From 300e468b6181ce703b2f3e3f36d04583c06b0752 Mon Sep 17 00:00:00 2001 From: STAM Date: Thu, 19 Dec 2024 18:53:32 +0300 Subject: [PATCH] added full signing example of gpg signing moved away from this pr: https://github.com/rehlds/ReHLDS/actions/runs/12416117825/job/34664003176?pr=1069 --- .github/workflows/gpg-signing.yml.example | 185 ++++++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 .github/workflows/gpg-signing.yml.example diff --git a/.github/workflows/gpg-signing.yml.example b/.github/workflows/gpg-signing.yml.example new file mode 100644 index 0000000..a0c8207 --- /dev/null +++ b/.github/workflows/gpg-signing.yml.example @@ -0,0 +1,185 @@ +# linux: +# name: 'Linux' +# runs-on: ubuntu-24.04 +# +# steps: +# - name: Checkout +# uses: actions/checkout@v4 +# with: +# fetch-depth: 0 +# +# - name: Install dependencies +# run: | +# dpkg --add-architecture i386 +# apt-get update +# apt-get install -y \ +# gcc-multilib g++-multilib \ +# build-essential \ +# libc6-dev libc6-dev-i386 \ +# git cmake rsync \ +# g++ gcc +# +# +# - name: GPG Import +# run: | +# echo "${{ secrets.REHLDS_PUB_ASC }}" > "${{ secrets.REHLDS_PUB_ASC_FILE }}" +# echo "${{ secrets.REHLDS_KEY_ASC }}" > "${{ secrets.REHLDS_KEY_ASC_FILE }}" +# +# # Import the public key +# gpg --batch --yes --import "${{ secrets.REHLDS_PUB_ASC_FILE }}" +# if [[ $? -ne 0 ]]; then +# echo "Error: Failed to import the public key" +# exit 1 +# fi +# +# # Import the private key +# gpg --batch --yes --import "${{ secrets.REHLDS_KEY_ASC_FILE }}" +# if [[ $? -ne 0 ]]; then +# echo "Error: Failed to import the private key" +# exit 2 +# fi +# +# # Extract the fingerprint of the imported public key +# REHLDS_LINUX_FINGERPRINT=$(gpg --list-keys --with-colons | grep '^fpr' | head -n 1 | cut -d: -f10) +# +# # Check if the fingerprint was extracted +# if [[ -z "$REHLDS_LINUX_FINGERPRINT" ]]; then +# echo "Error: Failed to extract the fingerprint of the key" +# exit 3 +# fi +# +# # Set the trust level for the key +# echo "$REHLDS_LINUX_FINGERPRINT:6:" | gpg --batch --import-ownertrust +# if [ $? -ne 0 ]; then +# echo "Error: Failed to set trust for the key $REHLDS_LINUX_FINGERPRINT" +# exit 4 +# fi +# +# echo "Key $REHLDS_LINUX_FINGERPRINT successfully imported and trusted" +# gpg --list-keys +# +# #export for global use +# echo "REHLDS_LINUX_FINGERPRINT=$REHLDS_LINUX_FINGERPRINT" >> $GITHUB_ENV +# shell: bash +# +# - name: Find and Sign Files +# run: | +# +# # Define directory containing files +# TARGET_DIR="publish/bin" +# +# # Find and sign each file +# find "$TARGET_DIR" -type f -name "*" | while read -r FILE; do +# echo "Signing $FILE..." +# gpg --batch --yes --detach-sign --armor -u "$REHLDS_LINUX_FINGERPRINT" "$FILE" +# if [ $? -ne 0 ]; then +# echo "Error: Failed to sign $FILE" +# exit 4 +# fi +# echo "$FILE signed successfully." +# done +# shell: bash +# +# - name: Verify Signatures +# run: | +# +# # Verify the generated signatures +# TARGET_DIR="publish/bin" +# find "$TARGET_DIR" -type f -not -name "*.asc" | while read -r FILE; do +# echo "Verifying