From f4b73bdc5d2d08b4bac286bd604bd03ce9f6d05a Mon Sep 17 00:00:00 2001
From: Alex Lovell-Troy
Date: Tue, 31 Mar 2026 15:10:22 -0400
Subject: [PATCH 1/8] refactor: streamline ephemeral GPG key generation and signing process

Signed-off-by: Alex Lovell-Troy
---
 .github/workflows/build-rpm.yaml | 95 ++++++++++++++++----------------
 1 file changed, 46 insertions(+), 49 deletions(-)

diff --git a/.github/workflows/build-rpm.yaml b/.github/workflows/build-rpm.yaml
index 08276dc..499f51b 100644
--- a/.github/workflows/build-rpm.yaml
+++ b/.github/workflows/build-rpm.yaml
@@ -23,6 +23,10 @@ jobs:
       image: fedora:latest
     env:
       RELEASE_TAG: ${{ github.event.inputs.release_tag }}
+      EPHEMERAL_KEY_NAME: OpenCHAMI RPM Build
+      EPHEMERAL_KEY_COMMENT: GitHub Actions ephemeral signing key
+      EPHEMERAL_KEY_EMAIL: ci+${{ github.run_id }}@build.local
+      EPHEMERAL_KEY_EXPIRE: 1d
 
     steps:
       - name: Install dependencies
@@ -34,18 +38,22 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Import GPG key
-        run: |
-          echo "$GPG_PRIVATE_KEY" | base64 --decode | gpg --import --batch --yes
-        env:
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-
+      - name: Generate and sign ephemeral key
+        id: ephemeral_key
+        uses: OpenCHAMI/gpg-signing-manager/actions/gpg-ephemeral-key@main
+        with:
+          subkey-armored: ${{ secrets.GPG_SUBKEY_B64 }}
+          name: ${{ env.EPHEMERAL_KEY_NAME }}
+          comment: ${{ env.EPHEMERAL_KEY_COMMENT }}
+          email: ${{ env.EPHEMERAL_KEY_EMAIL }}
+          expire: ${{ env.EPHEMERAL_KEY_EXPIRE }}
+
       - name: Show signing subkey expiration
         shell: bash
         run: |
           gpg --list-secret-keys --with-colons \
           | awk -F: '
-            $1=="ssb" && $12 ~ /s/ {
+            ($1=="ssb" || $1=="sec") && $5 == "${{ steps.ephemeral_key.outputs.repo-signing-keyid }}" {
               keyid = $5
               expires = $7
               if (expires == "" || expires == "0") {
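Review bot: The "Show signing subkey expiration" step now splices `${{ steps.ephemeral_key.outputs.repo-signing-keyid }}` directly into the awk program inside `run:`, so whatever the external action returns is interpreted as script source rather than data; a stray quote or brace breaks the step, and a hostile output could execute commands in the job. Route it through the step's `env:` (`SIGNING_KEYID: ${{ steps.ephemeral_key.outputs.repo-signing-keyid }}`) and compare with `awk -F: -v keyid="$SIGNING_KEYID" '... $5 == keyid { ...'`. The same hunk hands `secrets.GPG_SUBKEY_B64` to `OpenCHAMI/gpg-signing-manager/actions/gpg-ephemeral-key@main`; a mutable branch ref means anyone who can push to that repository's main branch can read the subkey from this job, so pin the action to a full commit SHA and track updates with Dependabot. The awk program continues past the end of the hunk.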
@@ -70,8 +78,14 @@ jobs:
             VERSION=0.0.0
           fi
           echo "VERSION=${VERSION}" >> $GITHUB_ENV
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "Version is ${VERSION}"
 
+      - name: Export ephemeral public key
+        shell: bash
+        run: |
+          printf '%s' '${{ steps.ephemeral_key.outputs.ephemeral-public-key }}' | base64 --decode > public_gpg_key.asc
+
       - name: Setup RPM build environment
         run: |
           rpmdev-setuptree
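Review bot: `printf '%s' '${{ steps.ephemeral_key.outputs.ephemeral-public-key }}'` expands an action output inside a single-quoted shell word, so a `'` anywhere in that output ends the quote and the remainder of the value runs as shell. Supply it through the step's `env:` instead (`EPHEMERAL_PUBKEY_B64: ${{ steps.ephemeral_key.outputs.ephemeral-public-key }}`) and decode with `printf '%s' "$EPHEMERAL_PUBKEY_B64" | base64 --decode > public_gpg_key.asc`. Since this file is later published as the release's verification key, a comment stating that intent would help the next reader: `# public half of the ephemeral key; uploaded with the release so users can verify the RPM signature`.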
@@ -80,109 +94,92 @@ jobs:
       - name: Create source tarball
         run: |
-          mkdir -p ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}
-          cp -r ./* ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}/
-          tar -czf ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}.tar.gz \
-            -C ~/rpmbuild/SOURCES openchami-${{ env.VERSION }} \
-            --transform "s|openchami-${{ env.VERSION }}-${{ env.COMMIT_SHA }}|openchami-${{ env.VERSION }}|"
+          mkdir -p ~/rpmbuild/SOURCES/openchami-${VERSION}
+          cp -r ./* ~/rpmbuild/SOURCES/openchami-${VERSION}/
+          tar -czf ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz \
+            -C ~/rpmbuild/SOURCES openchami-${VERSION}
 
       - name: Sign source tarball
         run: |
-          echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback \
+          gpg --batch --yes \
             --armor --detach-sign \
-            --local-user admin@openchami.org \
-            --output ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}.tar.gz.asc \
-            ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}.tar.gz
-        env:
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+            --local-user '${{ steps.ephemeral_key.outputs.ephemeral-fingerprint }}' \
+            --output ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz.asc \
+            ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz
 
       - name: Build RPM package
         run: |
           rpmbuild -ba ~/rpmbuild/SPECS/*.spec \
-            --define "version ${{ env.VERSION }}" \
+            --define "version $VERSION" \
             --define "rel 1"
 
       - name: Sign RPM packages
         run: |
           for rpm in $(find ~/rpmbuild/RPMS/ -type f -name "*.rpm"); do
-            echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback \
+            gpg --batch --yes \
+              --local-user '${{ steps.ephemeral_key.outputs.ephemeral-fingerprint }}' \
               --detach-sign --armor "$rpm"
-            rpm --define "_gpg_name admin@openchami.org" --addsign "$rpm"
+            rpm --define "_gpg_name ${{ steps.ephemeral_key.outputs.ephemeral-fingerprint }}" --addsign "$rpm"
           done
-        env:
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
       - name: Find RPM file
-        if: env.VERSION != '0.0.0'
+        if: steps.get_version.outputs.version != '0.0.0'
         id: find_rpm
         run: |
           rpm_file=$(ls ~/rpmbuild/RPMS/noarch/*.rpm)
           echo "rpm_file=${rpm_file}" >> $GITHUB_ENV
-          echo "::set-output name=path::${rpm_file}"
+          echo "path=${rpm_file}" >> "$GITHUB_OUTPUT"
 
       - name: Compute RPM Checksum
-        if: env.VERSION != '0.0.0'
+        if: steps.get_version.outputs.version != '0.0.0'
         id: compute_checksum
         run: |
           rpm_file=$(ls ~/rpmbuild/RPMS/noarch/*.rpm)
           checksum=$(sha256sum "$rpm_file" | awk '{print $1}')
           echo "checksum=${checksum}" >> $GITHUB_ENV
-          echo "::set-output name=checksum::${checksum}"
-
-      - name: Export Public GPG Key
-        if: env.VERSION != '0.0.0'
-        run: |
-          gpg --armor --export admin@openchami.org > public_gpg_key.asc
-
-      - name: Get Public GPG Key Content
-        if: env.VERSION != '0.0.0'
-        id: get_pubkey
-        run: |
-          key=$(cat public_gpg_key.asc)
-          escaped_key=$(echo "$key" | sed ':a;N;$!ba;s/\n/\\n/g')
-          echo "::set-output name=pubkey::${escaped_key}"
+          echo "checksum=${checksum}" >> "$GITHUB_OUTPUT"
 
       - name: Genereate release notes
-        if: env.VERSION != '0.0.0'
+        if: steps.get_version.outputs.version != '0.0.0'
         id: gen_rel_notes
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           {
-            echo '# OpenCHAMI v${{ env.VERSION }}'
+            echo '# OpenCHAMI v${{ steps.get_version.outputs.version }}'
             echo ''
             echo '**RPM SHA256 Checksum:**'
             echo '`${{ steps.compute_checksum.outputs.checksum }}`'
             echo ''
-            gh api "repos/${GITHUB_REPOSITORY}/releases/generate-notes" -F tag_name='v${{ env.VERSION }}' --jq .body
+            gh api "repos/${GITHUB_REPOSITORY}/releases/generate-notes" -F tag_name='v${{ steps.get_version.outputs.version }}' --jq .body
           } > CHANGELOG.md
 
       - name: Create GitHub Release
-        if: env.VERSION != '0.0.0'
+        if: steps.get_version.outputs.version != '0.0.0'
         id: create_release
         uses: actions/create-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: v${{ env.VERSION }}
-          release_name: v${{ env.VERSION }}
+          tag_name: v${{ steps.get_version.outputs.version }}
+          release_name: v${{ steps.get_version.outputs.version }}
           draft: false
         prerelease: false
         body_path: CHANGELOG.md
 
       - name: Upload RPM to GitHub Release
-        if: env.VERSION != '0.0.0'
+        if: steps.get_version.outputs.version != '0.0.0'
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ${{ steps.find_rpm.outputs.path }}
-          asset_name: openchami-${{ env.VERSION }}.rpm
+          asset_name: openchami-${{ steps.get_version.outputs.version }}.rpm
           asset_content_type: application/x-rpm
 
       - name: Upload Public GPG Key to GitHub Release
-        if: env.VERSION != '0.0.0'
+        if: steps.get_version.outputs.version != '0.0.0'
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From bab51454bd51a0d72f628587fc1d1aa76ef9e5da Mon Sep 17 00:00:00 2001
From: Alex Lovell-Troy
Date: Tue, 31 Mar 2026 16:01:42 -0400
Subject: [PATCH 2/8] refactor: update GPG key handling for RPM signing process

Signed-off-by: Alex Lovell-Troy
---
 .github/workflows/build-rpm.yaml | 51 ++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/build-rpm.yaml b/.github/workflows/build-rpm.yaml
index 499f51b..9ec9038 100644
--- a/.github/workflows/build-rpm.yaml
+++ b/.github/workflows/build-rpm.yaml
@@ -23,10 +23,6 @@ jobs:
       image: fedora:latest
     env:
       RELEASE_TAG: ${{ github.event.inputs.release_tag }}
-      EPHEMERAL_KEY_NAME: OpenCHAMI RPM Build
-      EPHEMERAL_KEY_COMMENT: GitHub Actions ephemeral signing key
-      EPHEMERAL_KEY_EMAIL: ci+${{ github.run_id }}@build.local
-      EPHEMERAL_KEY_EXPIRE: 1d
 
     steps:
       - name: Install dependencies
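Review bot: The "Find RPM file" and "Compute RPM Checksum" steps both use `rpm_file=$(ls ~/rpmbuild/RPMS/noarch/*.rpm)`, which silently assumes the build produced exactly one noarch package; with two, `rpm_file` holds a newline-joined list, `sha256sum "$rpm_file"` fails and `asset_path` points at nothing, so the checksum printed into CHANGELOG.md no longer corresponds to the uploaded asset. Make the assumption explicit and enforced, e.g. `mapfile -t rpms < <(find ~/rpmbuild/RPMS/noarch -name '*.rpm')`, `[ "${#rpms[@]}" -eq 1 ] || { echo "expected exactly one RPM, got ${#rpms[@]}" >&2; exit 1; }`, `rpm_file=${rpms[0]}`. The detached `.asc` files that "Sign RPM packages" and "Sign source tarball" write next to the artifacts are not uploaded by any step visible in this hunk, so a downstream user holding the published public key has no signature to check with it unless a step outside the hunk publishes them; if that is intended, note it with `# gpg detached signatures are build-local; release verification relies on the embedded RPM signature`.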
@@ -38,22 +34,39 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Generate and sign ephemeral key
-        id: ephemeral_key
-        uses: OpenCHAMI/gpg-signing-manager/actions/gpg-ephemeral-key@main
-        with:
-          subkey-armored: ${{ secrets.GPG_SUBKEY_B64 }}
-          name: ${{ env.EPHEMERAL_KEY_NAME }}
-          comment: ${{ env.EPHEMERAL_KEY_COMMENT }}
-          email: ${{ env.EPHEMERAL_KEY_EMAIL }}
-          expire: ${{ env.EPHEMERAL_KEY_EXPIRE }}
+      - name: Import repo signing key
+        run: |
+          printf '%s' '${{ secrets.GPG_SUBKEY_B64 }}' | base64 --decode > repo-signing-subkey.asc
+          gpg --batch --import repo-signing-subkey.asc
+
+      - name: Discover repo signing key
+        id: repo_key
+        shell: bash
+        run: |
+          keyid=$(gpg --list-secret-keys --with-colons | awk -F: '($1=="sec" || $1=="ssb") && index($12, "s") { print $5; exit }')
+          if [ -z "$keyid" ]; then
+            echo 'Could not find imported signing-capable secret key' >&2
+            exit 1
+          fi
+
+          fingerprint=$(gpg --list-secret-keys --with-colons | awk -F: -v keyid="$keyid" '
+            ($1=="sec" || $1=="ssb") && $5==keyid { capture=1; next }
+            capture && $1=="fpr" { print $10; exit }
+          ')
+          if [ -z "$fingerprint" ]; then
+            echo 'Could not determine imported signing key fingerprint' >&2
+            exit 1
+          fi
+
+          echo "keyid=${keyid}" >> "$GITHUB_OUTPUT"
+          echo "fingerprint=${fingerprint}" >> "$GITHUB_OUTPUT"
 
       - name: Show signing subkey expiration
         shell: bash
         run: |
           gpg --list-secret-keys --with-colons \
           | awk -F: '
-            ($1=="ssb" || $1=="sec") && $5 == "${{ steps.ephemeral_key.outputs.repo-signing-keyid }}" {
+            ($1=="ssb" || $1=="sec") && $5 == "${{ steps.repo_key.outputs.keyid }}" {
               keyid = $5
               expires = $7
               if (expires == "" || expires == "0") {
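Review bot: "Import repo signing key" decodes `secrets.GPG_SUBKEY_B64` into `repo-signing-subkey.asc` in the checkout directory and never deletes it, and the workflow's "Create source tarball" step copies `./*` into the source archive fed to rpmbuild, so the private subkey would ride along into that tarball unless something outside this hunk removes the file first. Pipe the secret straight into gpg with no on-disk copy, and pass it via `env:` rather than expanding it inside single quotes (a `'` in the value breaks the quoting and exposes the rest to the shell): `printf '%s' "$GPG_SUBKEY_B64" | base64 --decode | gpg --batch --import`. The discovery step's `exit` after the first signing-capable key is only safe because the runner keyring starts empty; say so with `# fresh CI keyring: the only signing-capable secret key is the one just imported`. The awk program in the last step continues past the end of the hunk.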
@@ -81,10 +94,10 @@ jobs:
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "Version is ${VERSION}"
 
-      - name: Export ephemeral public key
+      - name: Export repo public key
         shell: bash
         run: |
-          printf '%s' '${{ steps.ephemeral_key.outputs.ephemeral-public-key }}' | base64 --decode > public_gpg_key.asc
+          gpg --armor --export '${{ steps.repo_key.outputs.fingerprint }}' > public_gpg_key.asc
 
       - name: Setup RPM build environment
         run: |
@@ -103,7 +116,7 @@ jobs:
         run: |
           gpg --batch --yes \
             --armor --detach-sign \
-            --local-user '${{ steps.ephemeral_key.outputs.ephemeral-fingerprint }}' \
+            --local-user '${{ steps.repo_key.outputs.keyid }}' \
             --output ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz.asc \
             ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz
 
@@ -117,9 +130,9 @@ jobs:
         run: |
           for rpm in $(find ~/rpmbuild/RPMS/ -type f -name "*.rpm"); do
             gpg --batch --yes \
-              --local-user '${{ steps.ephemeral_key.outputs.ephemeral-fingerprint }}' \
+              --local-user '${{ steps.repo_key.outputs.keyid }}' \
               --detach-sign --armor "$rpm"
-            rpm --define "_gpg_name ${{ steps.ephemeral_key.outputs.ephemeral-fingerprint }}" --addsign "$rpm"
+            rpm --define "_gpg_name ${{ steps.repo_key.outputs.keyid }}" --addsign "$rpm"
           done
 
       - name: Find RPM file

From 98d122fc9f88a24dafe885cf4a2750a6c5cf932b Mon Sep 17 00:00:00 2001
From: Alex Lovell-Troy
Date: Tue, 31 Mar 2026 16:06:46 -0400
Subject: [PATCH 3/8] refactor: enhance RPM signing configuration and verification process

Signed-off-by: Alex Lovell-Troy
---
 .github/workflows/build-rpm.yaml | 35 ++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build-rpm.yaml b/.github/workflows/build-rpm.yaml
index 9ec9038..92a6509 100644
--- a/.github/workflows/build-rpm.yaml
+++ b/.github/workflows/build-rpm.yaml
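Review bot: The signing steps switch from selecting the key by fingerprint to `steps.repo_key.outputs.keyid`, the 16-hex long key ID, for both `--local-user` and `_gpg_name`, even though the same step also exports the full fingerprint; the fingerprint is the unambiguous selector (a key ID is a truncation of it) and costs nothing to use, so keep `--local-user '${{ steps.repo_key.outputs.fingerprint }}'` and `--define "_gpg_name ${{ steps.repo_key.outputs.fingerprint }}"`. Both values are still interpolated straight into `run:` scripts; as they are produced by shell in the same workflow the risk is low, but moving them into `env:` and referencing `"$GPG_SIGNING_FINGERPRINT"` would remove the pattern entirely. The `for rpm in $(find ...)` loop word-splits on whitespace in paths; `find ... -print0 | while IFS= read -r -d '' rpm` is the robust form.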
@@ -99,6 +99,21 @@ jobs: run: | gpg --armor --export '${{ steps.repo_key.outputs.fingerprint }}' > public_gpg_key.asc + - name: Configure RPM signing + shell: bash + run: | + cat > ~/.rpmmacros <&2 + exit 1 + fi + - name: Find RPM file if: steps.get_version.outputs.version != '0.0.0' id: find_rpm From 0cabb72c837eb3a23d7fd9b6b1117f794cc04bd2 Mon Sep 17 00:00:00 2001 From: Alex Lovell-Troy Date: Tue, 31 Mar 2026 16:11:32 -0400 Subject: [PATCH 4/8] refactor: improve RPM signing and verification process with enhanced GPG configurations Signed-off-by: Alex Lovell-Troy --- .github/workflows/build-rpm.yaml | 42 ++++++++++++++++++++++++++------ 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-rpm.yaml b/.github/workflows/build-rpm.yaml index 92a6509..4d04869 100644 --- a/.github/workflows/build-rpm.yaml +++ b/.github/workflows/build-rpm.yaml @@ -104,15 +104,20 @@ jobs: run: | cat > ~/.rpmmacros <&2 + exit 1 + fi - name: Verify RPM signatures shell: bash run: | found=0 - for rpm in $(find ~/rpmbuild/RPMS/ -type f -name "*.rpm"); do + while IFS= read -r -d '' rpm_file; do found=1 - rpm --checksig -v "$rpm" - done + output=$(rpm --checksig -v "$rpm_file" 2>&1) + printf '%s\n' "$output" + + if printf '%s\n' "$output" | grep -q 'SIGNATURES NOT OK'; then + echo "RPM signature verification failed for $rpm_file" >&2 + exit 1 + fi + + if ! printf '%s\n' "$output" | grep -Eiq 'Key ID|RSA/SHA|RSA/sha|EdDSA|pgp'; then + echo "RPM appears unsigned: $rpm_file" >&2 + exit 1 + fi + done < <(find ~/rpmbuild/RPMS/ -type f -name "*.rpm" -print0) if [ "$found" -eq 0 ]; then echo 'No RPM packages were produced to verify' >&2 From 2b7507528ddd3feb2ad0c8404f6169578660608a Mon Sep 17 00:00:00 2001 From: Alex Lovell-Troy Date: Tue, 31 Mar 2026 16:44:23 -0400 Subject: [PATCH 5/8] refactor: enhance RPM signing workflow with improved subkey management and documentation 
Signed-off-by: Alex Lovell-Troy
---
 .github/workflows/build-rpm.yaml | 71 +++++++++----------------------
 README.md                        |  7 ++++
 2 files changed, 26 insertions(+), 52 deletions(-)

diff --git a/.github/workflows/build-rpm.yaml b/.github/workflows/build-rpm.yaml
index 4d04869..4c17c19 100644
--- a/.github/workflows/build-rpm.yaml
+++ b/.github/workflows/build-rpm.yaml
@@ -34,39 +34,25 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Import repo signing key
-        run: |
-          printf '%s' '${{ secrets.GPG_SUBKEY_B64 }}' | base64 --decode > repo-signing-subkey.asc
-          gpg --batch --import repo-signing-subkey.asc
+      - name: Check signing subkey expiration
+        uses: OpenCHAMI/gpg-signing-manager/actions/check-subkey-expiration@main
+        with:
+          subkey-armored-b64: ${{ secrets.GPG_SUBKEY_B64 }}
+          warn-days: '30'
 
-      - name: Discover repo signing key
+      - name: Setup RPM signing
         id: repo_key
-        shell: bash
-        run: |
-          keyid=$(gpg --list-secret-keys --with-colons | awk -F: '($1=="sec" || $1=="ssb") && index($12, "s") { print $5; exit }')
-          if [ -z "$keyid" ]; then
-            echo 'Could not find imported signing-capable secret key' >&2
-            exit 1
-          fi
-
-          fingerprint=$(gpg --list-secret-keys --with-colons | awk -F: -v keyid="$keyid" '
-            ($1=="sec" || $1=="ssb") && $5==keyid { capture=1; next }
-            capture && $1=="fpr" { print $10; exit }
-          ')
-          if [ -z "$fingerprint" ]; then
-            echo 'Could not determine imported signing key fingerprint' >&2
-            exit 1
-          fi
-
-          echo "keyid=${keyid}" >> "$GITHUB_OUTPUT"
-          echo "fingerprint=${fingerprint}" >> "$GITHUB_OUTPUT"
+        uses: OpenCHAMI/gpg-signing-manager/actions/setup-rpm-signing@main
+        with:
+          subkey-armored-b64: ${{ secrets.GPG_SUBKEY_B64 }}
+          public-key-output: public_gpg_key.asc
 
       - name: Show signing subkey expiration
         shell: bash
         run: |
           gpg --list-secret-keys --with-colons \
           | awk -F: '
-            ($1=="ssb" || $1=="sec") && $5 == "${{ steps.repo_key.outputs.keyid }}" {
+            ($1=="ssb" || $1=="sec") && $5 == "${{ steps.repo_key.outputs.repo-signing-keyid }}" {
               keyid = $5
               expires = $7
               if (expires == "" || expires == "0") {
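Review bot: Both new `uses:` lines reference `OpenCHAMI/gpg-signing-manager/actions/...@main` and hand it `secrets.GPG_SUBKEY_B64`, so the release signing subkey is only as protected as that repository's main branch: a malicious or mistaken push there executes in this job with the key in its environment. Pin each reference to a full commit SHA with the tag as a trailing comment, e.g. `uses: OpenCHAMI/gpg-signing-manager/actions/setup-rpm-signing@<commit-sha> # <tag>`, and let Dependabot propose bumps. The retained "Show signing subkey expiration" step still interpolates `${{ steps.repo_key.outputs.repo-signing-keyid }}` into the awk program; now that the value comes from an external action rather than shell in this workflow, route it through `env:` and `awk -v keyid="$SIGNING_KEYID"` so it can only ever be data. The awk program continues past the end of the hunk.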
@@ -94,31 +80,6 @@ jobs:
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "Version is ${VERSION}"
 
-      - name: Export repo public key
-        shell: bash
-        run: |
-          gpg --armor --export '${{ steps.repo_key.outputs.fingerprint }}' > public_gpg_key.asc
-
-      - name: Configure RPM signing
-        shell: bash
-        run: |
-          cat > ~/.rpmmacros < Date: Wed, 1 Apr 2026 10:54:18 -0400
Subject: [PATCH 6/8] refactor: streamline RPM signing process by improving key management and removing subkey expiration check

Signed-off-by: Alex Lovell-Troy
---
 .github/workflows/build-rpm.yaml | 37 ++++++++++++--------------
 1 file changed, 14 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/build-rpm.yaml b/.github/workflows/build-rpm.yaml
index 4c17c19..a8e8efb 100644
--- a/.github/workflows/build-rpm.yaml
+++ b/.github/workflows/build-rpm.yaml
@@ -45,26 +45,7 @@ jobs:
         uses: OpenCHAMI/gpg-signing-manager/actions/setup-rpm-signing@main
         with:
           subkey-armored-b64: ${{ secrets.GPG_SUBKEY_B64 }}
-          public-key-output: public_gpg_key.asc
-
-      - name: Show signing subkey expiration
-        shell: bash
-        run: |
-          gpg --list-secret-keys --with-colons \
-          | awk -F: '
-            ($1=="ssb" || $1=="sec") && $5 == "${{ steps.repo_key.outputs.repo-signing-keyid }}" {
-              keyid = $5
-              expires = $7
-              if (expires == "" || expires == "0") {
-                edate = "never"
-              } else {
-                cmd = "date -u -d @" expires " +\"%Y-%m-%d %H:%M:%S UTC\""
-                cmd | getline edate
-                close(cmd)
-              }
-              printf "signing subkey %s expires: %s\n", keyid, edate
-            }
-          '
+          public-key-output: public_gpg_key.asc
 
       - name: Get version
         id: get_version
@@ -94,12 +75,18 @@ jobs:
             -C ~/rpmbuild/SOURCES openchami-${VERSION}
 
       - name: Sign source tarball
+        env:
+          GPG_SIGNING_KEYID: ${{ steps.repo_key.outputs.repo-signing-keyid }}
+          GPG_SIGNING_FINGERPRINT: ${{ steps.repo_key.outputs.repo-signing-fingerprint }}
         run: |
+          set -euo pipefail
           unset GPG_TTY
+          echo "Signing source tarball with key: ${GPG_SIGNING_KEYID} (${GPG_SIGNING_FINGERPRINT})"
+          gpg --batch --list-secret-keys --keyid-format LONG "${GPG_SIGNING_FINGERPRINT}"
           gpg --batch --yes \
             --no-tty --pinentry-mode loopback \
             --armor --detach-sign \
-            --local-user '${{ steps.repo_key.outputs.repo-signing-keyid }}' \
+            --local-user "${GPG_SIGNING_KEYID}" \
             --output ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz.asc \
             ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz
 
@@ -111,10 +98,14 @@ jobs:
 
       - name: Sign RPM packages
         shell: bash
+        env:
+          GPG_SIGNING_KEYID: ${{ steps.repo_key.outputs.repo-signing-keyid }}
+          GPG_SIGNING_FINGERPRINT: ${{ steps.repo_key.outputs.repo-signing-fingerprint }}
         run: |
           set -euo pipefail
           unset GPG_TTY
-          echo "Using RPM signing fingerprint: ${{ steps.repo_key.outputs.repo-signing-fingerprint }}"
+          echo "Using RPM signing key: ${GPG_SIGNING_KEYID} (${GPG_SIGNING_FINGERPRINT})"
+          gpg --batch --list-secret-keys --keyid-format LONG "${GPG_SIGNING_FINGERPRINT}"
           echo 'Configured ~/.rpmmacros:'
           cat ~/.rpmmacros
 
@@ -122,7 +113,7 @@ jobs:
           while IFS= read -r -d '' rpm_file; do
             found=1
             echo "Signing RPM: $rpm_file"
-            rpmsign --key-id '${{ steps.repo_key.outputs.repo-signing-fingerprint }}' --addsign "$rpm_file"
+            rpmsign --key-id "${GPG_SIGNING_KEYID}" --addsign "$rpm_file"
           done < <(find ~/rpmbuild/RPMS/ -type f -name "*.rpm" -print0)
 
           if [ "$found" -eq 0 ]; then

From 131c9a624bfc23a27b194406b55cade50876c728 Mon Sep 17 00:00:00 2001
From: Devon Bautista <17506592+synackd@users.noreply.github.com>
Date: Mon, 6 Apr 2026 10:08:12 -0600
Subject: [PATCH 7/8] ci: eliminate version variable redundancy
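Review bot: Moving the key selectors into `env:` closes the inline-expansion hole, but both steps then pick the key by the 64-bit `GPG_SIGNING_KEYID` for `--local-user` and `rpmsign --key-id` while the full fingerprint sits unused in `GPG_SIGNING_FINGERPRINT`; the fingerprint is the unambiguous selector, so use `--local-user "${GPG_SIGNING_FINGERPRINT}"` and `rpmsign --key-id "${GPG_SIGNING_FINGERPRINT}"`. The new `gpg --batch --list-secret-keys --keyid-format LONG "${GPG_SIGNING_FINGERPRINT}"` lines read as debug output, but under `set -euo pipefail` they also abort the step when the secret key is missing, which is the useful part; make that intent visible with `# fails fast if the secret key did not land in the keyring`. `cat ~/.rpmmacros` prints the action-generated signing configuration into the public job log; that is harmless only if setup-rpm-signing never writes a passphrase or key material there, which is worth confirming against that action.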
Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
---
 .github/workflows/build-rpm.yaml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build-rpm.yaml b/.github/workflows/build-rpm.yaml
index a8e8efb..80bfbae 100644
--- a/.github/workflows/build-rpm.yaml
+++ b/.github/workflows/build-rpm.yaml
@@ -57,7 +57,6 @@ jobs:
           else
             VERSION=0.0.0
           fi
-          echo "VERSION=${VERSION}" >> $GITHUB_ENV
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "Version is ${VERSION}"
 
@@ -69,10 +68,10 @@ jobs:
 
       - name: Create source tarball
         run: |
-          mkdir -p ~/rpmbuild/SOURCES/openchami-${VERSION}
-          cp -r ./* ~/rpmbuild/SOURCES/openchami-${VERSION}/
-          tar -czf ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz \
-            -C ~/rpmbuild/SOURCES openchami-${VERSION}
+          mkdir -p ~/rpmbuild/SOURCES/openchami-${{ steps.get_version.outputs.version }}
+          cp -r ./* ~/rpmbuild/SOURCES/openchami-${{ steps.get_version.outputs.version }}/
+          tar -czf ~/rpmbuild/SOURCES/openchami-${{ steps.get_version.outputs.version }}.tar.gz \
+            -C ~/rpmbuild/SOURCES openchami-${{ steps.get_version.outputs.version }}
 
       - name: Sign source tarball
         env:
@@ -87,13 +86,13 @@ jobs:
             --no-tty --pinentry-mode loopback \
             --armor --detach-sign \
             --local-user "${GPG_SIGNING_KEYID}" \
-            --output ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz.asc \
-            ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz
+            --output ~/rpmbuild/SOURCES/openchami-${{ steps.get_version.outputs.version }}.tar.gz.asc \
+            ~/rpmbuild/SOURCES/openchami-${{ steps.get_version.outputs.version }}.tar.gz
 
       - name: Build RPM package
         run: |
           rpmbuild -ba ~/rpmbuild/SPECS/*.spec \
-            --define "version $VERSION" \
+            --define "version ${{ steps.get_version.outputs.version }}" \
             --define "rel 1"
 
       - name: Sign RPM packages

From 366314f347c368c080fd9f227a25ea7a4d4660ce Mon Sep 17 00:00:00 2001
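Review bot: Replacing `${VERSION}` with `${{ steps.get_version.outputs.version }}` inside `run:` scripts (the mkdir/cp/tar lines, the gpg `--output` path and `rpmbuild --define`) turns the step output into shell source: whatever get_version emits is pasted into the script before bash sees it, so a value containing a space, quote or `$(...)` breaks the step or runs commands. The job's `RELEASE_TAG` comes from `github.event.inputs.release_tag` and only the tail of get_version is visible here, so if the version is derived from that input anyone who can dispatch the workflow controls those lines. Keep the output as data: give each step `env:` with `VERSION: ${{ steps.get_version.outputs.version }}` and leave the scripts referencing `"${VERSION}"` — the `$GITHUB_ENV` line removed in the first hunk was the simplest way to do that job-wide, so dropping it should come with the per-step `env:` replacement rather than inline expansion.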
From: Devon Bautista <17506592+synackd@users.noreply.github.com>
Date: Mon, 6 Apr 2026 11:49:36 -0600
Subject: [PATCH 8/8] ci: add gpg debugging on stderr for signing

Signed-off-by: Devon Bautista <17506592+synackd@users.noreply.github.com>
---
 .github/workflows/build-rpm.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build-rpm.yaml b/.github/workflows/build-rpm.yaml
index 80bfbae..e9b356d 100644
--- a/.github/workflows/build-rpm.yaml
+++ b/.github/workflows/build-rpm.yaml
@@ -84,6 +84,7 @@ jobs:
           gpg --batch --list-secret-keys --keyid-format LONG "${GPG_SIGNING_FINGERPRINT}"
           gpg --batch --yes \
             --no-tty --pinentry-mode loopback \
+            --status-fd 2 \
             --armor --detach-sign \
             --local-user "${GPG_SIGNING_KEYID}" \
             --output ~/rpmbuild/SOURCES/openchami-${{ steps.get_version.outputs.version }}.tar.gz.asc \