feat: sign pre-built binary with GPG key (backport #2568) (#2640)

This is an automatic backport of pull request #2568 done by
[Mergify](https://mergify.com).
Cherry-pick of 934fded has failed:
```
On branch mergify/bp/v1.x/pr-2568
Your branch is up to date with 'origin/v1.x'.

You are currently cherry-picking commit 934fded.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   .goreleaser.yaml
	modified:   README.md
	new file:   scripts/signing/celestia-app-maintainers.asc
	new file:   scripts/signing/verify-signature.sh

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   .github/workflows/ci-release.yml

```


To fix up this pull request, you can check it out locally. See
documentation:
https://docs.github.com/en/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

---


<details>
<summary>Mergify commands and options</summary>

<br />

More conditions and actions can be found in the
[documentation](https://docs.mergify.com/).

You can also trigger Mergify actions by commenting on this pull request:

- `@Mergifyio refresh` will re-evaluate the rules
- `@Mergifyio rebase` will rebase this PR on its base branch
- `@Mergifyio update` will merge the base branch into this PR
- `@Mergifyio backport <destination>` will backport this PR on
`<destination>` branch

Additionally, on Mergify [dashboard](https://dashboard.mergify.com) you
can:

- look at your merge queues
- generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.com
</details>

---------

Co-authored-by: Rootul P <[email protected]>

.github/workflows/ci-release.yml

@@ -71,11 +71,19 @@ jobs:
       - uses: actions/setup-go@v4
         with:
           go-version: 1.21.1
-      # Generate the binaries and release
+      # Import the GPG key from Github secrets to sign the binaries
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v4
+        with:
+          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+      # Generate the binaries, release, and sign the checksum
       - uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           version: latest
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}

.goreleaser.yaml

@@ -47,6 +47,18 @@ archives:
       {{- if .Arm }}v{{ .Arm }}{{ end }}
 checksum:
   name_template: "checksums.txt"
+signs:
+  - artifacts: checksum
+    args:
+      [
+        "--batch",
+        "-u",
+        "{{ .Env.GPG_FINGERPRINT }}",
+        "--output",
+        "${signature}",
+        "--detach-sign",
+        "${artifact}",
+      ]
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
 changelog:

README.md

@@ -36,6 +36,8 @@ node            |  |                               |  |
 
 ## Install
 
+### Source
+
 1. [Install Go](https://go.dev/doc/install) 1.21.1
 1. Clone this repo
 1. Install the celestia-app CLI
@@ -44,6 +46,57 @@ node            |  |                               |  |
     make install
     ```
 
+### Pre-built binary
+
+If you'd rather not install from source, you can download a pre-built binary from the [releases](https://github.com/celestiaorg/celestia-app/releases) page.
+
+1. Navigate to the latest release on <https://github.com/celestiaorg/celestia-app/releases>.
+1. Download the binary for your platform (e.g. `celestia-app_Linux_x86_64.tar.gz`) from the **Assets** section.
+1. Extract the archive
+
+    ```shell
+    tar -xvf celestia-app_Linux_x86_64.tar.gz
+    ```
+
+1. Verify the extracted binary works
+
+    ```shell
+    ./celestia-appd --help
+    ```
+
+#### Optional: Verify the pre-built binary checksums and signatures
+
+If you use a pre-built binary, you may also want to verify the checksums and signatures.
+
+1. Navigate to the latest release on <https://github.com/celestiaorg/celestia-app/releases>.
+1. Download `checksums.txt`, `checksums.txt.sig`, and the binary for your platform (e.g. `celestia-app_Linux_x86_64.tar.gz`) from the **Assets** section.
+1. Verify the checksums
+
+    ```shell
+    sha256sum --ignore-missing --check checksums.txt
+    ```
+
+    You should see output like this:
+
+    ```shell
+    celestia-app_Linux_x86_64.tar.gz: OK
+    ```
+
+1. Download the [verify-signature.sh](./scripts/signing/verify-signature.sh) script.
+1. Verify the signature via the [verify-signature.sh](./scripts/signing/verify-signature.sh) script
+
+    ```shell
+    ./verify-signature.sh checksums.txt.sig checksums.txt
+    ```
+
+    You should see output like this:
+
+    ```shell
+    gpg: Signature made Thu Sep 21 14:39:26 2023 EDT
+    gpg:                using EDDSA key BF02F32CC36864560B90B764D469F859693DC3FA
+    gpg: Good signature from "celestia-app-maintainers <[email protected]>" [ultimate]
+    ```
+
 ### Ledger Support
 
