From eafcce3b2b3123ab0b1a41ab58e088d74e91bdb0 Mon Sep 17 00:00:00 2001
From: Rootul Patel
Date: Thu, 21 Sep 2023 14:36:57 -0400
Subject: [PATCH] attempt to sign binary with GPG key
---
 .github/workflows/ci-release.yml | 12 ++++++++++--
 .goreleaser.yaml | 12 ++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index a53e02acc5..7d77ed076a 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -71,11 +71,19 @@ jobs:
 - uses: actions/setup-go@v4
 with:
 go-version: 1.21.1
- # Generate the binaries and release
- - uses: goreleaser/goreleaser-action@v5
+ # Import the GPG key from github secrets to sign the binaries
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v4
+ with:
+ gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
+ passphrase: ${{ secrets.GPG_PASSPHRASE }}
+ # Generate the binaries, release, and sign the checksum
+ - uses: goreleaser/goreleaser-action@v4
 with:
 distribution: goreleaser
 version: latest
 args: release --clean
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index d7944730fc..5d9ba2625a 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -47,6 +47,18 @@ archives:
 {{- if .Arm }}v{{ .Arm }}{{ end }}
 checksum:
 name_template: "checksums.txt"
+signs:
+ - artifacts: checksum
+ args:
+ [
+ "--batch",
+ "-u",
+ "{{ .Env.GPG_FINGERPRINT }}",
+ "--output",
+ "${signature}",
+ "--detach-sign",
+ "${artifact}",
+ ]
 snapshot:
 name_template: "{{ incpatch .Version }}-next"
 changelog:
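Review bot: The new `Import GPG key` step passes `secrets.GPG_SIGNING_KEY` and `secrets.GPG_PASSPHRASE` to a third-party action referenced by the movable tag `crazy-max/ghaction-import-gpg@v4`, so whatever commit that tag points to at release time receives the signing key. Pinning it to a full commit SHA, `uses: crazy-max/ghaction-import-gpg@<full-commit-sha>  # v4`, keeps the code that handles the key fixed and reviewable. The same hunk also moves `goreleaser/goreleaser-action` from `@v5` to `@v4` while that step keeps `version: latest`, and it now runs in a job whose keyring holds the imported key; the downgrade looks unintended, and both references would be better pinned as well. The job definition starts outside the hunk, so its `permissions` and triggers could not be checked here.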
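Review bot: The added `signs` entry signs only `checksums.txt` (`artifacts: checksum`), so the release archives are authenticated only indirectly through that file, and nothing in the config says so. A comment above `signs:` such as `# Detached GPG signature over checksums.txt only; verify it first, then check each archive against the checksums.` would make the intended verification order explicit. `{{ .Env.GPG_FINGERPRINT }}` is set only by the release workflow, so a run without that variable (for example a local release build) will presumably fail at template evaluation, which is worth stating in the same comment. The signature helps consumers only if the public key or its fingerprint is published somewhere other than the release itself, which this change does not cover.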