theraw/The-World-Is-Yours
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: drop dpkg-sig per-deb signing (broken on modern .debs); rely on Nexus repo signing for apt trust chain
build-and-publish / build (push) Successful in 2m51s
Details

Browse Source
This commit is contained in:
claude
2026-04-25 21:18:04 +00:00
parent e4d458b185
commit 44efd905c5
1 changed files with 18 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/build-publish.yml
+18 -41
View File
@@ -85,58 +85,31 @@ jobs:
ls -la "${DEB_FILE}" ls -la "${DEB_FILE}"
sha256sum "${DEB_FILE}" sha256sum "${DEB_FILE}"
- name: Sign and publish to Nexus - name: Publish to Nexus
env: env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} NEXUS_USER: ${{ secrets.NEXUS_USER }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} NEXUS_PASS: ${{ secrets.NEXUS_PASS }}
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} NEXUS_URL: ${{ secrets.NEXUS_URL }}
NEXUS_USER: ${{ secrets.NEXUS_USER }} NEXUS_REPO: ${{ secrets.NEXUS_REPO }}
NEXUS_PASS: ${{ secrets.NEXUS_PASS }} DEB_FILE: ${{ steps.pkg.outputs.deb_file }}
NEXUS_URL: ${{ secrets.NEXUS_URL }} PKG_NAME: ${{ steps.pkg.outputs.pkg_name }}
NEXUS_REPO: ${{ secrets.NEXUS_REPO }}
DEB_FILE: ${{ steps.pkg.outputs.deb_file }}
PKG_NAME: ${{ steps.pkg.outputs.pkg_name }}
run: | run: |
set -euo pipefail set -euo pipefail
umask 077 umask 077
# Tmpfs (RAM-only) scratch for every byte of secret material. # All secret material lives in tmpfs (RAM); shredded on exit either way.
# Falls back to /tmp if /dev/shm is absent.
SECDIR="$(mktemp -d -p /dev/shm raweb-XXXXXXXX 2>/dev/null \ SECDIR="$(mktemp -d -p /dev/shm raweb-XXXXXXXX 2>/dev/null \
|| mktemp -d -t raweb-XXXXXXXX)" || mktemp -d -t raweb-XXXXXXXX)"
chmod 700 "$SECDIR" chmod 700 "$SECDIR"
export GNUPGHOME="$SECDIR/gnupg" trap 'find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true; rm -rf "$SECDIR"' EXIT
cleanup() { # Auth via netrc file — never via -u user:pass on the command line,
(gpg --batch --yes --quiet \ # which would be visible to anything that can read /proc.
--delete-secret-and-public-key "$GPG_KEY_ID" 2>/dev/null) || true
(gpgconf --kill all 2>/dev/null) || true
find "$SECDIR" -type f -exec shred -uz {} + 2>/dev/null || true
rm -rf "$SECDIR"
}
trap cleanup EXIT
# Materialise secrets to in-memory files. After this, drop them from env
# so any subprocess (or accidental `env`) cannot read them.
printf '%s' "$GPG_PRIVATE_KEY" > "$SECDIR/key.asc"
printf '%s' "$GPG_PASSPHRASE" > "$SECDIR/pp"
printf 'machine apt.julio.al login %s password %s\n' \ printf 'machine apt.julio.al login %s password %s\n' \
"$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc" "$NEXUS_USER" "$NEXUS_PASS" > "$SECDIR/netrc"
unset GPG_PRIVATE_KEY GPG_PASSPHRASE NEXUS_PASS NEXUS_USER unset NEXUS_USER NEXUS_PASS
# Ephemeral keyring on tmpfs. # Replace prior component of the same name, if any (best-effort).
mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
printf 'pinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
gpg --batch --import "$SECDIR/key.asc"
# Sign the .deb. Passphrase passed via FILE — never argv, never env.
dpkg-sig -k "$GPG_KEY_ID" \
-g "--batch --pinentry-mode loopback --passphrase-file $SECDIR/pp" \
--sign builder "$DEB_FILE"
dpkg-sig --verify "$DEB_FILE"
# Replace any prior component of the same name (best-effort).
OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \ OLD_ID="$(curl -fsS --netrc-file "$SECDIR/netrc" \
"$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \ "$NEXUS_URL/service/rest/v1/components?repository=$NEXUS_REPO" \
| PKG_NAME="$PKG_NAME" python3 -c ' | PKG_NAME="$PKG_NAME" python3 -c '
@@ -150,7 +123,6 @@ jobs:
"$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null "$NEXUS_URL/service/rest/v1/components/$OLD_ID" -o /dev/null
fi fi
# Upload — auth via netrc (not -u, not query string).
HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \ HTTP="$(curl -sS --netrc-file "$SECDIR/netrc" \
-o "$SECDIR/upload.body" -w '%{http_code}' \ -o "$SECDIR/upload.body" -w '%{http_code}' \
-X POST -F "apt.asset=@$DEB_FILE" \ -X POST -F "apt.asset=@$DEB_FILE" \
@@ -159,3 +131,8 @@ jobs:
201|204) echo "Uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;; 201|204) echo "Uploaded $(basename "$DEB_FILE") to $NEXUS_URL/repository/$NEXUS_REPO/" ;;
*) echo "Upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;; *) echo "Upload failed (HTTP $HTTP)"; head -c 400 "$SECDIR/upload.body"; exit 1 ;;
esac esac
# Note: per-.deb signing intentionally not performed here. apt's trust
# chain is Release.gpg → Packages SHA256 → .deb SHA256, and Nexus signs
# the Release file on every upload using the key bound at repo creation.
# The private key never leaves the Nexus host.