e038883c49a1882e7ed9c179d58b4d3590fbc50230993b4f2a4cbc0c24d3
SHA256(artichoke-nightly-x86_64-unknown-linux-musl.tar.gz)= 68fcc57479ab58903d7f268a104ac4f42df36a2f6cb5f19d8b3af574e6b5fea6
SHA256(artichoke-nightly-x86_64-unknown-linux-musl.tar.gz.asc)= 386ea937db601b44d4d7ea3f6f8da53f46230f230538bdc31b09110211f45f7a
$ (set -x; for sig in ./*.asc; do gpg --verify "$sig" "${sig%.asc}"; done)
+ for sig in ./*.asc
+ gpg --verify ./artichoke-nightly-aarch64-apple-darwin.tar.gz.asc ./artichoke-nightly-aarch64-apple-darwin.tar.gz
gpg: Signature made Sun Jan  3 16:57:00 2021 PST
gpg:                using EDDSA key 1C4A856ACF86EC1EE841180FAF57A37CAC061452
gpg: Good signature from "Code signing for Artichoke Ruby <codesign@artichokeruby.org>" [ultimate]
+ for sig in ./*.asc
+ gpg --verify ./artichoke-nightly-x86_64-apple-darwin.tar.gz.asc ./artichoke-nightly-x86_64-apple-darwin.tar.gz
gpg: Signature made Sun Jan  3 16:27:06 2021 PST
gpg:                using EDDSA key 1C4A856ACF86EC1EE841180FAF57A37CAC061452
gpg: Good signature from "Code signing for Artichoke Ruby <codesign@artichokeruby.org>" [ultimate]
+ for sig in ./*.asc
+ gpg --verify ./artichoke-nightly-x86_64-pc-windows-msvc.zip.asc ./artichoke-nightly-x86_64-pc-windows-msvc.zip
gpg: Signature made Sun Jan  3 16:27:46 2021 PST
gpg:                using EDDSA key 1C4A856ACF86EC1EE841180FAF57A37CAC061452
gpg: Good signature from "Code signing for Artichoke Ruby <codesign@artichokeruby.org>" [ultimate]
+ for sig in ./*.asc
+ gpg --verify ./artichoke-nightly-x86_64-unknown-linux-gnu.tar.gz.asc ./artichoke-nightly-x86_64-unknown-linux-gnu.tar.gz
gpg: Signature made Sun Jan  3 16:25:30 2021 PST
gpg:                using EDDSA key 1C4A856ACF86EC1EE841180FAF57A37CAC061452
gpg: Good signature from "Code signing for Artichoke Ruby <codesign@artichokeruby.org>" [ultimate]
+ for sig in ./*.asc
+ gpg --verify ./artichoke-nightly-x86_64-unknown-linux-musl.tar.gz.asc ./artichoke-nightly-x86_64-unknown-linux-musl.tar.gz
gpg: Signature made Sun Jan  3 16:25:53 2021 PST
gpg:                using EDDSA key 1C4A856ACF86EC1EE841180FAF57A37CAC061452
gpg: Good signature from "Code signing for Artichoke Ruby <codesign@artichokeruby.org>" [ultimate]
```

Artifacts

artichoke-nightly-aarch64-apple-darwin.tar.gz

artichoke-nightly-x86_64-apple-darwin.tar.gz

artichoke-nightly-x86_64-pc-windows-msvc.zip

artichoke-nightly-x86_64-unknown-linux-gnu.tar.gz

artichoke-nightly-x86_64-unknown-linux-musl.tar.gz


lopopolo commented Jan 4, 2021

This message was tweeted from @artichokeruby:

https://twitter.com/artichokeruby/status/1345911198340923393
https://twitter.com/artichokeruby/status/1345911819253104641

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Artichoke Ruby nightlies are signed with:

GPG key ID: AF57A37CAC061452
fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452

See artichoke/nightly@84e687e866edb52a43a4f462accf3020fe8797f1.
-----BEGIN PGP SIGNATURE-----
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=avZK
-----END PGP SIGNATURE-----

@lopopolo lopopolo added the A-codesigning Area: Code signing, GPG signatures. label Jul 14, 2021
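
For consumers of the nightlies, an added example (not code from this pull request or from artichoke/nightly) that verifies a detached signature and also pins the signer: `gpg --verify` accepts a valid signature from any key in the local keyring, so the script parses GnuPG's machine-readable status lines and compares the signing fingerprint with the one published in the description above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a detached signature AND pin the signer.
# Not part of artichoke/nightly; function names are hypothetical.

# Signing key fingerprint as published in the pull request description.
PINNED_FPR="1C4A856ACF86EC1EE841180FAF57A37CAC061452"

# Constructed sample of the status lines gpg emits for a good signature.
SAMPLE_STATUS='[GNUPG:] GOODSIG AF57A37CAC061452 Code signing for Artichoke Ruby <codesign@artichokeruby.org>
[GNUPG:] VALIDSIG 1C4A856ACF86EC1EE841180FAF57A37CAC061452 2021-01-04 1609721820 0 4 0 22 8 00 1C4A856ACF86EC1EE841180FAF57A37CAC061452'

# Read `gpg --status-fd` lines on stdin. Print the signer fingerprint and
# return 0 only for exactly one valid signature with no expired, revoked,
# bad, or unverifiable signature reported alongside it.
signer_fpr() {
  awk '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" { fpr = $3; valid++ }
    $2 ~ /^(EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG)$/ { bad++ }
    END { if (valid == 1 && bad == 0) print fpr; else exit 1 }
  '
}

# Return 0 only if the status stream on stdin names the pinned key.
status_matches_pin() {
  fpr=$(signer_fpr) || return 1
  [ "$fpr" = "$PINNED_FPR" ]
}

# verify_artifact FILE: check FILE against FILE.asc using the caller's keyring.
# The human-readable "Good signature" text goes to stderr and is not parsed.
verify_artifact() {
  gpg --batch --status-fd 1 --verify "$1.asc" "$1" | status_matches_pin
}
```

After importing the public key from https://github.com/artichoke-ci.gpg, `verify_artifact artichoke-nightly-x86_64-unknown-linux-gnu.tar.gz` returns 0 only when the signature is valid and was made by the pinned key.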