sign rpm package #255

Closed
laoshanxi opened this issue Jan 29, 2024 · 0 comments
Comments

@laoshanxi
Owner

To generate a GPG key in a GitHub Actions workflow and then use it to sign an RPM package, you can create a workflow with the following steps. This example workflow uses a passphrase for the GPG key, and it signs an RPM package with the generated key.

  1. Create a GPG key:

    name: Generate GPG Key and Sign RPM
    
    on:
      workflow_run:
        workflows: ["Generate GPG Key"]
        types:
          - completed
    
    jobs:
      sign-rpm:
        runs-on: ubuntu-latest
        env:
          # Map the repository secrets explicitly; they are not written to $GITHUB_ENV or echoed to the log
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
    
        steps:
          - name: Checkout code
            uses: actions/checkout@v2
    
          - name: Set up GPG key
            run: |
              # Import the armored private key from the secret (it stays protected by its passphrase)
              echo "$GPG_PRIVATE_KEY" | gpg --batch --import
              # Derive the long key ID of the imported secret key for the signing step
              echo "GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep -oP '^sec\s+\S+/\K\S+')" >> "$GITHUB_ENV"
    
          - name: Install dependencies
            run: |
              sudo apt-get update
              sudo apt-get install -y rpm
    
          - name: Sign RPM package
            run: |
              # Non-interactive signing: loopback pinentry reads the passphrase from stdin (fd 0).
              # This writes a detached, armored signature your-package.rpm.asc next to the package.
              echo "$GPG_PASSPHRASE" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
                --detach-sign --armor -u "$GPG_KEY_ID" your-package.rpm
  2. Generate a GPG key in a separate workflow:

    Create another workflow file (e.g., .github/workflows/generate-gpg-key.yml) to generate the GPG key:

    name: Generate GPG Key
    
    on:
      push
    
    jobs:
      generate-gpg-key:
        runs-on: ubuntu-latest
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
    
        steps:
          - name: Set up GPG key generation
            run: |
              # Batch key generation; the key is protected by the passphrase from the repository secret
              echo "$GPG_PASSPHRASE" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
                --quick-generate-key "Your Name <your.email@example.com>" rsa4096
    
          - name: Export GPG key
            id: export
            run: |
              # ::set-output is deprecated; write multi-line and single-line outputs to $GITHUB_OUTPUT
              {
                echo "GPG_PRIVATE_KEY<<EOF"
                echo "$GPG_PASSPHRASE" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --armor --export-secret-keys
                echo "EOF"
              } >> "$GITHUB_OUTPUT"
              echo "GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep -oP '^sec\s+\S+/\K\S+')" >> "$GITHUB_OUTPUT"

    In this example, the GPG key is generated using the gpg --quick-generate-key command. You can customize the parameters as needed.

  3. Set the GPG_PASSPHRASE and GPG_PRIVATE_KEY secrets in your GitHub repository settings.

    Go to your repository on GitHub > Settings > Secrets > New repository secret, and add GPG_PASSPHRASE and GPG_PRIVATE_KEY with their respective values.

Now, when you push changes to your repository, the "Generate GPG Key" workflow will run first to generate the GPG key. After that, the "Generate GPG Key and Sign RPM" workflow will run to sign the RPM package with the generated GPG key.

Adjust the workflow files and settings according to your specific requirements.
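As an added example (not part of the issue above), a verification step that can follow the signing step in the "Generate GPG Key and Sign RPM" workflow: it verifies the detached signature and fails the job unless the signer's fingerprint ends in the expected long key ID. It assumes the signing step produced your-package.rpm.asc and that GPG_KEY_ID is set in the job environment as in that workflow.

```yaml
          - name: Verify RPM signature
            run: |
              # Constructed example step, not from the original issue.
              # Checks that your-package.rpm.asc was made by the key whose long ID is $GPG_KEY_ID.
              set -euo pipefail
              # --status-fd emits machine-readable lines; VALIDSIG carries the signer's full fingerprint
              gpg --batch --status-fd 1 --verify your-package.rpm.asc your-package.rpm > verify.log
              # The last 16 hex digits of the fingerprint are the long key ID, followed by a space
              if ! grep -q "^\[GNUPG:\] VALIDSIG [0-9A-F]*${GPG_KEY_ID} " verify.log; then
                echo "Signature missing or made by an unexpected key" >&2
                exit 1
              fi
```

Pinning the expected key ID rather than accepting any valid signature is what catches a signature made with a stray key on the runner.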
