From e2b13573ae5910864ea68e447c2897b50c51e020 Mon Sep 17 00:00:00 2001 From: Elian Doran Date: Thu, 14 Aug 2025 10:25:11 +0300 Subject: [PATCH 1/5] feat(forge): rpm signing --- .github/actions/build-electron/action.yml | 6 ++++++ .github/workflows/nightly.yml | 3 ++- .github/workflows/release.yml | 1 + apps/desktop/electron-forge/forge.config.ts | 3 ++- 4 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml index 93772d7d9..da4e94507 100644 --- a/.github/actions/build-electron/action.yml +++ b/.github/actions/build-electron/action.yml @@ -55,6 +55,12 @@ runs: security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain + - name: Import GPG signing key + if: inputs.os == 'linux' + shell: ${{ inputs.shell }} + run: | + echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import + - name: Set up Python and other macOS dependencies if: ${{ inputs.os == 'macos' }} shell: ${{ inputs.shell }} diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index cfed9c4fe..03a9b5262 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -76,6 +76,7 @@ jobs: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} WINDOWS_SIGN_EXECUTABLE: ${{ vars.WINDOWS_SIGN_EXECUTABLE }} + GPG_SIGNING_KEY: ${{ secrets.GPG_SIGN_KEY }} - name: Publish release uses: softprops/action-gh-release@v2.3.2 @@ -97,7 +98,7 @@ jobs: path: apps/desktop/upload nightly-server: - if: github.repository == 'TriliumNext/Trilium' + if: github.repository == 'TriliumNext/Trilium' name: Deploy server nightly strategy: fail-fast: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 041e7a437..20161630f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
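Review bot: The new "Import GPG signing key" step pipes `$GPG_SIGNING_KEY` straight into `base64 --decode | gpg --import` with no check that the variable is set, so a run where the secret is absent (fork builds, a misnamed secret) fails inside gpg with an unrelated "no valid OpenPGP data" style error rather than a clear message. I would add a guard before the pipeline: `[ -n "$GPG_SIGNING_KEY" ] || { echo "GPG_SIGNING_KEY is not set"; exit 1; }`. Also, because the step uses `shell: ${{ inputs.shell }}`, whether a failing `base64 --decode` (malformed secret) aborts the pipeline depends on that shell running with `pipefail`; if it does not, a truncated key silently yields an empty import and the failure only surfaces later. Note that the private key is left in the runner's default keyring for the rest of the job; that is fine on ephemeral hosted runners but worth a comment if self-hosted runners are in play.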
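Review bot: The environment variable and the secret are named differently (`GPG_SIGNING_KEY: ${{ secrets.GPG_SIGN_KEY }}`), which is an easy way to misconfigure the secret in repository settings; either rename one side or add a short comment on the line, `# secret GPG_SIGN_KEY is consumed as GPG_SIGNING_KEY by build-electron/action.yml`. Since the same `env:` block also carries the Apple secrets, this appears to feed every OS entry of the build, so the RPM private key is exposed to the macOS and Windows build environments even though only the Linux step imports it; if the job is a matrix, `GPG_SIGNING_KEY: ${{ matrix.os == 'linux' && secrets.GPG_SIGN_KEY || '' }}` would restrict it to the runner that needs it (confirm the matrix variable name, which is outside this hunk).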
@@ -58,6 +58,7 @@ jobs: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} WINDOWS_SIGN_EXECUTABLE: ${{ vars.WINDOWS_SIGN_EXECUTABLE }} + GPG_SIGNING_KEY: ${{ secrets.GPG_SIGN_KEY }} - name: Upload the artifact uses: actions/upload-artifact@v4 diff --git a/apps/desktop/electron-forge/forge.config.ts b/apps/desktop/electron-forge/forge.config.ts index b433ee4d7..991a58dfd 100644 --- a/apps/desktop/electron-forge/forge.config.ts +++ b/apps/desktop/electron-forge/forge.config.ts @@ -106,7 +106,8 @@ const config: ForgeConfig = { { name: "@electron-forge/maker-rpm", config: { - options: baseLinuxMakerConfigOptions + options: baseLinuxMakerConfigOptions, + args: ["--rpm-sign"] } }, { From d33d27ee824d07b4c6373f05668078558a0e1e82 Mon Sep 17 00:00:00 2001 From: Elian Doran Date: Thu, 14 Aug 2025 11:45:59 +0300 Subject: [PATCH 2/5] feat(forge): validate rpm signing --- .github/actions/build-electron/action.yml | 25 +++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml index da4e94507..e48e2cc27 100644 --- a/.github/actions/build-electron/action.yml +++ b/.github/actions/build-electron/action.yml @@ -55,12 +55,6 @@ runs: security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain - - name: Import GPG signing key - if: inputs.os == 'linux' - shell: ${{ inputs.shell }} - run: | - echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import - - name: Set up Python and other macOS dependencies if: ${{ inputs.os == 'macos' }} shell: ${{ inputs.shell }} 
@@ -168,3 +162,22 @@ runs: echo "Found ZIP: $zip_file" echo "Note: ZIP files are not code signed, but their contents should be" fi + + - name: Import GPG signing key + if: inputs.os == 'linux' + shell: ${{ inputs.shell }} + run: | + echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import + + # Import the key into RPM for verification + gpg --export -a > pubkey + rpm --import pubkey + rm pubkey + + # Validate code signing + rpm_file=$(find ./apps/desktop/dist -name "*.rpm" -print -quit) + if ! rpm -K "$rpm_file" | grep -q "digests signatures OK"; then + echo .rpm file not signed + rpm -Kv "$rpm_file" + exit 1 + fi From b66b4dec83c2131f700f26d5d800acb47e7c2be5 Mon Sep 17 00:00:00 2001 From: Elian Doran Date: Thu, 14 Aug 2025 12:04:12 +0300 Subject: [PATCH 3/5] feat(forge): proper rpm signing --- .github/actions/build-electron/action.yml | 5 ++++- apps/desktop/electron-forge/forge.config.ts | 3 +-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml index e48e2cc27..61e96e50f 100644 --- a/.github/actions/build-electron/action.yml +++ b/.github/actions/build-electron/action.yml @@ -174,8 +174,11 @@ runs: rpm --import pubkey rm pubkey - # Validate code signing + # Sign the RPM rpm_file=$(find ./apps/desktop/dist -name "*.rpm" -print -quit) + rpmsign --define "_gpg_name Trilium Notes Signing Key " --addsign "$rpm_file" + + # Validate code signing if ! rpm -K "$rpm_file" | grep -q "digests signatures OK"; then echo .rpm file not signed rpm -Kv "$rpm_file" diff --git a/apps/desktop/electron-forge/forge.config.ts b/apps/desktop/electron-forge/forge.config.ts index 991a58dfd..b433ee4d7 100644 --- a/apps/desktop/electron-forge/forge.config.ts +++ b/apps/desktop/electron-forge/forge.config.ts 
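Review bot: If no `.rpm` is produced, `find ... -print -quit` leaves `$rpm_file` empty, `rpm -K ""` fails, and the step exits with the misleading message ".rpm file not signed"; add `[ -n "$rpm_file" ] || { echo "no .rpm found under apps/desktop/dist"; exit 1; }` right after the `find`. `gpg --export -a` with no key selector exports every public key in the keyring, and `rpm --import` then trusts all of them for verification, so the check only proves the package was signed by some key present on the runner; exporting by the signing key's fingerprint (`gpg --export -a "$GPG_KEY_FPR" > pubkey`) and asserting that fingerprint in the verification keeps the check meaningful even on a non-fresh runner. Consider also removing the secret key from the keyring once signing is done (`gpg --batch --yes --delete-secret-and-public-keys "$GPG_KEY_FPR"`), since later steps in the same job otherwise retain signing capability. The step's `run:` script starts before this hunk.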
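Review bot: `rpmsign --define "_gpg_name Trilium Notes Signing Key "` selects the signing key by a free-text user-ID match, which is ambiguous if more than one key matches and, as rendered here, ends with a trailing space before the closing quote (possibly a stripped `<email>` part of the UID; confirm the value in the repository). Pinning by fingerprint is unambiguous: `rpmsign --define "_gpg_name $GPG_KEY_FPR" --addsign "$rpm_file"`. If the imported key carries a passphrase, `rpmsign` in a non-interactive job will block or fail unless gpg is driven in batch/loopback mode (for example via `_gpg_sign_cmd_extra_args`), so the step should either document that the key is unprotected or handle the passphrase explicitly. The enclosing `run:` script starts and ends outside this hunk.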
@@ -106,8 +106,7 @@ const config: ForgeConfig = { { name: "@electron-forge/maker-rpm", config: { - options: baseLinuxMakerConfigOptions, - args: ["--rpm-sign"] + options: baseLinuxMakerConfigOptions } }, { From 50568704cab4b843ed68a6d75d01055c0f7fae76 Mon Sep 17 00:00:00 2001 From: Elian Doran Date: Thu, 14 Aug 2025 12:40:19 +0300 Subject: [PATCH 4/5] feat(forge): minor improvements to RPM signing --- .github/actions/build-electron/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml index 61e96e50f..eb5ef6737 100644 --- a/.github/actions/build-electron/action.yml +++ b/.github/actions/build-electron/action.yml @@ -163,7 +163,7 @@ runs: echo "Note: ZIP files are not code signed, but their contents should be" fi - - name: Import GPG signing key + - name: Sign the RPM if: inputs.os == 'linux' shell: ${{ inputs.shell }} run: | @@ -177,10 +177,10 @@ runs: # Sign the RPM rpm_file=$(find ./apps/desktop/dist -name "*.rpm" -print -quit) rpmsign --define "_gpg_name Trilium Notes Signing Key " --addsign "$rpm_file" + rpm -Kv "$rpm_file" # Validate code signing if ! rpm -K "$rpm_file" | grep -q "digests signatures OK"; then echo .rpm file not signed - rpm -Kv "$rpm_file" exit 1 fi From 649a43c9787b708ec68eca6f798f1e148a2c4eda Mon Sep 17 00:00:00 2001 From: Elian Doran Date: Thu, 14 Aug 2025 12:45:18 +0300 Subject: [PATCH 5/5] fix(forge): RPM signing not done on the right file --- .github/actions/build-electron/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml index eb5ef6737..add8f3156 100644 --- a/.github/actions/build-electron/action.yml +++ b/.github/actions/build-electron/action.yml 
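Review bot: The validation still relies on grepping the human-readable `rpm -K` output for "digests signatures OK", and that wording is specific to newer rpm releases; older versions print a different summary, and the check would then report a correctly signed package as unsigned. The grep is doing real work here (an unsigned package with valid digests still exits 0 from `rpm -K`), so rather than dropping it I would make it assert the expected signer, e.g. `rpm -Kv "$rpm_file" | grep -q "key ID ${GPG_KEY_ID}: OK"`, with a comment that the line format is rpm-version dependent. The unquoted `echo .rpm file not signed` should be `echo ".rpm file not signed"` for consistency with the other messages in this step. The enclosing `run:` script starts before this hunk.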
@@ -175,7 +175,7 @@ runs: rm pubkey # Sign the RPM - rpm_file=$(find ./apps/desktop/dist -name "*.rpm" -print -quit) + rpm_file=$(find ./apps/desktop/upload -name "*.rpm" -print -quit) rpmsign --define "_gpg_name Trilium Notes Signing Key " --addsign "$rpm_file" rpm -Kv "$rpm_file"
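Review bot: Switching the `find` to `./apps/desktop/upload` fixes the path, but `-print -quit` still signs and verifies only the first `.rpm` it finds; if the upload directory ever holds more than one RPM (for instance another architecture), the rest are published unsigned and the check passes. Iterate over every package instead, failing when none exist; a POSIX `for` loop with an existence test avoids depending on `inputs.shell` being bash. The validation lines live outside this hunk and would move inside the loop.
```yaml
    # … unchanged: gpg import and rpm --import of the public key …

    # Sign and verify every RPM in the upload directory
    for rpm_file in ./apps/desktop/upload/*.rpm; do
      [ -e "$rpm_file" ] || { echo "no .rpm found in apps/desktop/upload"; exit 1; }
      rpmsign --define "_gpg_name Trilium Notes Signing Key " --addsign "$rpm_file"
      rpm -Kv "$rpm_file"
      # … unchanged: rpm -K | grep validation, now per file …
    done
```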