 Ledger is not supported on Windows and OpenBSD.
@@ -113,33 +166,6 @@ make proto-gen
 make goreleaser-build
 ```
 
-### Publishing a Release
-
-> **NOTE** Due to `goreleaser`'s CGO limitations, cross-compiling the binary does not work. So the binaries must be built on the target platform. This means that the release process must be done on a Linux amd64 machine.
-
-To generate the binaries for the Github release, you can run the following command:
-
-```sh
-make goreleaser-release
-```
-
-This will generate the binaries as defined in `.goreleaser.yaml` and put them in `build/goreleaser` like so:
-
-```sh
-build
-└── goreleaser
-    ├── CHANGELOG.md
-    ├── artifacts.json
-    ├── celestia-app_Linux_x86_64.tar.gz
-    ├── celestia-app_linux_amd64_v1
-    │   └── celestia-appd
-    ├── checksums.txt
-    ├── config.yaml
-    └── metadata.json
-```
-
-For the Github release, you just need to upload the `checksums.txt` and `celestia-app_Linux_x86_64.tar.gz` files.
-
 ### Docs
 
 Package-specific READMEs aim to explain implementation details for developers that are contributing to these packages. The [specs](https://celestiaorg.github.io/celestia-app/) aim to explain the protocol as a whole for developers building on top of Celestia.

scripts/signing/celestia-app-maintainers.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZQyVAhYJKwYBBAHaRw8BAQdArnTc9Gu1/koOMkR7/t9HESJN8k1ee0/YBxI/
+9bk3PBW0QGNlbGVzdGlhLWFwcC1tYWludGFpbmVycyA8Y2VsZXN0aWEtYXBwLW1h
+aW50YWluZXJzQGNlbGVzdGlhLm9yZz6IkwQTFgoAOxYhBL8C8yzDaGRWC5C3ZNRp
++FlpPcP6BQJlDJUCAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJENRp
++FlpPcP6sZcBAKpPSeEHPlIsKn7lAOlfV0n9kXQYnL3xxdq9/ytFB5dUAP0S//wt
+EycGLLn1Wytp06o9tFyRHw+fmQBXaNFPSsc4B7g4BGUMlQISCisGAQQBl1UBBQEB
+B0CpJl7Leh7INkGvlq3QclvXRb3TB6P28tDMXk2mPhgYFAMBCAeIeAQYFgoAIBYh
+BL8C8yzDaGRWC5C3ZNRp+FlpPcP6BQJlDJUCAhsMAAoJENRp+FlpPcP6HQgBAMC3
+QoXupYfpmiJGGnxlCcK5iyYpZLe8EWpWq39t0vRlAP4hgvO8A4c0TNZaVkvLq62P
+eLp2+KNYB2PhA91X8BL8Bg==
+=311S
+-----END PGP PUBLIC KEY BLOCK-----

scripts/signing/verify-signature.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# This script enables consumers to verify signatures on artifacts.
+
+# Check if the number of arguments is not 2
+if [[ $# -ne 2 ]]; then
+    echo "Error: Exactly two arguments are required."
+    echo "Example usage:"
+    echo "  ./verify-signature.sh <signature-file> <file-to-verify>"
+    exit 1
+fi
+
+# PGP Key
+# celestia-app-maintainers <[email protected]>
+# BF02F32CC36864560B90B764D469F859693DC3FA
+echo "Importing the celestia-app-maintainers public key..."
+gpg --keyserver keys.openpgp.org --recv-keys BF02F32CC36864560B90B764D469F859693DC3FA
+
+echo "Verifying the signature of "$1" with "$2""
+gpg --verify $1 $2