mirror of
https://github.com/coder/coder.git
synced 2025-07-12 00:14:10 +00:00
feat: sign coder binaries with the release key using GPG (#18774)
### Description
This PR introduces GPG signing for all Coder *slim-binaries*.
Detached signatures will allow users to verify the integrity and
authenticity of the binaries they download.
### Changes
* `scripts/sign_with_gpg.sh`: New script to sign a given binary
using GPG. It imports the release key, signs the binary, and
verifies the signature.
* `scripts/build_go.sh`: Updated to call `sign_with_gpg.sh` when the
`CODER_SIGN_GPG` environment variable is set to 1.
* `.github/workflows/release.yaml`: The` CODER_SIGN_GPG` environment
variable is now set to 1 during the release build, enabling GPG
signing for all release binaries.
* `.github/workflows/ci.yaml`: The `CODER_SIGN_GPG` environment
variable is now set to 1 during the CI build, enabling GPG
signing for all CI binaries.
* `Makefile`: Detached signatures are moved to the `/site/out/bin/
`directory
This commit is contained in:
Jakub Domeracki
GitHub
2
.github/workflows/ci.yaml
vendored
2
.github/workflows/ci.yaml
vendored
@ -1137,6 +1137,8 @@ jobs:
|
||||
# do (see above).
|
||||
CODER_SIGN_WINDOWS: "1"
|
||||
CODER_WINDOWS_RESOURCES: "1"
|
||||
CODER_SIGN_GPG: "1"
|
||||
CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
|
||||
EV_KEY: ${{ secrets.EV_KEY }}
|
||||
EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }}
|
||||
EV_TSA_URL: ${{ secrets.EV_TSA_URL }}
|
||||
|
||||
2
.github/workflows/release.yaml
vendored
2
.github/workflows/release.yaml
vendored
@ -323,6 +323,8 @@ jobs:
|
||||
env:
|
||||
CODER_SIGN_WINDOWS: "1"
|
||||
CODER_SIGN_DARWIN: "1"
|
||||
CODER_SIGN_GPG: "1"
|
||||
CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
|
||||
CODER_WINDOWS_RESOURCES: "1"
|
||||
AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
|
||||
AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
|
||||
|
||||
4
Makefile
4
Makefile
@ -252,6 +252,10 @@ $(CODER_ALL_BINARIES): go.mod go.sum \
|
||||
fi
|
||||
|
||||
cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"
|
||||
|
||||
if [[ "$${CODER_SIGN_GPG:-0}" == "1" ]]; then
|
||||
cp "$@.asc" "./site/out/bin/coder-$$os-$$arch$$dot_ext.asc"
|
||||
fi
|
||||
fi
|
||||
|
||||
# This task builds Coder Desktop dylibs
|
||||
|
||||
@ -20,6 +20,9 @@
|
||||
# binary will be signed using ./sign_darwin.sh. Read that file for more details
|
||||
# on the requirements.
|
||||
#
|
||||
# If the --sign-gpg parameter is specified, the output binary will be signed using ./sign_with_gpg.sh.
|
||||
# Read that file for more details on the requirements.
|
||||
#
|
||||
# If the --agpl parameter is specified, builds only the AGPL-licensed code (no
|
||||
# Coder enterprise features).
|
||||
#
|
||||
@ -41,6 +44,7 @@ slim="${CODER_SLIM_BUILD:-0}"
|
||||
agpl="${CODER_BUILD_AGPL:-0}"
|
||||
sign_darwin="${CODER_SIGN_DARWIN:-0}"
|
||||
sign_windows="${CODER_SIGN_WINDOWS:-0}"
|
||||
sign_gpg="${CODER_SIGN_GPG:-0}"
|
||||
boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}
|
||||
dylib=0
|
||||
windows_resources="${CODER_WINDOWS_RESOURCES:-0}"
|
||||
@ -85,6 +89,10 @@ while true; do
|
||||
sign_windows=1
|
||||
shift
|
||||
;;
|
||||
--sign-gpg)
|
||||
sign_gpg=1
|
||||
shift
|
||||
;;
|
||||
--boringcrypto)
|
||||
boringcrypto=1
|
||||
shift
|
||||
@ -319,4 +327,9 @@ if [[ "$sign_windows" == 1 ]] && [[ "$os" == "windows" ]]; then
|
||||
execrelative ./sign_windows.sh "$output_path" 1>&2
|
||||
fi
|
||||
|
||||
# Platform agnostic signing
|
||||
if [[ "$sign_gpg" == 1 ]]; then
|
||||
execrelative ./sign_with_gpg.sh "$output_path" 1>&2
|
||||
fi
|
||||
|
||||
echo "$output_path"
|
||||
|
||||
@ -129,26 +129,9 @@ if [[ "$dry_run" == 0 ]] && [[ "${CODER_GPG_RELEASE_KEY_BASE64:-}" != "" ]]; the
|
||||
log "--- Signing checksums file"
