feat: sign pre-built binary with GPG key (#2568)

Closes #2445 ## Testing 1. On my fork, I pushed the contents of this PR to main and then created https://github.com/rootulp/celestia-app/releases/tag/v1.0.0-rc4. 2. Verified that the checksum is correct ```shell $ sha256sum --ignore-missing --check checksums.txt celestia-app_Linux_x86_64.tar.gz: OK ``` 3. Verified that the signature is correct ```shell $ ./verify-signatures.sh checksums.txt.sig checksums.txt Importing the celestia-app-maintainers public key... gpg: key D469F859693DC3FA: no user ID gpg: Total number processed: 1 Verifying the signature of checksums.txt.sig with checksums.txt gpg: Signature made Fri Oct 6 16:19:01 2023 EDT gpg: using EDDSA key ACF99399A35311E95B2432072B987E2A363550BE gpg: Good signature from "rootulp-test-goreleaser <[email protected]>" [ultimate] ``` Note: the GPG key used to sign for celestiaorg/celestia-app will have a different ID / email address from the one here ^ --------- Co-authored-by: Matthew Sevey <[email protected]>
celestiaorg · Oct 9, 2023 · 934fded · 934fded
1 parent 8e62d44
commit 934fded
Show file tree

Hide file tree

Showing 5 changed files with 109 additions and 29 deletions.
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
@@ -71,11 +71,19 @@ jobs:
       - uses: actions/setup-go@v4
         with:
           go-version: 1.21.1
-      # Generate the binaries and release
-      - uses: goreleaser/goreleaser-action@v5
+      # Import the GPG key from Github secrets to sign the binaries
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v4
+        with:
+          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+      # Generate the binaries, release, and sign the checksum
+      - uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser
           version: latest
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -47,6 +47,18 @@ archives:
       {{- if .Arm }}v{{ .Arm }}{{ end }}
 checksum:
   name_template: "checksums.txt"
+signs:
+  - artifacts: checksum
+    args:
+      [
+        "--batch",
+        "-u",
+        "{{ .Env.GPG_FINGERPRINT }}",
+        "--output",
+        "${signature}",
+        "--detach-sign",
+        "${artifact}",
+      ]
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
 changelog:

diff --git a/README.md b/README.md
@@ -36,6 +36,8 @@ node            |  |                               |  |
 
 ## Install
 
+### Source
+
 1. [Install Go](https://go.dev/doc/install) 1.21.1
 1. Clone this repo
 1. Install the celestia-app CLI
@@ -44,6 +46,57 @@ node            |  |                               |  |
     make install
     ```
 
+### Pre-built binary
+
+If you'd rather not install from source, you can download a pre-built binary from the [releases](https://github.com/celestiaorg/celestia-app/releases) page.
+
+1. Navigate to the latest release on <https://github.com/celestiaorg/celestia-app/releases>.
+1. Download the binary for your platform (e.g. `celestia-app_Linux_x86_64.tar.gz`) from the **Assets** section.
+1. Extract the archive
+
+    ```shell
+    tar -xvf celestia-app_Linux_x86_64.tar.gz
+    ```
+
+1. Verify the extracted binary works
+
+    ```shell
+    ./celestia-appd --help
+    ```
+
+#### Optional: Verify the pre-built binary checksums and signatures
+
+If you use a pre-built binary, you may also want to verify the checksums and signatures.
+
+1. Navigate to the latest release on <https://github.com/celestiaorg/celestia-app/releases>.
+1. Download `checksums.txt`, `checksums.txt.sig`, and the binary for your platform (e.g. `celestia-app_Linux_x86_64.tar.gz`) from the **Assets** section.
+1. Verify the checksums
+
+    ```shell
+    sha256sum --ignore-missing --check checksums.txt
+    ```
+
+    You should see output like this:
+
+    ```shell
+    celestia-app_Linux_x86_64.tar.gz: OK
+    ```
+
+1. Download the [verify-signature.sh](./scripts/signing/verify-signature.sh) script.
+1. Verify the signature via the [verify-signature.sh](./scripts/signing/verify-signature.sh) script
+
+    ```shell
+    ./verify-signature.sh checksums.txt.sig checksums.txt
+    ```
+
+    You should see output like this:
+
+    ```shell
+    gpg: Signature made Thu Sep 21 14:39:26 2023 EDT
+    gpg:                using EDDSA key BF02F32CC36864560B90B764D469F859693DC3FA
+    gpg: Good signature from "celestia-app-maintainers <[email protected]>" [ultimate]
+    ```
+
 ### Ledger Support
 
