Skip to content

Commit

Permalink
added full signing example of gpg signing
Browse files Browse the repository at this point in the history 
moved away from this pr: https://github.com/rehlds/ReHLDS/actions/runs/12416117825/job/34664003176?pr=1069
  • Loading branch information
@stamepicmorg
stamepicmorg committed Dec 19, 2024
1 parent 953ddb2 commit 300e468
Showing 1 changed file with 185 additions and 0 deletions.
185 changes: 185 additions & 0 deletions .github/workflows/gpg-signing.yml.example
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,185 @@
# linux:
# name: 'Linux'
# runs-on: ubuntu-24.04
#
# steps:
# - name: Checkout
# uses: actions/checkout@v4
# with:
# fetch-depth: 0
#
# - name: Install dependencies
# run: |
# dpkg --add-architecture i386
# apt-get update
# apt-get install -y \
# gcc-multilib g++-multilib \
# build-essential \
# libc6-dev libc6-dev-i386 \
# git cmake rsync \
# g++ gcc
#
#
# - name: GPG Import
# run: |
# echo "${{ secrets.REHLDS_PUB_ASC }}" > "${{ secrets.REHLDS_PUB_ASC_FILE }}"
# echo "${{ secrets.REHLDS_KEY_ASC }}" > "${{ secrets.REHLDS_KEY_ASC_FILE }}"
#
# # Import the public key
# gpg --batch --yes --import "${{ secrets.REHLDS_PUB_ASC_FILE }}"
# if [[ $? -ne 0 ]]; then
# echo "Error: Failed to import the public key"
# exit 1
# fi
#
# # Import the private key
# gpg --batch --yes --import "${{ secrets.REHLDS_KEY_ASC_FILE }}"
# if [[ $? -ne 0 ]]; then
# echo "Error: Failed to import the private key"
# exit 2
# fi
#
# # Extract the fingerprint of the imported public key
# REHLDS_LINUX_FINGERPRINT=$(gpg --list-keys --with-colons | grep '^fpr' | head -n 1 | cut -d: -f10)
#
# # Check if the fingerprint was extracted
# if [[ -z "$REHLDS_LINUX_FINGERPRINT" ]]; then
# echo "Error: Failed to extract the fingerprint of the key"
# exit 3
# fi
#
# # Set the trust level for the key
# echo "$REHLDS_LINUX_FINGERPRINT:6:" | gpg --batch --import-ownertrust
# if [ $? -ne 0 ]; then
# echo "Error: Failed to set trust for the key $REHLDS_LINUX_FINGERPRINT"
# exit 4
# fi
#
# echo "Key $REHLDS_LINUX_FINGERPRINT successfully imported and trusted"
# gpg --list-keys
#
# #export for global use
# echo "REHLDS_LINUX_FINGERPRINT=$REHLDS_LINUX_FINGERPRINT" >> $GITHUB_ENV
# shell: bash
#
# - name: Find and Sign Files
# run: |
#
# # Define directory containing files
# TARGET_DIR="publish/bin"
#
# # Find and sign each file
# find "$TARGET_DIR" -type f -name "*" | while read -r FILE; do
# echo "Signing $FILE..."
# gpg --batch --yes --detach-sign --armor -u "$REHLDS_LINUX_FINGERPRINT" "$FILE"
# if [ $? -ne 0 ]; then
# echo "Error: Failed to sign $FILE"
# exit 4
# fi
# echo "$FILE signed successfully."
# done
# shell: bash
#
# - name: Verify Signatures
# run: |
#
# # Verify the generated signatures
# TARGET_DIR="publish/bin"
# find "$TARGET_DIR" -type f -not -name "*.asc" | while read -r FILE; do
# echo "Verifying signature for $FILE..."
