synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-18 14:17:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: sign coder binaries with the release key using GPG (#18774)

Browse Source 
### Description
This PR introduces GPG signing for all Coder *slim-binaries*.
Detached signatures will allow users to verify the integrity and
authenticity of the binaries they download.

### Changes
  * `scripts/sign_with_gpg.sh`: New script to sign a given binary
     using GPG. It imports the release key, signs the binary, and
     verifies the signature.
   * `scripts/build_go.sh`: Updated to call `sign_with_gpg.sh` when the
     `CODER_SIGN_GPG` environment variable is set to 1.
   * `.github/workflows/release.yaml`: The` CODER_SIGN_GPG` environment
     variable is now set to 1 during the release build, enabling GPG
     signing for all release binaries.
   * `.github/workflows/ci.yaml`: The `CODER_SIGN_GPG` environment
     variable is now set to 1 during the CI build, enabling GPG
     signing for all CI binaries.
* `Makefile`: Detached signatures are moved to the `/site/out/bin/
`directory
This commit is contained in:
Jakub Domeracki
2025-07-09 11:53:27 +02:00
committed by GitHub
parent 3c2f3d640b
commit dc0919da33
6 changed files with 82 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/ci.yaml vendored
View File

@ -1137,6 +1137,8 @@ jobs:
# do (see above). # do (see above).
CODER_SIGN_WINDOWS: "1" CODER_SIGN_WINDOWS: "1"
CODER_WINDOWS_RESOURCES: "1" CODER_WINDOWS_RESOURCES: "1"
CODER_SIGN_GPG: "1"
CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
EV_KEY: ${{ secrets.EV_KEY }} EV_KEY: ${{ secrets.EV_KEY }}
EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }} EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }}
EV_TSA_URL: ${{ secrets.EV_TSA_URL }} EV_TSA_URL: ${{ secrets.EV_TSA_URL }}

2
.github/workflows/release.yaml vendored
View File

@ -323,6 +323,8 @@ jobs:
env: env:
CODER_SIGN_WINDOWS: "1" CODER_SIGN_WINDOWS: "1"
CODER_SIGN_DARWIN: "1" CODER_SIGN_DARWIN: "1"
CODER_SIGN_GPG: "1"
CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
CODER_WINDOWS_RESOURCES: "1" CODER_WINDOWS_RESOURCES: "1"
AC_CERTIFICATE_FILE: /tmp/apple_cert.p12 AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt

4
Makefile
View File

@ -252,6 +252,10 @@ $(CODER_ALL_BINARIES): go.mod go.sum \
fi fi
cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext" cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"
if [[ "$${CODER_SIGN_GPG:-0}" == "1" ]]; then
cp "$@.asc" "./site/out/bin/coder-$$os-$$arch$$dot_ext.asc"
fi
fi fi
# This task builds Coder Desktop dylibs # This task builds Coder Desktop dylibs

13
scripts/build_go.sh
View File

@ -20,6 +20,9 @@
# binary will be signed using ./sign_darwin.sh. Read that file for more details # binary will be signed using ./sign_darwin.sh. Read that file for more details
# on the requirements. # on the requirements.
# #
# If the --sign-gpg parameter is specified, the output binary will be signed using ./sign_with_gpg.sh.
# Read that file for more details on the requirements.
#
# If the --agpl parameter is specified, builds only the AGPL-licensed code (no # If the --agpl parameter is specified, builds only the AGPL-licensed code (no
# Coder enterprise features). # Coder enterprise features).
# #
@ -41,6 +44,7 @@ slim="${CODER_SLIM_BUILD:-0}"
agpl="${CODER_BUILD_AGPL:-0}" agpl="${CODER_BUILD_AGPL:-0}"
sign_darwin="${CODER_SIGN_DARWIN:-0}" sign_darwin="${CODER_SIGN_DARWIN:-0}"
sign_windows="${CODER_SIGN_WINDOWS:-0}" sign_windows="${CODER_SIGN_WINDOWS:-0}"
sign_gpg="${CODER_SIGN_GPG:-0}"
boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0} boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}
dylib=0 dylib=0
windows_resources="${CODER_WINDOWS_RESOURCES:-0}" windows_resources="${CODER_WINDOWS_RESOURCES:-0}"
@ -85,6 +89,10 @@ while true; do
sign_windows=1 sign_windows=1
shift shift
;; ;;
--sign-gpg)
sign_gpg=1
shift
;;
--boringcrypto) --boringcrypto)
boringcrypto=1 boringcrypto=1
shift shift
@ -319,4 +327,9 @@ if [[ "$sign_windows" == 1 ]] && [[ "$os" == "windows" ]]; then
execrelative ./sign_windows.sh "$output_path" 1>&2 execrelative ./sign_windows.sh "$output_path" 1>&2
fi fi
# Platform agnostic signing
if [[ "$sign_gpg" == 1 ]]; then
execrelative ./sign_with_gpg.sh "$output_path" 1>&2
fi
echo "$output_path" echo "$output_path"

