From 4f41ad7b91de05045a98e2407e95f95db02c84ed Mon Sep 17 00:00:00 2001
From: TheFox0x7
Date: Sun, 28 Jun 2026 22:44:26 +0200
Subject: [PATCH] revert(sign): restore gpg (#38251)

partially revert sigstore signing to avoid causing breaking change for v1.27

---
 .github/workflows/release-nightly.yml | 10 ++++++++++
 .github/workflows/release-tag-rc.yml | 10 ++++++++++
 .github/workflows/release-tag-version.yml | 10 ++++++++++
 3 files changed, 30 insertions(+)

diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
index 483f4b77318..e3997c81235 100644
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -36,10 +36,20 @@ jobs:
 TAGS: bindata
 - name: Install Cosign
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+ - name: import gpg key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+ with:
+ gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+ passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
 - name: sign binaries
+ env:
+ GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+ GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
 run: |
 for f in dist/release/*; do
 cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes
+ echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
 done
 # clean branch name to get the folder name in S3
 - name: Get cleaned branch name
diff --git a/.github/workflows/release-tag-rc.yml b/.github/workflows/release-tag-rc.yml
index 91b6168330d..03f17e8c23d 100644
--- a/.github/workflows/release-tag-rc.yml
+++ b/.github/workflows/release-tag-rc.yml
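Review bot: The `env:` block added to the `sign binaries` step exports `GPG_PASSPHRASE` to every process that step starts, including `cosign sign-blob`, although only the `gpg` call reads it. The import step already receives `passphrase`, and ghaction-import-gpg is documented to preload it into gpg-agent, so it is worth confirming whether the sign step can drop the secret and run `gpg --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"` on its own. If the pipe has to stay, `printf '%s\n' "$GPG_PASSPHRASE" | gpg …` avoids bash `echo` treating a passphrase that begins with `-n` or `-e` as an option. The same lines are added in release-tag-rc.yml and release-tag-version.yml, so this applies to all three hunks; the rest of each job lies outside the hunk, so whether later steps still need the imported key cannot be seen here.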
@@ -37,10 +37,20 @@ jobs:
 TAGS: bindata
 - name: Install Cosign
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+ - name: import gpg key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+ with:
+ gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+ passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
 - name: sign binaries
+ env:
+ GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+ GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
 run: |
 for f in dist/release/*; do
 cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes
+ echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
 done
 # clean branch name to get the folder name in S3
 - name: Get cleaned branch name
diff --git a/.github/workflows/release-tag-version.yml b/.github/workflows/release-tag-version.yml
index d4e3f1da009..09f9a739714 100644
--- a/.github/workflows/release-tag-version.yml
+++ b/.github/workflows/release-tag-version.yml
@@ -40,10 +40,20 @@ jobs:
 TAGS: bindata
 - name: Install Cosign
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+ - name: import gpg key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+ with:
+ gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+ passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
 - name: sign binaries
+ env:
+ GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+ GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
 run: |
 for f in dist/release/*; do
 cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes
+ echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
 done
 # clean branch name to get the folder name in S3
 - name: Get cleaned branch name