taiki-e / upload-rust-binary-action

GitHub Action for building and uploading Rust binary to GitHub Releases.
Apache License 2.0
227 stars 19 forks

Support signing releases #40

Open taiki-e opened 1 year ago

taiki-e commented 1 year ago

Things that appear to be the standard for each platform:

Other interesting things:

Refs:

taiki-e commented 1 year ago

Ok, here is experimental support for signing with PGP: https://github.com/taiki-e/upload-rust-binary-action/compare/main...pgp

Here is a workflow example:

- uses: taiki-e/upload-rust-binary-action@pgp
  with:
    bin: ...
    # Public key used for PGP signing.
    #
    # This must be an armored key or a path to it.
    # For example, the file output by the following command:
    #
    # > gpg --output <output-path> --armor --export <key-id>
    #
    # This key is not strictly needed for signing, but is used to verify that
    # signing was done correctly with the private key corresponding to this key.
    pgp_public_key: path/to/public-key.asc # or ${{ secrets.PGP_PUBLIC_KEY }}
    # Private key used for PGP signing.
    #
    # This must be an armored key. Unlike pgp_public_key, a path is not allowed.
    # For example, the contents of the file output by the following command:
    #
    # > gpg --output <output-file> --armor --export-secret-key <key-id>
    #
    # If you have already imported the private key, you do not need to specify this.
    pgp_private_key: ${{ secrets.PGP_PRIVATE_KEY }}
    # Passphrase of the PGP private key. Defaults to an empty string.
    pgp_passphrase: ${{ secrets.PGP_PASSPHRASE }}
    # Comma-separated list of file kinds to be signed with PGP.
    #
    # The list can contain any of the following:
    # - checksum: .<checksum> files
    # - asset: all assets to be uploaded except for .<checksum> files.
    #
    # Signing files inside the asset (e.g., Rust binaries contained in the
    # archive) is not yet supported.
    pgp_sign_target: checksum,asset
    token: ${{ secrets.GITHUB_TOKEN }}

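
For the consumer side of the scheme above (an added example, not code from the action or its author): a script that verifies the detached PGP signature over the `.sha256` checksum file using only the maintainer's public key, and only then checks the archive against that checksum. It assumes the signature is an armored detached file named `<asset>.sha256.asc` and that the `.sha256` file is in `sha256sum` format; neither naming detail is stated in the thread.

```shell
#!/bin/sh
# Consumer-side check for a release signed as in the workflow above:
# 1. verify the detached PGP signature over <asset>.sha256 with ONLY the
#    maintainer's public key (isolated keyring, no ambient trust), then
# 2. verify the asset against the now-trusted checksum file.
# Assumptions (not stated on the page): the signature is a detached armored
# file named <asset>.sha256.asc, and the .sha256 file is in sha256sum format.
verify_release() {
  local asset pubkey checksum sig keyring rc f
  asset=$1; pubkey=$2
  checksum="$asset.sha256"; sig="$checksum.asc"
  for f in "$asset" "$checksum" "$sig" "$pubkey"; do
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  done
  keyring=$(mktemp -d) || return 1
  # Import the maintainer key into a throwaway GNUPGHOME so the verdict
  # depends on that key alone, not on whatever the user's keyring holds.
  if ! GNUPGHOME=$keyring gpg --batch --quiet --import "$pubkey" 2>/dev/null; then
    rm -rf "$keyring"; echo "cannot import $pubkey" >&2; return 1
  fi
  # --trust-model always: presence in this isolated keyring *is* the trust
  # decision (without it gpg only warns about an uncertified key anyway).
  rc=0
  GNUPGHOME=$keyring gpg --batch --quiet --trust-model always \
    --verify "$sig" "$checksum" 2>/dev/null || rc=$?
  GNUPGHOME=$keyring gpgconf --kill all 2>/dev/null
  rm -rf "$keyring"
  if [ "$rc" -ne 0 ]; then echo "BAD signature on $checksum" >&2; return 1; fi
  # Only now is the checksum file trusted; check the asset against it.
  if ! (cd "$(dirname "$asset")" &&
        sha256sum --check --quiet --strict "$(basename "$checksum")"); then
    echo "checksum mismatch for $asset" >&2; return 1
  fi
  echo "verified: $asset"
}
```

If the asset's own `.asc` signature is downloaded as well (pgp_sign_target includes `asset`), the same `gpg --verify <sig> <file>` step applies directly to the archive.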
sunshowers commented 10 months ago

Binstall now has the ability to verify signatures generated by minisign: https://github.com/cargo-bins/cargo-binstall/blob/main/SIGNING.md

taiki-e commented 10 months ago

Yeah, install-action also supports that. Its interface is simple, so it could probably be implemented with only a few adjustments and simplification of the implementation for PGP.

taiki-e commented 7 months ago

UPD: codesign on macOS was supported in 1.18.0 (#61) about a month ago.

YarekTyshchenko commented 5 months ago

I'm trying to add minisign to a repo that uses this action, and struggling: the action does both the compilation and the upload, but I need to insert code signing steps in between. It's probably possible to just add support for it directly by passing in an AGE_KEY_SECRET and encrypted minisign.key.age like the binstall pipeline already does. (though it escapes me why not just store the key in cleartext in GitHub secrets)

Any tips on how to proceed?

taiki-e commented 5 months ago

I believe we can support minisign by tweaking my PGP patch above a bit, so that would be the best way to do it.

matiaskorhonen commented 3 months ago

Sigstore support could now possibly be added using GitHub's own Artifact Attestations (currently in beta).