gaschz/trilium
1
0
Fork 0
mirror of https://github.com/zadam/trilium.git synced 2025-12-04 22:44:25 +01:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity

feat(forge): validate rpm signing

Browse Source
This commit is contained in:
Elian Doran 2025-08-14 11:45:59 +03:00
parent e2b13573ae
commit d33d27ee82
No known key found for this signature in database
1 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
.github/actions/build-electron/action.yml vendored
View File

@ -55,12 +55,6 @@ runs:
security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain
security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain
- name: Import GPG signing key
if: inputs.os == 'linux'
shell: ${{ inputs.shell }}
run: |
echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
- name: Set up Python and other macOS dependencies - name: Set up Python and other macOS dependencies
if: ${{ inputs.os == 'macos' }} if: ${{ inputs.os == 'macos' }}
shell: ${{ inputs.shell }} shell: ${{ inputs.shell }}
@ -168,3 +162,22 @@ runs:
echo "Found ZIP: $zip_file" echo "Found ZIP: $zip_file"
echo "Note: ZIP files are not code signed, but their contents should be" echo "Note: ZIP files are not code signed, but their contents should be"
fi fi
- name: Import GPG signing key
if: inputs.os == 'linux'
shell: ${{ inputs.shell }}
run: |
echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
# Import the key into RPM for verification
gpg --export -a > pubkey
rpm --import pubkey
rm pubkey
# Validate code signing
rpm_file=$(find ./apps/desktop/dist -name "*.rpm" -print -quit)
if ! rpm -K "$rpm_file" | grep -q "digests signatures OK"; then
echo .rpm file not signed
rpm -Kv "$rpm_file"
exit 1
fi