feat: sign coder binaries with GPG & serve from path /bin/

jdomeracki-coder · jdomeracki-coder · commit 1edfe4bf55dd · 2025-07-07T12:39:24.000+02:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1285,6 +1285,24 @@ jobs:
           GCLOUD_ACCESS_TOKEN: ${{ steps.gcloud_auth.outputs.access_token }}
           JSIGN_PATH: /tmp/jsign-6.0.jar
 
+      - name: Sign binaries with GPG
+        run: |
+          set -euo pipefail
+
+          for binary in ./build/coder_{darwin,linux,windows}*; do
+            if [[ -f "$binary" ]]; then
+              ./scripts/sign_with_gpg.sh "$binary"
+            fi
+          done
+        env:
+          CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.CODER_GPG_RELEASE_KEY_BASE64 }}
+
+      - name: Insert signatures
+        run: |
+          for sigfile in ./build/*.sig; do
+            mv "$sigfile" ./site/out/bin/
+          done
+
       - name: Build Linux Docker images
         id: build-docker
         env:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -342,6 +342,24 @@ jobs:
       - name: Delete Windows EV Signing Cert
         run: rm /tmp/ev_cert.pem
 
+      - name: Sign binaries with GPG
+        run: |
+          set -euo pipefail
+
+          for binary in ./build/coder_{darwin,linux,windows}*; do
+            if [[ -f "$binary" ]]; then
+              ./scripts/sign_with_gpg.sh "$binary"
+            fi
+          done
+        env:
+          CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.CODER_GPG_RELEASE_KEY_BASE64 }}
+
+      - name: Insert signatures
+        run: |
+          for sigfile in ./build/*.sig; do
+            mv "$sigfile" ./site/out/bin/
+          done
+
       - name: Determine base image tag
         id: image-base-tag
         run: |
diff --git a/scripts/sign_with_gpg.sh b/scripts/sign_with_gpg.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# This script signs a given binary using GPG.
+# It expects the binary to be signed as the first argument.
+#
+# Usage: ./sign_with_gpg.sh path/to/binary
+#
+# On success, the input file will be signed using the GPG key.
+#
+# Depends on the GPG utility. Requires the following environment variables to be set:
+#  - $CODER_GPG_RELEASE_KEY_BASE64: The base64 encoded private key to use.
+
+set -euo pipefail
+
+requiredenvs CODER_GPG_RELEASE_KEY_BASE64
+
+FILE_TO_SIGN="$1"
+
+if [[ -z "$FILE_TO_SIGN" ]]; then
+  echo "Usage: $0 <file_to_sign>"
+  exit 1
+fi
+
+if [[ ! -f "$FILE_TO_SIGN" ]]; then
+  echo "File not found: $FILE_TO_SIGN"
+  exit 1
+fi
+
+# Import the private key.
+echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 --decode | gpg --import 1>&2
+
+# Sign the binary.
+gpg --detach-sign --armor "$FILE_TO_SIGN" 1>&2
+
+# Verify the signature.
+gpg --verify "${FILE_TO_SIGN}.sig" "$FILE_TO_SIGN" 1>&2
+  
+if [[ $? -eq 0 ]]; then
+  echo "${FILE_TO_SIGN}.sig"
+else
+  echo "Signature verification failed!" >&2
+  exit 1
+fi
