From d24c92e32e030642264a170e26ac14502c2c96e1 Mon Sep 17 00:00:00 2001
From: "A. Karl Kornel"
Date: Tue, 30 Apr 2024 15:03:36 -0700
Subject: [PATCH] Update workflow to sign our Debian packages

The `package-deb` artifact from our existing workflow contains not just the Debian package (the `.deb` file), but also all of the files needed to upload the package into a repository. But, the files aren't signed, and most repositories only want uploads that are signed by a trusted key.

So, this new job does that! It takes the `package-deb` artifact, uses `debsign` to sign the appropriate files, and uploads everything to a new artifact, named `signed-deb`. This new artifact contains the `.deb` package files, so you should probably be using this artifact, when it is available.

The workflow has a few requirements:

* The variable `DEBSIGN_KEYID`, which contains the ID (short or long) of the PGP key used for signing.
* The secret `KEY`, which is the armored PGP private key.
* The environment `sign`, containing the secret and variable above.

The job is set to run only on pushes to tags, and to the main branch.
---
 .github/workflows/package.yml | 54 +++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 2c66659..aa3e930 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -61,3 +61,57 @@ jobs:
 path: docker-image-cleanup*
 if-no-files-found: error
 continue-on-error: false
+
+ Sign-Debian:
+ name: Sign Debian packages
+ if: github.event_name == 'push' && ( contains(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main' )
+ needs:
+ - Package
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ environment: sign
+ steps:
+ - id: sysprep
+ name: Prep system for debsign work
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y build-essential devscripts gnupg
+ continue-on-error: false
+
+ - id: set-key
+ name: Install signing key
+ env:
+ PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
+ run: |
+ gpg --import <<<"${PRIVATE_KEY}"
+ echo "Keys:"
+ gpg --list-secret-keys --keyid-format long
+ continue-on-error: false
+
+ - id: fetch
+ name: Fetch Debian artifact from this workflow
+ uses: actions/download-artifact@v4.1.7
+ with:
+ name: package-deb
+ path: deb
+ continue-on-error: false
+
+ - id: sign
+ name: Run debsign
+ env:
+ DEBSIGN_KEYID: ${{ vars.KEY_ID }}
+ run: |
+ echo "Signing with key ${DEBSIGN_KEYID}"
+ debsign -k "${{ vars.KEY_ID }}" "$(find . -name *.changes)"
+ continue-on-error: false
+
+ - id: upload
+ name: Upload Signed Result as artifact
+ uses: actions/upload-artifact@v4.3.1
+ with:
+ name: signed-deb
+ path: docker-image-cleanup*
+ if-no-files-found: error
+ continue-on-error: false
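Review bot: The `debsign` line in the `sign` step interpolates `${{ vars.KEY_ID }}` into the shell even though the same value is already exported as `DEBSIGN_KEYID` two lines above, and it hands `find` an unquoted `*.changes` glob that the shell expands first if a matching file exists in the working directory, while `"$(find …)"` collapses any number of matches into a single argument. Reading the env var and letting find invoke debsign per file avoids all three: `find deb -name '*.changes' -exec debsign -k "${DEBSIGN_KEYID}" {} \;`. The `upload` step's `path: docker-image-cleanup*` looks like a copy of the existing upload step and appears not to account for the artifact having been fetched into `deb/`, so with `if-no-files-found: error` the job would likely fail unless the signed files end up at the workspace root — worth confirming. The names used here (`vars.KEY_ID`, `secrets.PRIVATE_KEY`) also differ from the `DEBSIGN_KEYID` variable and `KEY` secret the commit message documents, so one of the two should be corrected. Since this job loads a signing key, pinning `actions/download-artifact` and `actions/upload-artifact` to a full commit SHA rather than a version tag would narrow its supply-chain exposure, and `continue-on-error: false` on every step is the default and can be dropped.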