From 60c54805146bb4b136fda59a435dc70fd2e8e051 Mon Sep 17 00:00:00 2001
From: Aleksandr Razumov <ernado@ya.ru>
Date: Sun, 2 Apr 2023 15:21:17 +0300
Subject: [PATCH] ci: add gpg signatures

---
 .github/workflows/release.yml | 15 +++++++++++++++
 cmd/release/RELEASE.md.tmpl   | 17 +++++++++++++++++
 sign.sh                       | 17 +++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100755 sign.sh

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ee9ea8c..95a2887 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,6 +27,15 @@ jobs:
   run:
     runs-on: ubuntu-latest
     steps:
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v5
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+      - name: List keys
+        run: gpg -K
+
       - uses: actions/checkout@v3
 
       - name: Install Go
@@ -69,6 +78,9 @@ jobs:
       - name: Checksums
         run: ./checksums.sh
 
+      - name: Sign
+        run: ./sign.sh
+
       - name: Release notes
         run: go run ./cmd/release > _out/release.md
 
@@ -79,6 +91,9 @@ jobs:
           body_path: _out/release.md
           files: |
             _out/go-linux-riscv64-bootstrap.tbz
+            _out/go-linux-riscv64-bootstrap.tbz.asc
             _out/checksums.sha256.txt
+            _out/checksums.sha256.txt.asc
             _out/go${{ env.GOVERSION }}.linux-riscv64.tar.gz
+            _out/go${{ env.GOVERSION }}.linux-riscv64.tar.gz.asc
             _out/go${{ env.GOVERSION }}.src.tar.gz
diff --git a/cmd/release/RELEASE.md.tmpl b/cmd/release/RELEASE.md.tmpl
index 7c2845e..e929576 100644
--- a/cmd/release/RELEASE.md.tmpl
+++ b/cmd/release/RELEASE.md.tmpl
@@ -60,3 +60,20 @@ You can check it without creating new shell session:
 source /etc/profile.d/go.sh
 go version
 ```
+
+#### Verify signature
+
+Import the public key:
+```bash
+gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '943040B9817AC4C7'
+```
+
+Download the signature:
+```bash
+wget "{{ .Archive.URL }}.sig"
+```
+
+Verify the signature:
+```bash
+gpg --batch --verify {{ .Archive.Name }}.sig {{ .Archive.Name }}
+```
diff --git a/sign.sh b/sign.sh
new file mode 100755
index 0000000..b075ac0
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+ver="${GOVERSION:-1.20.2}"
+archive="go${ver}.linux-riscv64.tar.gz"
+bootstrap=go-linux-riscv64-bootstrap.tbz
+src=go${ver}.src.tar.gz
+sums=checksums.sha256.txt
+key=943040B9817AC4C7
+
+cd _out
+for file in "${archive}" "${bootstrap}" "${src}" "${sums}"; do
+  gpg --batch --yes --default-key "${key}" --output "${file}.asc" --armor --detach-sig "${file}"
+  gpg --batch --default-key "${key}" --verify "${file}.asc" "${file}"
+done