|
||||
log
|
||||
|
||||
# Import the GPG key.
|
||||
old_gnupg_home="${GNUPGHOME:-}"
|
||||
gnupg_home_temp="$(mktemp -d)"
|
||||
export GNUPGHOME="$gnupg_home_temp"
|
||||
echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --import 1>&2
|
||||
|
||||
# Sign the checksums file. This generates a file in the same directory and
|
||||
# with the same name as the checksums file but ending in ".asc".
|
||||
#
|
||||
# We pipe `true` into `gpg` so that it never tries to be interactive (i.e.
|
||||
# ask for a passphrase). The key we import above is not password protected.
|
||||
true | gpg --detach-sign --armor "${temp_dir}/${checksum_file}" 1>&2
|
||||
|
||||
rm -rf "$gnupg_home_temp"
|
||||
unset GNUPGHOME
|
||||
if [[ "$old_gnupg_home" != "" ]]; then
|
||||
export GNUPGHOME="$old_gnupg_home"
|
||||
fi
|
||||
|
||||
execrelative ../sign_with_gpg.sh "${temp_dir}/${checksum_file}"
|
||||
signed_checksum_path="${temp_dir}/${checksum_file}.asc"
|
||||
|
||||
if [[ ! -e "$signed_checksum_path" ]]; then
|
||||
log "Signed checksum file not found: ${signed_checksum_path}"
|
||||
log
|
||||
|
||||
59
scripts/sign_with_gpg.sh
Executable file
59
scripts/sign_with_gpg.sh
Executable file
@ -0,0 +1,59 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# This script signs a given binary using GPG.
|
||||
# It expects the binary to be signed as the first argument.
|
||||
#
|
||||
# Usage: ./sign_with_gpg.sh path/to/binary
|
||||
#
|
||||
# On success, the input file will be signed using the GPG key and the signature output file will moved to /site/out/bin/ (happens in the Makefile)
|
||||
#
|
||||
# Depends on the GPG utility. Requires the following environment variables to be set:
|
||||
# - $CODER_GPG_RELEASE_KEY_BASE64: The base64 encoded private key to use.
|
||||
|
||||
set -euo pipefail
|
||||
# shellcheck source=scripts/lib.sh
|
||||
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
|
||||
|
||||
requiredenvs CODER_GPG_RELEASE_KEY_BASE64
|
||||
|
||||
FILE_TO_SIGN="$1"
|
||||
|
||||
if [[ -z "$FILE_TO_SIGN" ]]; then
|
||||
error "Usage: $0 <file_to_sign>"
|
||||
fi
|
||||
|
||||
if [[ ! -f "$FILE_TO_SIGN" ]]; then
|
||||
error "File not found: $FILE_TO_SIGN"
|
||||
fi
|
||||
|
||||
# Import the GPG key.
|
||||
old_gnupg_home="${GNUPGHOME:-}"
|
||||
gnupg_home_temp="$(mktemp -d)"
|
||||
export GNUPGHOME="$gnupg_home_temp"
|
||||
|
||||
# Ensure GPG uses the temporary directory
|
||||
echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --homedir "$gnupg_home_temp" --import 1>&2
|
||||
|
||||
# Sign the binary. This generates a file in the same directory and
|
||||
# with the same name as the binary but ending in ".asc".
|
||||
#
|
||||
# We pipe `true` into `gpg` so that it never tries to be interactive (i.e.
|
||||
# ask for a passphrase). The key we import above is not password protected.
|
||||
true | gpg --homedir "$gnupg_home_temp" --detach-sign --armor "$FILE_TO_SIGN" 1>&2
|
||||
|
||||
# Verify the signature and capture the exit status
|
||||
gpg --homedir "$gnupg_home_temp" --verify "${FILE_TO_SIGN}.asc" "$FILE_TO_SIGN" 1>&2
|
||||
verification_result=$?
|
||||
|
||||
# Clean up the temporary GPG home
|
||||
rm -rf "$gnupg_home_temp"
|
||||
unset GNUPGHOME
|
||||
if [[ "$old_gnupg_home" != "" ]]; then
|
||||
export GNUPGHOME="$old_gnupg_home"
|
||||
fi
|
||||
|
||||
if [[ $verification_result -eq 0 ]]; then
|
||||
echo "${FILE_TO_SIGN}.asc"
|
||||
else
|
||||
error "Signature verification failed!"
|
||||
fi
|
||||
Reference in New Issue
Block a user