Skip to content

Add GPG signing to linux binary tarball builds#5289

Open
PlatCore wants to merge 2 commits intomasterfrom
PlatCore/5160-add-signing-linux-binaries
Open

Add GPG signing to linux binary tarball builds#5289
PlatCore wants to merge 2 commits intomasterfrom
PlatCore/5160-add-signing-linux-binaries

Conversation

@PlatCore
Copy link
Copy Markdown
Contributor

@PlatCore PlatCore commented Apr 16, 2026
edited
Loading

Why this should be merged

Linux binary tarballs are uploaded to S3 unsigned. RPM packages already have GPG signing. This adds detached signatures (.tar.gz.sig) to close that gap.

Closes #5160

How this works

  • build-tgz-pkg.sh: imports GPG key into temp GNUPGHOME, signs each tarball with gpg --detach-sign, verifies inline, uploads .sig to S3. No-op when no key is provided.
  • build-linux-binaries.yml: both jobs import GPG key from RPM_GPG_PRIVATE_KEY secret, pass it to the script, and include .sig in artifacts.

How this was tested

  • No GPG key: tarballs produced unsigned (backward compat)
  • With ephemeral GPG key: .sig files produced, gpg --verify passes
  • Empty key file: signing skipped (fork build scenario)
  • ~/.gnupg never touched (temp GNUPGHOME isolation verified)
  • shellcheck and yamllint clean

Need to be documented in RELEASES.md?

No

@PlatCore PlatCore moved this to In Progress 🏗️ in avalanchego Apr 16, 2026
@PlatCore PlatCore self-assigned this Apr 16, 2026
@PlatCore PlatCore added ci This focuses on changes to the CI process devinfra labels Apr 16, 2026
PlatCore added 2 commits April 16, 2026 11:31
@PlatCore
Add GPG signing to linux binary tarball builds
6b28bc5 
Add detached GPG signatures (.sig) to the tarball packaging pipeline,
reusing the same key infrastructure as RPM signing.
@PlatCore
Harden GPG signing: temp GNUPGHOME and passphrase via stdin
9b6a785 
Use a job-scoped temp directory for GNUPGHOME instead of the default
~/.gnupg to avoid mutating shared state on persistent runners. Clean
up via trap EXIT so the keyring is removed even on script failure.

Pass passphrase via stdin (--passphrase-fd 0) instead of command line
to avoid exposure in /proc/<pid>/cmdline.
@PlatCore PlatCore force-pushed the PlatCore/5160-add-signing-linux-binaries branch from 7af6acf to 9b6a785 Compare April 16, 2026 18:31
@PlatCore PlatCore marked this pull request as ready for review April 16, 2026 19:06
@PlatCore PlatCore requested a review from a team as a code owner April 16, 2026 19:06
@PlatCore PlatCore requested a review from maru-ava April 16, 2026 19:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maru-ava maru-ava Awaiting requested review from maru-ava

At least 2 approving reviews are required to merge this pull request.

Assignees

@PlatCore PlatCore

Labels

ci This focuses on changes to the CI process devinfra

Projects

avalanchego
Status: In Progress 🏗️

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Update the linux binary builds to include signing

1 participant

@PlatCore