Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add gpg-sign step to drone #4188

Merged
merged 6 commits into from
Jun 24, 2018
Merged

Add gpg-sign step to drone #4188

merged 6 commits into from
Jun 24, 2018

Conversation

sapk
Copy link
Member

@sapk sapk commented Jun 8, 2018

@go-gitea/owners need to add secrets (gpgsign_key, gpgsign_passphrase) to make this work and disclose the public part to be usefull ^^.
Friendly ping to @tboerger who develop the drone plugin.

Fix #4182
Related #4167

.drone.yml Outdated
secrets: [ gpgsign_key, gpgsign_passphrase ]
detach_sign: true
files:
- dist/release/*-amd64
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we sign the compressed files too?

Copy link
Member Author

@sapk sapk Jun 8, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since they should be extract to be usefull ? It is possible but it is un-needed I think but if someone want it we can.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it might be a good idea because if perhaps someone replaces the compressed file with perhaps a zip bomb. Signing the compressed file means they can check it before they extract.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only the xz files are getting uploaded, right? Than only sign *.xz

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's only a cosmetical improvement and can be added anytime. I don't see a need to delay this milestone any further.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can merge the gpgsign plugin, but to tag a release I have to be home

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As long as we can merge and release RC today I'm fine

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Merged gpgsign PR and triggered a release => https://beta.drone.io/drone-plugins/drone-gpgsign/11

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bkcsoft bkcsoft added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jun 8, 2018
@codecov-io
Copy link

codecov-io commented Jun 8, 2018

Codecov Report

Merging #4188 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #4188   +/-   ##
=======================================
  Coverage   20.09%   20.09%           
=======================================
  Files         153      153           
  Lines       30696    30696           
=======================================
  Hits         6168     6168           
  Misses      23586    23586           
  Partials      942      942

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 212fef0...bc76a71. Read the comment docs.

@techknowlogick techknowlogick added topic/deployment topic/build PR changes how Gitea is built, i.e. regarding Docker or the Makefile labels Jun 8, 2018
@sapk
Copy link
Member Author

sapk commented Jun 8, 2018

Steps to generate the key and import it :

# Generate key
gpg --full-generate-key 
 > 1 RSA et RSA
 > 4096
 > 0 (we could setup a expiration date but not necessary)
 > y
 > Gitea Drone Build System
 > drone@gitea.io
 > y
 > (Provide a good random passphrase)

gpg --export-secret-keys -a LONG_KEY_ID_DISPLAY_AT_END_OF_GENERATION > path/to/private.key

# Import in drone
drone secret add --repository go-gitea/gitea --name gpgsign_key --value $(base64 -i path/to/private.key) --event push --event tag --image plugins/gpgsign
drone secret add --repository go-gitea/gitea --name gpgsign_passphrase --value password-for-key --event push --event tag --image plugins/gpgsign

# Disclose public key to every one
gpg --armor --export LONG_KEY_ID_DISPLAY_AT_END_OF_GENERATION > release_key.pub

@bkcsoft bkcsoft added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 8, 2018
@tboerger
Copy link
Member

Please use sub keys, follow a guide like https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/ to generate GPG keys. Than you can also increase the trust of the endless valid key and use a sub signing key with a limited lifetime for signing the builds.

Beside that the public key should be uploaded to the keyservers and also been provided via the download server.

@lunny lunny added this to the 1.5.0 milestone Jun 21, 2018
.drone.yml Outdated
- dist/release/*-386.exe
- dist/release/*.xz
when:
event: [ push, tag ]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need the push event here?
Since release only happens on tagging, it should be sufficient here as well?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bkcsoft bkcsoft added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 21, 2018
@tboerger
Copy link
Member

Now there is also a PR to provide some documentation for the gpgsign plugin: drone/drone-plugin-index#129

@tboerger
Copy link
Member

Now you can add the excludes attribute and simplify this step :D

@lunny
Copy link
Member

lunny commented Jun 24, 2018

Wait util I setup drone.

@lunny lunny merged commit a747a5d into go-gitea:master Jun 24, 2018
@sapk sapk mentioned this pull request Jul 3, 2018
@lafriks lafriks added the type/changelog Adds the changelog for a new Gitea version label Jul 3, 2018
aswild added a commit to aswild/gitea that referenced this pull request Jul 6, 2018
* SECURITY
  * Limit uploaded avatar image-size to 4096x3072 by default (go-gitea#4353)
  * Do not allow to reuse TOTP passcode (go-gitea#3878)
* FEATURE
  * Add cli commands to regen hooks & keys (go-gitea#3979)
  * Add support for FIDO U2F (go-gitea#3971)
  * Added user language setting (go-gitea#3875)
  * LDAP Public SSH Keys synchronization (go-gitea#1844)
  * Add topic support (go-gitea#3711)
  * Multiple assignees (go-gitea#3705)
  * Add protected branch whitelists for merging (go-gitea#3689)
  * Global code search support (go-gitea#3664)
  * Add label descriptions (go-gitea#3662)
  * Add issue search via API (go-gitea#3612)
  * Add repository setting to enable/disable health checks (go-gitea#3607)
  * Emoji Autocomplete (go-gitea#3433)
  * Implements generator cli for secrets (go-gitea#3531)
* ENHANCEMENT
  * Add more webhooks support and refactor webhook templates directory (go-gitea#3929)
  * Add new option to allow only OAuth2/OpenID user registration (go-gitea#3910)
  * Add option to use paged LDAP search when synchronizing users (go-gitea#3895)
  * Symlink icons (go-gitea#1416)
  * Improve release page UI (go-gitea#3693)
  * Add admin dashboard option to run health checks (go-gitea#3606)
  * Add branch link in branch list (go-gitea#3576)
  * Reduce sql query times in retrieveFeeds (go-gitea#3547)
  * Option to enable or disable swagger endpoints (go-gitea#3502)
  * Add missing licenses (go-gitea#3497)
  * Reduce repo indexer disk usage (go-gitea#3452)
  * Enable caching on assets and avatars (go-gitea#3376)
  * Add repository search ordered by stars/forks. Forks column in admin repo list (go-gitea#3969)
  * Add Environment Variables to Docker template (go-gitea#4012)
  * LFS: make HTTP auth period configurable (go-gitea#4035)
  * Add config path as an optionial flag when changing pass via CLI (go-gitea#4184)
  * Refactor User Settings sections (go-gitea#3900)
  * Allow square brackets in external issue patterns (go-gitea#3408)
  * Add Attachment API (go-gitea#3478)
  * Add EnableTimetracking option to app settings (go-gitea#3719)
  * Add config option to enable or disable log executed SQL (go-gitea#3726)
  * Shows total tracked time in issue and milestone list (go-gitea#3341)
* TRANSLATION
  * Improve English grammar and consistency (go-gitea#3614)
* DEPLOYMENT
  * Allow Gitea to run as different USER in Docker (go-gitea#3961)
  * Provide compressed release binaries (go-gitea#3991)
  * Sign release binaries (go-gitea#4188)
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
@delvh delvh removed the type/changelog Adds the changelog for a new Gitea version label Oct 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/build PR changes how Gitea is built, i.e. regarding Docker or the Makefile topic/deployment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Provide a gpg signature of binaries
9 participants