 Ledger is not supported on Windows and OpenBSD.
@@ -115,33 +168,6 @@ make proto-gen
 make goreleaser-build
 ```
 
-### Publishing a Release
-
-> **NOTE** Due to `goreleaser`'s CGO limitations, cross-compiling the binary does not work. So the binaries must be built on the target platform. This means that the release process must be done on a Linux amd64 machine.
-
-To generate the binaries for the Github release, you can run the following command:
-
-```sh
-make goreleaser-release
-```
-
-This will generate the binaries as defined in `.goreleaser.yaml` and put them in `build/goreleaser` like so:
-
-```sh
-build
-└── goreleaser
-    ├── CHANGELOG.md
-    ├── artifacts.json
-    ├── celestia-app_Linux_x86_64.tar.gz
-    ├── celestia-app_linux_amd64_v1
-    │   └── celestia-appd
-    ├── checksums.txt
-    ├── config.yaml
-    └── metadata.json
-```
-
-For the Github release, you just need to upload the `checksums.txt` and `celestia-app_Linux_x86_64.tar.gz` files.
-
 ### Docs
 
 Package-specific READMEs aim to explain implementation details for developers that are contributing to these packages. The [specs](https://celestiaorg.github.io/celestia-app/) aim to explain the protocol as a whole for developers building on top of Celestia.

diff --git a/scripts/signing/celestia-app-maintainers.asc b/scripts/signing/celestia-app-maintainers.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZQyVAhYJKwYBBAHaRw8BAQdArnTc9Gu1/koOMkR7/t9HESJN8k1ee0/YBxI/
+9bk3PBW0QGNlbGVzdGlhLWFwcC1tYWludGFpbmVycyA8Y2VsZXN0aWEtYXBwLW1h
+aW50YWluZXJzQGNlbGVzdGlhLm9yZz6IkwQTFgoAOxYhBL8C8yzDaGRWC5C3ZNRp
++FlpPcP6BQJlDJUCAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJENRp
++FlpPcP6sZcBAKpPSeEHPlIsKn7lAOlfV0n9kXQYnL3xxdq9/ytFB5dUAP0S//wt
+EycGLLn1Wytp06o9tFyRHw+fmQBXaNFPSsc4B7g4BGUMlQISCisGAQQBl1UBBQEB
+B0CpJl7Leh7INkGvlq3QclvXRb3TB6P28tDMXk2mPhgYFAMBCAeIeAQYFgoAIBYh
+BL8C8yzDaGRWC5C3ZNRp+FlpPcP6BQJlDJUCAhsMAAoJENRp+FlpPcP6HQgBAMC3
+QoXupYfpmiJGGnxlCcK5iyYpZLe8EWpWq39t0vRlAP4hgvO8A4c0TNZaVkvLq62P
+eLp2+KNYB2PhA91X8BL8Bg==
+=311S
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/scripts/signing/verify-signature.sh b/scripts/signing/verify-signature.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# This script enables consumers to verify signatures on artifacts.
+
+# Check if the number of arguments is not 2
+if [[ $# -ne 2 ]]; then
+    echo "Error: Exactly two arguments are required."
+    echo "Example usage:"
+    echo "  ./verify-signature.sh <signature-file> <file-to-verify>"
+    exit 1
+fi
+
+# PGP Key
+# celestia-app-maintainers <[email protected]>
+# BF02F32CC36864560B90B764D469F859693DC3FA
+echo "Importing the celestia-app-maintainers public key..."
+gpg --keyserver keys.openpgp.org --recv-keys BF02F32CC36864560B90B764D469F859693DC3FA
+
+echo "Verifying the signature of "$1" with "$2""
+gpg --verify $1 $2