From 850effa8b12b2f6990847cdc987b961234cd3a0c Mon Sep 17 00:00:00 2001
From: maltejur <maltejur@dismail.de>
Date: Sat, 14 May 2022 18:22:17 +0000
Subject: [PATCH] Sign deb and rpm Files

---
 assets/linux.Dockerfile   |  4 ++--
 assets/linux.artifacts.mk |  2 ++
 assets/linux.build-deb.sh |  6 ++++++
 assets/linux.build-rpm.sh | 23 ++++++++++++++++++-----
 4 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/assets/linux.Dockerfile b/assets/linux.Dockerfile
index 501d8fd..69cd3bc 100644
--- a/assets/linux.Dockerfile
+++ b/assets/linux.Dockerfile
@@ -14,8 +14,8 @@ ENV TZ=Europe/Amsterdam
 
 
 # dependencies needed to run ./mach bootstrap
-RUN ( apt-get -y update && apt-get -y upgrade && apt-get -y install mercurial python3 python3-dev python3-pip wget ; true)
-RUN ( dnf -y upgrade && dnf -y install mercurial python3 python3-devel wget rpm-build ; true)
+RUN ( apt-get -y update && apt-get -y upgrade && apt-get -y install mercurial python3 python3-dev python3-pip wget dpkg-sig ; true)
+RUN ( dnf -y upgrade && dnf -y install mercurial python3 python3-devel wget rpm-build rpm-sign ; true)
 
 # setup wasi
 RUN export target_wasi_location=$HOME/.mozbuild/wrlb/ &&\
diff --git a/assets/linux.artifacts.mk b/assets/linux.artifacts.mk
index 8ce9269..2280cb5 100644
--- a/assets/linux.artifacts.mk
+++ b/assets/linux.artifacts.mk
@@ -19,6 +19,7 @@ librewolf-$(full_version).en-US.$(distro).x86_64.deb : $(infile)
 	mkdir -p work
 	(cd work && tar xf ../$<)
 	cp -v assets/linux.build-deb.sh work/
+	[ "$(SIGNING_KEY)" != "" ] && cp -v $(SIGNING_KEY) work/pk.asc ; true
 	(cd work && sed "s/MYDIR/\/usr\/share\/librewolf/g" < ../assets/linux.librewolf.desktop.in > start-librewolf.desktop)
 ifeq ($(use_docker),false)
 	(cd work && bash linux.build-deb.sh $(full_version))
@@ -47,6 +48,7 @@ librewolf-$(full_version).$(fc).x86_64.rpm : $(infile)
 	cp -v assets/linux.librewolf.spec work/librewolf.spec
 	cp -v assets/linux.librewolf.desktop.in work/librewolf/start-librewolf.desktop.in
 	cp -v assets/linux.librewolf.ico work/librewolf/librewolf.ico
+	[ "$(SIGNING_KEY)" != "" ] && cp -v $(SIGNING_KEY) work/pk.asc ; true
 	rm -f work/librewolf/browser/features/proxy-failover@mozilla.com.xpi
 	rm -f work/librewolf/pingsender
 	rm -f work/librewolf/precomplete
diff --git a/assets/linux.build-deb.sh b/assets/linux.build-deb.sh
index 73dd88d..8386e28 100755
--- a/assets/linux.build-deb.sh
+++ b/assets/linux.build-deb.sh
@@ -41,6 +41,12 @@ cp -v ../start-librewolf.desktop usr/share/applications/start-librewolf.desktop
 cd ..
 dpkg-deb --build librewolf
 
+# Sign the deb file if private key is provided
+if [[ -f pk.asc ]]; then
+  gpg --import pk.asc
+  dpkg-sig --sign builder librewolf.deb
+fi
+
 echo ""
 ls -lh librewolf.deb
 exit 0
diff --git a/assets/linux.build-rpm.sh b/assets/linux.build-rpm.sh
index 8528405..d70135c 100755
--- a/assets/linux.build-rpm.sh
+++ b/assets/linux.build-rpm.sh
@@ -1,5 +1,15 @@
 set -e
 
+if [[ -f pk.asc ]]; then
+  echo "--- [debug] Importing private key..."
+  gpg --import pk.asc
+  cat >>~/.rpmmacros <<EOF
+%_signature gpg
+%_gpg_name  LibreWolf Maintainers
+EOF
+  signing="true"
+fi
+
 rm -rf /WORK
 mkdir /WORK
 cd /WORK
@@ -61,12 +71,15 @@ rm -rf $HOME/rpmbuild
 cp -rv rpmbuild $HOME
 
 # Build the package!
-echo '---'
-echo "[debug] Running rpmbuild.."
-echo '---'
-
+echo "--- [debug] Running rpmbuild..."
 rpmbuild -v -bb $(pwd)/rpmbuild/SPECS/librewolf.spec
-echo '--- [debug] Copying output files to /artifacts'
 
+echo '--- [debug] Copying output files to /artifacts'
 #Wrote: /root/rpmbuild/RPMS/x86_64/librewolf-94.0.2-1.fc35.x86_64.rpm
 cp -v ~/rpmbuild/RPMS/x86_64/librewolf-*.rpm /work/librewolf-$full_version.$fc.x86_64.rpm
+
+if [[ "$signing" == "true" ]]; then
+  echo '--- [debug] Signing the RPM'
+  export GPG_TTY=$(tty)
+  rpm --addsign /work/librewolf-*.rpm
+fi