# gpg --verify "$FILE.asc" "$FILE"
# if [ $? -ne 0 ]; then
# echo "Error: Signature verification failed for $FILE"
# exit 5
# fi
# echo "Signature for $FILE is valid."
# done
# shell: bash
#
# publish:
# name: 'Publish'
# runs-on: ubuntu-24.04
# needs: [windows, testdemos, linux]
#
# steps:
# - name: Deploying linux artifacts
# uses: actions/download-artifact@v4
# with:
# name: linux32
#
# - name: Deploying windows artifacts
# uses: actions/download-artifact@v4
# with:
# name: win32
#
# - name: Reading appversion.h
# run: |
# if [ -e appversion.h ]; then
# APP_VERSION=$(cat appversion.h | grep -wi '#define APP_VERSION_STRD' | sed -e 's/#define APP_VERSION_STRD[ \t\r\n\v\f]\+\(.*\)/\1/i' -e 's/\r//g')
# if [ $? -ne 0 ]; then
# APP_VERSION=""
# else
# # Remove quotes
# APP_VERSION=$(echo $APP_VERSION | xargs)
# echo "APP_VERSION=${APP_VERSION}" >> $GITHUB_ENV
# fi
# fi
# rm -f appversion.h
#
# - name: Final signing and Packaging bin/dbg
# id: packaging-job
# if: |
# github.event_name == 'release' &&
# github.event.action == 'published' &&
# startsWith(github.ref, 'refs/tags/')
# run: |
#
# # new runner, niw signs
# echo "${{ secrets.REHLDS_PUB_ASC }}" > "${{ secrets.REHLDS_PUB_ASC_FILE }}"
# echo "${{ secrets.REHLDS_KEY_ASC }}" > "${{ secrets.REHLDS_KEY_ASC_FILE }}"
# gpg --batch --yes --import "${{ secrets.REHLDS_PUB_ASC_FILE }}"
# gpg --batch --yes --import "${{ secrets.REHLDS_KEY_ASC_FILE }}"
# REHLDS_LINUX_FINGERPRINT=$(gpg --list-keys --with-colons | grep '^fpr' | head -n 1 | cut -d: -f10)
# echo "$REHLDS_LINUX_FINGERPRINT:6:" | gpg --batch --import-ownertrust
# echo "REHLDS_LINUX_FINGERPRINT=$REHLDS_LINUX_FINGERPRINT" >> $GITHUB_ENV
#
# sign_file() {
# local file=$1
# gpg --batch --yes --detach-sign --armor -u "$REHLDS_LINUX_FINGERPRINT" "$file"
# if [ $? -ne 0 ]; then
# echo "Error: Failed to sign $file"
# exit 2
# fi
# echo "$file signed successfully."
# }
#
# # Pack and sign final archive
# 7z a -tzip rehlds-bin-${{ env.APP_VERSION }}.zip bin/ hlsdk/
# sign_file "rehlds-bin-${{ env.APP_VERSION }}.zip"
#
# # Pack and sign final archive
# 7z a -t7z -m0=lzma2 -mx=9 -mfb=64 -aoa rehlds-dbg-${{ env.APP_VERSION }}.7z debug/
# sign_file "rehlds-dbg-${{ env.APP_VERSION }}.7z"
#
# # Find and sign each win32 files, linux files already signed
# find ./bin/win32 -type f -name "*" | while read -r FILE; do
# echo "Signing $FILE..."
# gpg --batch --yes --detach-sign --armor -u "$REHLDS_LINUX_FINGERPRINT" "$FILE"
# if [ $? -ne 0 ]; then
# echo "Error: Failed to sign $FILE"
# exit 1
# fi
# echo "$FILE signed successfully."
# done
# # Find and sign each PDB files
# find ./debug -type f -name "*" | while read -r FILE; do
# echo "Signing $FILE..."
# gpg --batch --yes --detach-sign --armor -u "$REHLDS_LINUX_FINGERPRINT" "$FILE"
# if [ $? -ne 0 ]; then
# echo "Error: Failed to sign $FILE"
# exit 3
# fi
# echo "$FILE signed successfully."
# done
#
# shell: bash

0 comments on commit 300e468

Please sign in to comment.