From e80259cc7209ac6a8ece71c060368b27123a0997 Mon Sep 17 00:00:00 2001 From: Jakub Domeracki Date: Mon, 7 Jul 2025 18:21:51 +0200 Subject: [PATCH 1/5] feat: sign coder binaries with the release key using GPG --- .github/workflows/ci.yaml | 1 + .github/workflows/release.yaml | 1 + Makefile | 4 +++ scripts/build_go.sh | 10 ++++++ scripts/sign_with_gpg.sh | 62 ++++++++++++++++++++++++++++++++++ 5 files changed, 78 insertions(+) create mode 100755 scripts/sign_with_gpg.sh diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 33ac234b2d567..5f856c87b3ee3 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1278,6 +1278,7 @@ jobs: # do (see above). CODER_SIGN_WINDOWS: "1" CODER_WINDOWS_RESOURCES: "1" + CODER_SIGN_GPG: "1" EV_KEY: ${{ secrets.EV_KEY }} EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }} EV_TSA_URL: ${{ secrets.EV_TSA_URL }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5e793d81397dc..3780976ff0619 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -323,6 +323,7 @@ jobs: env: CODER_SIGN_WINDOWS: "1" CODER_SIGN_DARWIN: "1" + CODER_SIGN_GPG: "1" CODER_WINDOWS_RESOURCES: "1" AC_CERTIFICATE_FILE: /tmp/apple_cert.p12 AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt diff --git a/Makefile b/Makefile index 0ed464ba23a80..38fec2eb554a9 100644 --- a/Makefile +++ b/Makefile @@ -252,6 +252,10 @@ $(CODER_ALL_BINARIES): go.mod go.sum \ fi cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext" + + if [[ "$${CODER_SIGN_GPG:-0}" == "1" ]]; then + cp "$@.asc" "./site/out/bin/coder-$$os-$$arch$$dot_ext.asc" + fi fi # This task builds Coder Desktop dylibs diff --git a/scripts/build_go.sh b/scripts/build_go.sh index 97d9431beb544..addf012ef5aca 100755 --- a/scripts/build_go.sh +++ b/scripts/build_go.sh @@ -41,6 +41,7 @@ slim="${CODER_SLIM_BUILD:-0}" agpl="${CODER_BUILD_AGPL:-0}" sign_darwin="${CODER_SIGN_DARWIN:-0}" sign_windows="${CODER_SIGN_WINDOWS:-0}" +sign_gpg="${CODER_SIGN_GPG:-0}" boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0} dylib=0 windows_resources="${CODER_WINDOWS_RESOURCES:-0}" @@ -85,6 +86,10 @@ while true; do sign_windows=1 shift ;; + --sign-gpg) + sign_gpg=1 + shift + ;; --boringcrypto) boringcrypto=1 shift @@ -319,4 +324,9 @@ if [[ "$sign_windows" == 1 ]] && [[ "$os" == "windows" ]]; then execrelative ./sign_windows.sh "$output_path" 1>&2 fi +# Platform agnostic signing +if [[ "$sign_gpg" == 1 ]]; then + execrelative ./sign_with_gpg.sh "$output_path" 1>&2 +fi + echo "$output_path" diff --git a/scripts/sign_with_gpg.sh b/scripts/sign_with_gpg.sh new file mode 100755 index 0000000000000..635f9fb618995 --- /dev/null +++ b/scripts/sign_with_gpg.sh @@ -0,0 +1,62 @@ +#!/usr/bin/env bash + +# This script signs a given binary using GPG. +# It expects the binary to be signed as the first argument. +# +# Usage: ./sign_with_gpg.sh path/to/binary +# +# On success, the input file will be signed using the GPG key. +# +# Depends on the GPG utility. Requires the following environment variables to be set: +# - $CODER_GPG_RELEASE_KEY_BASE64: The base64 encoded private key to use. + +set -euo pipefail +# shellcheck source=scripts/lib.sh +source "$(dirname "${BASH_SOURCE[0]}")/lib.sh" + +requiredenvs CODER_GPG_RELEASE_KEY_BASE64 + +FILE_TO_SIGN="$1" + +if [[ -z "$FILE_TO_SIGN" ]]; then + echo "Usage: $0 " + exit 1 +fi + +if [[ ! -f "$FILE_TO_SIGN" ]]; then + echo "File not found: $FILE_TO_SIGN" + exit 1 +fi + +# Import the GPG