signature for $FILE..." +# gpg --verify "$FILE.asc" "$FILE" +# if [ $? -ne 0 ]; then +# echo "Error: Signature verification failed for $FILE" +# exit 5 +# fi +# echo "Signature for $FILE is valid." +# done +# shell: bash +# +# publish: +# name: 'Publish' +# runs-on: ubuntu-24.04 +# needs: [windows, testdemos, linux] +# +# steps: +# - name: Deploying linux artifacts +# uses: actions/download-artifact@v4 +# with: +# name: linux32 +# +# - name: Deploying windows artifacts +# uses: actions/download-artifact@v4 +# with: +# name: win32 +# +# - name: Reading appversion.h +# run: | +# if [ -e appversion.h ]; then +# APP_VERSION=$(cat appversion.h | grep -wi '#define APP_VERSION_STRD' | sed -e 's/#define APP_VERSION_STRD[ \t\r\n\v\f]\+\(.*\)/\1/i' -e 's/\r//g') +# if [ $? -ne 0 ]; then +# APP_VERSION="" +# else +# # Remove quotes +# APP_VERSION=$(echo $APP_VERSION | xargs) +# echo "APP_VERSION=${APP_VERSION}" >> $GITHUB_ENV +# fi +# fi +# rm -f appversion.h +# +# - name: Final signing and Packaging bin/dbg +# id: packaging-job +# if: | +# github.event_name == 'release' && +# github.event.action == 'published' && +# startsWith(github.ref, 'refs/tags/') +# run: | +# +# # new runner, niw signs +# echo "${{ secrets.REHLDS_PUB_ASC }}" > "${{ secrets.REHLDS_PUB_ASC_FILE }}" +# echo "${{ secrets.REHLDS_KEY_ASC }}" > "${{ secrets.REHLDS_KEY_ASC_FILE }}" +# gpg --batch --yes --import "${{ secrets.REHLDS_PUB_ASC_FILE }}" +# gpg --batch --yes --import "${{ secrets.REHLDS_KEY_ASC_FILE }}" +# REHLDS_LINUX_FINGERPRINT=$(gpg --list-keys --with-colons | grep '^fpr' | head -n 1 | cut -d: -f10) +# echo "$REHLDS_LINUX_FINGERPRINT:6:" | gpg --batch --import-ownertrust +# echo "REHLDS_LINUX_FINGERPRINT=$REHLDS_LINUX_FINGERPRINT" >> $GITHUB_ENV +# +# sign_file() { +# local file=$1 +# gpg --batch --yes --detach-sign --armor -u "$REHLDS_LINUX_FINGERPRINT" "$file" +# if [ $? -ne 0 ]; then +# echo "Error: Failed to sign $file" +# exit 2 +# fi +# echo "$file signed successfully." +# } +# +# # Pack and sign final archive +# 7z a -tzip rehlds-bin-${{ env.APP_VERSION }}.zip bin/ hlsdk/ +# sign_file "rehlds-bin-${{ env.APP_VERSION }}.zip" +# +# # Pack and sign final archive +# 7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -aoa rehlds-dbg-${{ env.APP_VERSION }}.7z debug/ +# sign_file "rehlds-dbg-${{ env.APP_VERSION }}.7z" +# +# # Find and sign each win32 files, linux files already signed +# find ./bin/win32 -type f -name "*" | while read -r FILE; do +# echo "Signing $FILE..." +# gpg --batch --yes --detach-sign --armor -u "$REHLDS_LINUX_FINGERPRINT" "$FILE" +# if [ $? -ne 0 ]; then +# echo "Error: Failed to sign $FILE" +# exit 1 +# fi +# echo "$FILE signed successfully." +# done +# # Find and sign each PDB files +# find ./debug -type f -name "*" | while read -r FILE; do +# echo "Signing $FILE..." +# gpg --batch --yes --detach-sign --armor -u "$REHLDS_LINUX_FINGERPRINT" "$FILE" +# if [ $? -ne 0 ]; then +# echo "Error: Failed to sign $FILE" +# exit 3 +# fi +# echo "$FILE signed successfully." +# done +# +# shell: bash \ No newline at end of file