feat: sign coder binaries with the release key using GPG (cherry-pick #18774) #18869
Cherry-picked feat: sign coder binaries with the release key using GPG (#18774)
Description
This PR introduces GPG signing for all Coder slim-binaries.
Detached signatures will allow users to verify the integrity and
authenticity of the binaries they download.
Changes
scripts/sign_with_gpg.sh: New script to sign a given binary using GPG. It imports the release key, signs the binary, and verifies the signature.
scripts/build_go.sh: Updated to call sign_with_gpg.sh when the CODER_SIGN_GPG environment variable is set to 1.
.github/workflows/release.yaml: The CODER_SIGN_GPG environment variable is now set to 1 during the release build, enabling GPG signing for all release binaries.
.github/workflows/ci.yaml: The CODER_SIGN_GPG environment variable is now set to 1 during the CI build, enabling GPG signing for all CI binaries.
Makefile: Detached signatures are moved to the /site/out/bin/ directory.
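
The sign-then-verify flow the description outlines, as an added example that is not the PR's scripts/sign_with_gpg.sh. It uses a constructed throwaway key in an isolated keyring; the function names, the `.asc` suffix and the fingerprint pinning on verification are assumptions made here.

```shell
# Added example: detached GPG signing and verification against a pinned key.
# Function names and the ".asc" suffix are assumptions, not the PR's script.

# Create an isolated keyring with a constructed, passphrase-less test key.
make_test_keyring() {  # prints the keyring directory
  local home
  home="$(mktemp -d)" || return 1
  chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Constructed Test Key <test@example.invalid>' \
    default default never >/dev/null 2>&1 || return 1
  printf '%s\n' "$home"
}

# Write an ASCII-armored detached signature next to the file.
sign_detached() {  # usage: sign_detached <gnupghome> <file>
  gpg --homedir "$1" --batch --yes --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

# Sign only when CODER_SIGN_GPG=1, the switch the description names.
sign_if_enabled() {  # usage: sign_if_enabled <gnupghome> <file>
  [ "${CODER_SIGN_GPG:-0}" = "1" ] || return 0
  sign_detached "$1" "$2"
}

# Fingerprint of the first primary key in the keyring.
key_fingerprint() {  # usage: key_fingerprint <gnupghome>
  gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the signature is valid AND was made under the expected key.
verify_detached() {  # usage: verify_detached <gnupghome> <file> <expected-fpr>
  local status
  status="$(gpg --homedir "$1" --batch --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null)" || return 1
  # The last field of a VALIDSIG status line is the primary key fingerprint.
  printf '%s\n' "$status" |
    awk -v fpr="$3" '$2 == "VALIDSIG" && ($NF "") == (fpr "") { ok = 1 } END { exit !ok }'
}
```

Checking the `VALIDSIG` fingerprint rather than only gpg's exit status matters because any key present in the keyring can produce a "good" signature.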