feat: sign coder binaries with the release key using GPG #18774
+82
−19
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
3c01e7d to
e80259c
Compare
deansheather
reviewed
Jul 8, 2025
scripts/sign_with_gpg.sh
Outdated
| # | ||
| # Usage: ./sign_with_gpg.sh path/to/binary | ||
| # | ||
| # On success, the input file will be signed using the GPG key. |
There was a problem hiding this comment.
Should probably say where the signature goes.
| @@ -0,0 +1,62 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
Can you make the existing scripts/release/publish.sh script call this script to do it's signing work?
scripts/sign_with_gpg.sh
Outdated
Comment on lines
60
to
61
| echo "Signature verification failed!" >&2 | ||
| exit 1 |
There was a problem hiding this comment.
Suggested change
| echo "Signature verification failed!" >&2 | |
| exit 1 | |
| error "Signature verification failed!" |
scripts/sign_with_gpg.sh
Outdated
Comment on lines
27
to
28
| echo "File not found: $FILE_TO_SIGN" | ||
| exit 1 |
There was a problem hiding this comment.
Suggested change
| echo "File not found: $FILE_TO_SIGN" | |
| exit 1 | |
| error "File not found: $FILE_TO_SIGN" |
scripts/sign_with_gpg.sh
Outdated
Comment on lines
22
to
23
| echo "Usage: $0 <file_to_sign>" | ||
| exit 1 |
There was a problem hiding this comment.
Suggested change
| echo "Usage: $0 <file_to_sign>" | |
| exit 1 | |
| error "Usage: $0 <file_to_sign>" |
90e69df to
ddd2ada
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR introduces GPG signing for all Coder slim-binaries.
Detached signatures will allow users to verify the integrity and authenticity of the binaries they download.
Changes
scripts/sign_with_gpg.sh: New script to sign a given binaryusing GPG. It imports the release key, signs the binary, and
verifies the signature.
scripts/build_go.sh: Updated to callsign_with_gpg.shwhen theCODER_SIGN_GPGenvironment variable is set to 1..github/workflows/release.yaml: TheCODER_SIGN_GPGenvironmentvariable is now set to 1 during the release build, enabling GPG
signing for all release binaries.
.github/workflows/ci.yaml: TheCODER_SIGN_GPGenvironmentvariable is now set to 1 during the CI build, enabling GPG
signing for all CI binaries.
Makefile: Detached signatures are moved to the/site/out/bin/directory