From d132795a255591d17de07989a18287c14ab1c471 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Malte=20J=C3=BCrgens?=
Date: Sat, 16 Apr 2022 21:27:55 +0200
Subject: [PATCH] implement signing for deb and rpm files
---
 assets/linux.Dockerfile | 4 ++--
 assets/linux.artifacts.mk | 2 ++
 assets/linux.build-deb.sh | 6 ++++++
 assets/linux.build-rpm.sh | 24 ++++++++++++++++++------
 4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/assets/linux.Dockerfile b/assets/linux.Dockerfile
index 501d8fd..69cd3bc 100644
--- a/assets/linux.Dockerfile
+++ b/assets/linux.Dockerfile
@@ -14,8 +14,8 @@ ENV TZ=Europe/Amsterdam
 # dependencies needed to run ./mach bootstrap
-RUN ( apt-get -y update && apt-get -y upgrade && apt-get -y install mercurial python3 python3-dev python3-pip wget ; true)
-RUN ( dnf -y upgrade && dnf -y install mercurial python3 python3-devel wget rpm-build ; true)
+RUN ( apt-get -y update && apt-get -y upgrade && apt-get -y install mercurial python3 python3-dev python3-pip wget dpkg-sig ; true)
+RUN ( dnf -y upgrade && dnf -y install mercurial python3 python3-devel wget rpm-build rpm-sign ; true)
 # setup wasi
 RUN export target_wasi_location=$HOME/.mozbuild/wrlb/ &&\
diff --git a/assets/linux.artifacts.mk b/assets/linux.artifacts.mk
index 773935d..74caf7f 100644
--- a/assets/linux.artifacts.mk
+++ b/assets/linux.artifacts.mk
@@ -18,6 +18,7 @@ librewolf-$(version)-$(release).en-US.$(distro).x86_64.deb : $(infile)
 mkdir -p work
 (cd work && tar xf ../$<)
 cp -v assets/linux.build-deb.sh work/
+ [ "$(SIGNING_KEY)" != "" ] && cp -v $(SIGNING_KEY) work/pk.asc ; true
 (cd work && sed "s/MYDIR/\/usr\/share\/librewolf/g" < ../assets/linux.librewolf.desktop.in > start-librewolf.desktop)
 ifeq ($(use_docker),false)
 (cd work && bash linux.build-deb.sh $(version) $(release))
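Review bot: The recipe line added to the .deb rule in assets/linux.artifacts.mk, `[ "$(SIGNING_KEY)" != "" ] && cp -v $(SIGNING_KEY) work/pk.asc ; true`, ends in `; true`, so a failed copy (wrong path, unreadable key) is ignored and the build goes on to produce an unsigned package without any error. It also leaves a `work/pk.asc` from an earlier signed run in place when SIGNING_KEY is empty, assuming work/ is not cleaned between runs, which is not visible here; the build scripts would then sign with a key the caller did not ask for. I would drop any stale copy first and let a failed copy fail the recipe, with the path quoted and the mode restricted: `rm -f work/pk.asc` followed by `[ -z "$(SIGNING_KEY)" ] || install -m 600 "$(SIGNING_KEY)" work/pk.asc`. The same line is added to the .rpm rule in the next hunk of this file, and both recipes start and end outside their hunks.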
@@ -45,6 +46,7 @@ librewolf-$(version)-$(release).$(fc).x86_64.rpm : $(infile)
 cp -v assets/linux.librewolf.spec work/librewolf.spec
 cp -v assets/linux.librewolf.desktop.in work/librewolf/start-librewolf.desktop.in
 cp -v assets/linux.librewolf.ico work/librewolf/librewolf.ico
+ [ "$(SIGNING_KEY)" != "" ] && cp -v $(SIGNING_KEY) work/pk.asc ; true
 rm -f work/librewolf/browser/features/proxy-failover@mozilla.com.xpi
 rm -f work/librewolf/pingsender
 rm -f work/librewolf/precomplete
diff --git a/assets/linux.build-deb.sh b/assets/linux.build-deb.sh
index 0c76172..dbdbadd 100755
--- a/assets/linux.build-deb.sh
+++ b/assets/linux.build-deb.sh
@@ -41,6 +41,12 @@ cp -v ../start-librewolf.desktop usr/share/applications/start-librewolf.desktop
 cd ..
 dpkg-deb --build librewolf
+# Sign the deb file if private key is provided
+if [[ -f pk.asc ]]; then
+ gpg --import pk.asc
+ dpkg-sig --sign builder librewolf.deb
+fi
+ echo ""
 ls -lh librewolf.deb
 exit 0
diff --git a/assets/linux.build-rpm.sh b/assets/linux.build-rpm.sh
index cf4a8ee..ddd879e 100755
--- a/assets/linux.build-rpm.sh
+++ b/assets/linux.build-rpm.sh
@@ -1,5 +1,15 @@
 set -e
+if [[ -f pk.asc ]]; then
+ echo "--- [debug] Importing private key..."
+ gpg --import pk.asc
+ cat >>~/.rpmmacros <
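Review bot: The signing block added to assets/linux.build-deb.sh runs `gpg --import pk.asc` against the build user's default keyring and never removes `pk.asc`, so the private key stays behind in that keyring and in the work directory after the package is built. The block also has no visible error handling: the script ends in `exit 0` and no `set -e` appears in this hunk (the top of the script is outside it), so a failed import or `dpkg-sig` call may still yield an unsigned .deb that is reported as a success. I would import into a throwaway `GNUPGHOME`, delete it and the key copy on exit, and stop the script when signing fails, as sketched below. The same import pattern is added to assets/linux.build-rpm.sh in the following hunk, which is cut off in this view.

```shell
# Sign the deb file if private key is provided
if [[ -f pk.asc ]]; then
    # throwaway keyring, removed together with the key copy when the script exits
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    trap 'rm -rf "$GNUPGHOME" pk.asc' EXIT
    gpg --batch --import pk.asc || exit 1
    dpkg-sig --sign builder librewolf.deb || exit 1
fi
# … unchanged: echo, ls -lh librewolf.deb, exit 0 …
```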