Test keys

2023-08-26 14:03:29 +08:00 · 2023-08-26 14:03:29 +08:00 · 0dd813c3bc
commit 0dd813c3bc
parent 9cda41867d
3 changed files with 38 additions and 2 deletions
--- a/.github/workflows/bindists.yaml
+++ b/.github/workflows/bindists.yaml
@ -142,3 +142,17 @@ jobs:
        name: Run build (aarch64 linux)
        with:
          args: sh -c '.github/workflows/install-bindist.sh'
+
+  signature-test:
+    name: Test signatures
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install requirements
+        shell: sh
+        run: |
+          sudo apt-get update && sudo apt-get install -y curl bash git gnupg
+
+      - uses: actions/checkout@v3
+
+      - name: Test signatures
+        run: .github/workflows/test-sigs.sh
--- a/.github/workflows/install-bindist.sh
+++ b/.github/workflows/install-bindist.sh
@ -14,14 +14,14 @@ ghcup --version
 which ghcup | grep foobarbaz

 ghcup_fun() {
-	ghcup -v --url-source=file:$METADATA_FILE "$@"
+	ghcup -v --url-source="file:$METADATA_FILE" "$@"
 }

 case $TOOL in
 	ghcup)
 		ghcup_fun upgrade --force
 		;;
-	*) ghcup_fun install $TOOL --set $VERSION
+	*) ghcup_fun install "$TOOL" --set "$VERSION"
 		;;
 esac

--- a/.github/workflows/test-sigs.sh
+++ b/.github/workflows/test-sigs.sh
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -x
+set -eo pipefail
+
+. .github/workflows/common.sh
+
+get_key() {
+	local key=$1
+	local server=$2
+	gpg --batch --keyserver "${server}" --recv-keys "${key}"
+	echo -e "${key}:6:" | gpg --import-ownertrust
+}
+
+# verify signature
+keys=( 7D1E8AFD1D4A16D71FADA2F2CCC85C0E40C06A8C )
+for key in "${keys[@]}" ; do
+	get_key "${key}" keys.openpgp.org || get_key "${key}" keyserver.ubuntu.com
+done
+unset key
+gpg --verify "${METADATA_FILE}.sig"
+