21
scripts/release/publish.sh
View File

@ -129,26 +129,9 @@ if [[ "$dry_run" == 0 ]] && [[ "${CODER_GPG_RELEASE_KEY_BASE64:-}" != "" ]]; the
log "--- Signing checksums file" log "--- Signing checksums file"
log log
# Import the GPG key. execrelative ../sign_with_gpg.sh "${temp_dir}/${checksum_file}"
old_gnupg_home="${GNUPGHOME:-}"
gnupg_home_temp="$(mktemp -d)"
export GNUPGHOME="$gnupg_home_temp"
echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --import 1>&2
# Sign the checksums file. This generates a file in the same directory and
# with the same name as the checksums file but ending in ".asc".
#
# We pipe `true` into `gpg` so that it never tries to be interactive (i.e.
# ask for a passphrase). The key we import above is not password protected.
true | gpg --detach-sign --armor "${temp_dir}/${checksum_file}" 1>&2
rm -rf "$gnupg_home_temp"
unset GNUPGHOME
if [[ "$old_gnupg_home" != "" ]]; then
export GNUPGHOME="$old_gnupg_home"
fi
signed_checksum_path="${temp_dir}/${checksum_file}.asc" signed_checksum_path="${temp_dir}/${checksum_file}.asc"
if [[ ! -e "$signed_checksum_path" ]]; then if [[ ! -e "$signed_checksum_path" ]]; then
log "Signed checksum file not found: ${signed_checksum_path}" log "Signed checksum file not found: ${signed_checksum_path}"
log log

59
scripts/sign_with_gpg.sh Executable file
View File

@ -0,0 +1,59 @@
#!/usr/bin/env bash
# This script signs a given binary using GPG.
# It expects the binary to be signed as the first argument.
#
# Usage: ./sign_with_gpg.sh path/to/binary
#
# On success, the input file will be signed using the GPG key and the signature output file will moved to /site/out/bin/ (happens in the Makefile)
#
# Depends on the GPG utility. Requires the following environment variables to be set:
# - $CODER_GPG_RELEASE_KEY_BASE64: The base64 encoded private key to use.
set -euo pipefail
# shellcheck source=scripts/lib.sh
source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
requiredenvs CODER_GPG_RELEASE_KEY_BASE64
FILE_TO_SIGN="$1"
if [[ -z "$FILE_TO_SIGN" ]]; then
error "Usage: $0 <file_to_sign>"
fi
if [[ ! -f "$FILE_TO_SIGN" ]]; then
error "File not found: $FILE_TO_SIGN"
fi
# Import the GPG key.
old_gnupg_home="${GNUPGHOME:-}"
gnupg_home_temp="$(mktemp -d)"
export GNUPGHOME="$gnupg_home_temp"
# Ensure GPG uses the temporary directory
echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --homedir "$gnupg_home_temp" --import 1>&2
# Sign the binary. This generates a file in the same directory and
# with the same name as the binary but ending in ".asc".
#
# We pipe `true` into `gpg` so that it never tries to be interactive (i.e.
# ask for a passphrase). The key we import above is not password protected.
true | gpg --homedir "$gnupg_home_temp" --detach-sign --armor "$FILE_TO_SIGN" 1>&2
# Verify the signature and capture the exit status
gpg --homedir "$gnupg_home_temp" --verify "${FILE_TO_SIGN}.asc" "$FILE_TO_SIGN" 1>&2
verification_result=$?
# Clean up the temporary GPG home
rm -rf "$gnupg_home_temp"
unset GNUPGHOME
if [[ "$old_gnupg_home" != "" ]]; then
export GNUPGHOME="$old_gnupg_home"
fi
if [[ $verification_result -eq 0 ]]; then
echo "${FILE_TO_SIGN}.asc"
else
error "Signature verification failed!"
fi