Sign releases with pgp

Closes: #131

.github/workflows/cd.yml

@@ -15,7 +15,6 @@ jobs:
         os:
           - macos-latest
           - ubuntu-latest
-          # - windows-latest
         rust: [stable]
         include:
           - os: macos-latest
@@ -26,10 +25,6 @@ jobs:
             artifact_prefix: linux
             target: x86_64-unknown-linux-gnu
             binary_postfix: ""
-          # - os: windows-latest
-          #   artifact_prefix: windows
-          #   target: x86_64-pc-windows-msvc
-          #   binary_postfix: ".exe"
 
     steps:
       - name: Installing Rust toolchain
@@ -54,6 +49,11 @@ jobs:
           toolchain: ${{ matrix.rust }}
           args: --locked --release --target ${{ matrix.target }}
 
+      - name: Install gpg secret key
+        run: |
+          cat <(echo -e "${{ secrets.GPG_SECRET }}") | gpg --batch --import
+          gpg --list-secret-keys --keyid-format LONG
+
       - name: Packaging final binary
         shell: bash
         run: |
@@ -62,20 +62,44 @@ jobs:
           strip $BINARY_NAME
           RELEASE_NAME=xplr-${{ matrix.artifact_prefix }}
           tar czvf $RELEASE_NAME.tar.gz $BINARY_NAME
-          if [[ ${{ runner.os }} == 'Windows' ]]; then
-            certutil -hashfile $RELEASE_NAME.tar.gz sha256 | grep -E [A-Fa-f0-9]{64} > $RELEASE_NAME.sha256
-          else
-            shasum -a 256 $RELEASE_NAME.tar.gz > $RELEASE_NAME.sha256
-          fi
+          shasum -a 256 $RELEASE_NAME.tar.gz > $RELEASE_NAME.sha256
+          cat <(echo "${{ secrets.GPG_PASS }}") | gpg --pinentry-mode loopback --passphrase-fd 0 --detach-sign --armor $RELEASE_NAME.tar.gz
+
       - name: Releasing assets
         uses: softprops/action-gh-release@v1
         with:
           files: |
             target/${{ matrix.target }}/release/xplr-${{ matrix.artifact_prefix }}.tar.gz
             target/${{ matrix.target }}/release/xplr-${{ matrix.artifact_prefix }}.sha256
+            target/${{ matrix.target }}/release/xplr-${{ matrix.artifact_prefix }}.tar.gz.asc
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  publish-gpg-signature:
+    name: Publishing GPG signature
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Install gpg secret key
+        run: |
+          cat <(echo -e "${{ secrets.GPG_SECRET }}") | gpg --batch --import
+          gpg --list-secret-keys --keyid-format LONG
+
+      - name: Signing archive with GPG
+        run: |
+          TAG=${GITHUB_REF##*/}
+          git archive -o xplr-${TAG:?}.tar.gz --format tar.gz --prefix "xplr-${TAG:?}/" "v${TAG}"
+          cat <(echo "${{ secrets.GPG_PASS }}") | gpg --detach-sign --armor "xplr-${TAG:?}.tar.gz"
+
+      - name: Releasing GPG signature
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            xplr-${GITHUB_REF##*/}.tar.gz.asc
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+
   publish-cargo:
     name: Publishing to Cargo
     runs-on: ubuntu-latest

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "xplr"
-version = "0.13.1"  # Update lua.rs
+version = "0.13.2"  # Update lua.rs
 authors = ["Arijit Basu <sayanarijit@gmail.com>"]
 edition = "2018"
 description = "A hackable, minimal, fast TUI file explorer"

src/lua.rs

@@ -133,10 +133,11 @@ mod test {
         assert!(check_version(VERSION, "foo path").is_ok());
         assert!(check_version("0.13.0", "foo path").is_ok());
         assert!(check_version("0.13.1", "foo path").is_ok());
+        assert!(check_version("0.13.2", "foo path").is_ok());
 
-        assert!(check_version("0.13.2", "foo path").is_err());
-        assert!(check_version("0.14.1", "foo path").is_err());
-        assert!(check_version("0.11.1", "foo path").is_err());
-        assert!(check_version("1.13.1", "foo path").is_err());
+        assert!(check_version("0.13.3", "foo path").is_err());
+        assert!(check_version("0.14.2", "foo path").is_err());
+        assert!(check_version("0.11.2", "foo path").is_err());
+        assert!(check_version("1.13.2", "foo path").is_err());
     }
 }