key. +old_gnupg_home="${GNUPGHOME:-}" +gnupg_home_temp="$(mktemp -d)" +export GNUPGHOME="$gnupg_home_temp" + +# Ensure GPG uses the temporary directory +echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --homedir "$gnupg_home_temp" --import 1>&2 + +# Sign the binary. This generates a file in the same directory and +# with the same name as the binary but ending in ".asc". +# +# We pipe `true` into `gpg` so that it never tries to be interactive (i.e. +# ask for a passphrase). The key we import above is not password protected. +true | gpg --homedir "$gnupg_home_temp" --detach-sign --armor "$FILE_TO_SIGN" 1>&2 + +# Verify the signature and capture the exit status +gpg --homedir "$gnupg_home_temp" --verify "${FILE_TO_SIGN}.asc" "$FILE_TO_SIGN" 1>&2 +verification_result=$? + +# Clean up the temporary GPG home +rm -rf "$gnupg_home_temp" +unset GNUPGHOME +if [[ "$old_gnupg_home" != "" ]]; then + export GNUPGHOME="$old_gnupg_home" +fi + +if [[ $verification_result -eq 0 ]]; then + echo "${FILE_TO_SIGN}.asc" +else + echo "Signature verification failed!" >&2 + exit 1 +fi From ddd2ada4469531bc6b50f36014ccc9937cbe2750 Mon Sep 17 00:00:00 2001 From: Jakub Domeracki Date: Tue, 8 Jul 2025 14:51:55 +0200 Subject: [PATCH 2/5] chore: add comments and invoke the sign_with_gpg.sh script from publish.sh --- scripts/build_go.sh | 3 +++ scripts/release/publish.sh | 21 ++------------------- scripts/sign_with_gpg.sh | 5 +---- 3 files changed, 6 insertions(+), 23 deletions(-) diff --git a/scripts/build_go.sh b/scripts/build_go.sh index addf012ef5aca..b3b074b183f91 100755 --- a/scripts/build_go.sh +++ b/scripts/build_go.sh @@ -20,6 +20,9 @@ # binary will be signed using ./sign_darwin.sh. Read that file for more details # on the requirements. # +# If the --sign-gpg parameter is specified, the output binary will be signed using ./sign_with_gpg.sh. +# Read that file for more details on the requirements. +# # If the --agpl parameter is specified, builds only the AGPL-licensed code (no # Coder enterprise features). # diff --git a/scripts/release/publish.sh b/scripts/release/publish.sh index df28d46ad2710..5ffd40aeb65cb 100755 --- a/scripts/release/publish.sh +++ b/scripts/release/publish.sh @@ -129,26 +129,9 @@ if [[ "$dry_run" == 0 ]] && [[ "${CODER_GPG_RELEASE_KEY_BASE64:-}" != "" ]]; the log "--- Signing checksums file" log - # Import the GPG key. - old_gnupg_home="${GNUPGHOME:-}" - gnupg_home_temp="$(mktemp -d)" - export GNUPGHOME="$gnupg_home_temp" - echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --import 1>&2 - - # Sign the checksums file. This generates a file in the same directory and - # with the same name as the checksums file but ending in ".asc". - # - # We pipe `true` into `gpg` so that it never tries to be interactive (i.e. - # ask for a passphrase). The key we import above is not password protected. - true | gpg --detach-sign --armor "${temp_dir}/${checksum_file}" 1>&2 - - rm -rf "$gnupg_home_temp" - unset GNUPGHOME - if [[ "$old_gnupg_home" != "" ]]; then - export GNUPGHOME="$old_gnupg_home" - fi - + execrelative ../sign_with_gpg.sh "${temp_dir}/${checksum_file}" signed_checksum_path="${temp_dir}/${checksum_file}.asc" + if [[ ! -e "$signed_checksum_path" ]]; then log "Signed checksum file not found: ${signed_checksum_path}" log diff --git a/scripts/sign_with_gpg.sh b/scripts/sign_with_gpg.sh index 635f9fb618995..af34defd7f31f 100755 --- a/scripts/sign_with_gpg.sh +++ b/scripts/sign_with_gpg.sh @@ -5,7 +5,7 @@ # # Usage: ./sign_with_gpg.sh path/to/binary # -# On success, the input file will be signed using the GPG key. +# On success, the input file will be signed using the GPG key and the signature output file will moved to /site/out/bin/ (happens in the Makefile) # # Depends on the GPG utility. Requires the following environment variables to be set: # - $CODER_GPG_RELEASE_KEY_BASE64: The base64 encoded private key to use. @@ -20,12 +20,10 @@ FILE_TO_SIGN="$1" if [[ -z "$FILE_TO_SIGN" ]]; then echo "Usage: $0 " - exit 1 fi if [[ ! -f "$FILE_TO_SIGN" ]]; then echo "File not found: $FILE_TO_SIGN" - exit 1 fi # Import the GPG key. @@ -58,5 +56,4 @@ if [[ $verification_result -eq 0 ]]; then echo "${FILE_TO_SIGN}.asc" else echo "Signature verification failed!" >&2 - exit 1 fi From 55c67d64db308e3f970d90c92d18f0c322ff47bd Mon Sep 17 00:00:00 2001 From: Jakub Domeracki Date: Tue, 8 Jul 2025 15:41:39 +0200 Subject: [PATCH 3/5] fix: set CODER_GPG_RELEASE_KEY_BASE64 in build & releaes steps --- .github/workflows/ci.yaml | 1 + .github/workflows/release.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 5f856c87b3ee3..96555eb820f15 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1279,6 +1279,7 @@ jobs: CODER_SIGN_WINDOWS: "1" CODER_WINDOWS_RESOURCES: "1" CODER_SIGN_GPG: "1" + CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }} EV_KEY: ${{ secrets.EV_KEY }} EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }} EV_TSA_URL: ${{ secrets.EV_TSA_URL }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3780976ff0619..7174d0b76515f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -324,6 +324,7 @@ jobs: CODER_SIGN_WINDOWS: "1" CODER_SIGN_DARWIN: "1" CODER_SIGN_GPG: "1" + CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }} CODER_WINDOWS_RESOURCES: "1" AC_CERTIFICATE_FILE: /tmp/apple_cert.p12 AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt From 6241bacb746b26498c40cc66ecf6a7c13e168257 Mon Sep 17 00:00:00 2001 From: Jakub Domeracki Date: Tue, 8 Jul 2025 17:12:21 +0200 Subject: [PATCH 4/5] fix: use error instead of echo --- scripts/sign_with_gpg.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/sign_with_gpg.sh b/scripts/sign_with_gpg.sh index af34defd7f31f..728fbe5b4fe18 100755 --- a/scripts/sign_with_gpg.sh +++ b/scripts/sign_with_gpg.sh @@ -19,11 +19,11 @@ requiredenvs CODER_GPG_RELEASE_KEY_BASE64 FILE_TO_SIGN="$1" if [[ -z "$FILE_TO_SIGN" ]]; then - echo "Usage: $0 " + error "Usage: $0 " fi if [[ ! -f "$FILE_TO_SIGN" ]]; then - echo "File not found: $FILE_TO_SIGN" + error "File not found: $FILE_TO_SIGN" fi # Import the GPG key. @@ -55,5 +55,5 @@ fi if [[ $verification_result -eq 0 ]]; then echo "${FILE_TO_SIGN}.asc" else - echo "Signature verification failed!" >&2 + error "Signature verification failed!" >&2 fi From d47b7d3905ba4528a3d3a57c96d838899445a6ad Mon Sep 17 00:00:00 2001 From: Jakub Domeracki Date: Tue, 8 Jul 2025 17:23:36 +0200 Subject: [PATCH 5/5] fix: remove redirect to stderr --- scripts/sign_with_gpg.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/sign_with_gpg.sh b/scripts/sign_with_gpg.sh index 728fbe5b4fe18..fb75df5ca1bb9 100755 --- a/scripts/sign_with_gpg.sh +++ b/scripts/sign_with_gpg.sh @@ -55,5 +55,5 @@ fi if [[ $verification_result -eq 0 ]]; then echo "${FILE_TO_SIGN}.asc" else - error "Signature verification failed!" >&2 + error "Signature verification failed!" fi