feat: Sign Linux packages and distribute GPG public key with release (#2852)

* feat: Distribute GPG public key with release

* Temp file

* Regenerate public key, move to .keep, use release_deps instead of ./signature directly

* Sign nfpms during release workflow

Author: mrsillydog

.github/workflows/release-test.yml

@@ -152,6 +152,13 @@ jobs:
         with:
           path: ~/.cache/goreleaser
 
+      - name: Write signing key for nFPM
+        shell: bash
+        run: |
+          cat > ci-signing-key.asc <<'EOF'
+          ${{ secrets.GPG_PRIVATE_SIGNING_KEY }}
+          EOF
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
@@ -162,11 +169,15 @@ jobs:
           GORELEASER_CURRENT_TAG: ${{ env.VERSION }}
           GITHUB_TOKEN: ${{ secrets.ORG_GORELEASER_GITHUB_TOKEN }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          SIGNING_KEY_FILE: ci-signing-key.asc
 
       - name: Create artifact archive
         run: |
           mkdir artifacts
+          mkdir artifacts/gpg
           cp ./scripts/install/*.sh ./artifacts
+          cp ./release_deps/gpg/bdot-public-gpg-key.asc ./artifacts/gpg/bdot-public-gpg-key.asc
+          cp -r ./release_deps/gpg/revocations ./artifacts/gpg/revocations
           cp ./observiq-otel-collector.msi/observiq-otel-collector.msi ./artifacts
           cp ./dist/*tar.gz ./artifacts
           cp ./windows-archive/windows_amd64/*.zip ./artifacts

.github/workflows/release.yml

@@ -164,6 +164,12 @@ jobs:
         shell: bash
         env:
           COSIGN_PASSWORD: ${{ secrets.ORG_COSIGN_PWD }}
+      - name: Write signing key for nFPM
+        shell: bash
+        run: |
+          cat > ci-signing-key.asc <<'EOF'
+          ${{ secrets.GPG_PRIVATE_SIGNING_KEY }}
+          EOF
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
@@ -174,11 +180,15 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.ORG_GORELEASER_GITHUB_TOKEN }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
           COSIGN_PWD: ${{ secrets.ORG_COSIGN_PWD }}
+          SIGNING_KEY_FILE: ci-signing-key.asc
       # Create artifact bundle and upload to release
       - name: Create artifact archive
         run: |
           mkdir artifacts
+          mkdir artifacts/gpg
           cp ./scripts/install/*.sh ./artifacts
+          cp ./release_deps/gpg/bdot-public-gpg-key.asc ./artifacts/gpg/bdot-public-gpg-key.asc
+          cp -r ./release_deps/gpg/revocations ./artifacts/gpg/revocations
           cp ./observiq-otel-collector.msi/observiq-otel-collector.msi ./artifacts
           cp ./dist/*tar.gz ./artifacts
           cp ./windows-archive/windows_amd64/*.zip ./artifacts
@@ -195,6 +205,8 @@ jobs:
         run: |
           gsutil cp ./scripts/install/install_unix.sh gs://bdot-release/latest/install_unix.sh
           gsutil cp ./scripts/install/install_macos.sh gs://bdot-release/latest/install_macos.sh
+          gsutil cp ./release_deps/gpg/bdot-public-gpg-key.asc gs://bdot-release/latest/gpg/bdot-public-gpg-key.asc
+          gsutil cp -r ./release_deps/gpg/revocations gs://bdot-release/latest/gpg/revocations/
       - name: Upload artifact bundle to release
         uses: AButler/upload-release-assets@v2.0
         with:

.goreleaser.gpg.yml

@@ -79,6 +79,9 @@ archives:
       - src: release_deps/windows_service.json
         dst: install
         strip_parent: true
+      - src: release_deps/gpg/*
+        dst: gpg
+        strip_parent: true
     format_overrides:
       - goos: windows
         format: zip

.goreleaser.yml

@@ -4,7 +4,7 @@ project_name: observiq-otel-collector
 
 before:
   hooks:
-    - make release-prep CURR_VERSION={{ .Version }}
+    - make release-prep-gpg CURR_VERSION={{ .Version }}
 
 # https://goreleaser.com/customization/build/
 builds:
@@ -88,6 +88,9 @@ archives:
       - src: release_deps/com.observiq.collector.plist
         dst: "install"
         strip_parent: true
+      - src: release_deps/gpg/*
+        dst: gpg
+        strip_parent: true
 
 nfpms:
   - id: collector
@@ -105,6 +108,12 @@ nfpms:
       - rpm
       - deb
     bindir: /usr/share/observiq-otel-collector/stage/observiq-otel-collector
+    deb:
+      signature:
+        key_file: "{{ .Env.SIGNING_KEY_FILE }}"
+    rpm:
+      signature:
+        key_file: "{{ .Env.SIGNING_KEY_FILE }}"
     contents:
       # This file was previously managed by the package
       # therefore it must be marked as a ghost file to
@@ -741,6 +750,7 @@ release:
     - glob: "./observiq-otel-collector*.msi.sig"
     - glob: "./scripts/install/install_unix.sh"
     - glob: "./scripts/install/install_macos.sh"
+    - glob: "./release_deps/gpg-keys.zip"
 
 # https://console.cloud.google.com/storage/browser/bdot-release
 blobs:
@@ -752,6 +762,7 @@ blobs:
       - glob: "./observiq-otel-collector*.msi.sig"
       - glob: "./scripts/install/install_unix.sh"
       - glob: "./scripts/install/install_macos.sh"
+      - glob: "./release_deps/gpg-keys.zip"
 
 # https://goreleaser.com/customization/changelog/
 changelog:

Makefile

@@ -242,11 +242,19 @@ release-prep:
 	@echo 'v$(CURR_VERSION)' > release_deps/VERSION.txt
 	./buildscripts/download-dependencies.sh release_deps
 	@cp -r ./plugins release_deps/
+	@cp -r ./signature/gpg release_deps/gpg
+	@rm release_deps/gpg/revocations.md
+	@rm release_deps/gpg/revocations/.keep
 	@cp config/example.yaml release_deps/config.yaml
 	@cp config/logging.yaml release_deps/logging.yaml
 	@cp service/com.observiq.collector.plist release_deps/com.observiq.collector.plist
 	@jq ".files[] | select(.service != null)" windows/wix.json >> release_deps/windows_service.json
 
+.PHONY: release-prep-gpg
+release-prep-gpg:
+	$(MAKE) release-prep
+	@cd release_deps/gpg && zip -r ../gpg-keys.zip .
+
 # Build and sign, skip release and ignore dirty git tree
 .PHONY: release-test
 release-test:

signature/gpg/bdot-public-gpg-key.asc

@@ -0,0 +1,87 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGkd1zcBEADNJ9zrJsFOf/H2bfva8TXnIPwpPQT6P68cBqcTT0bqwom3MDG4
+1zkX17OntoqTMSIEz5Hftr0bwoUR1aIp5sx72EuC5U5G1NDwpGqP5oGwCBGf/d0h
+lRM527GxSiTevYyzg/D61cR7YA1ZTjZ2gPFuiyO58UtF/H8DuR2jFySu9/eq2kcO
+2sPP5MLxX95OEntUFUYliqz7uagBua0I12CM9eCmYkiaWFwYJ4ylPcp+aR6OJ0h4
+z2I9jySNgH235f/qtcLst/thNMxnVA4KGFWq13anwQZo1TjWpY1sb/AT8IrupR4w
+vjRO5gCvlbJA6afF0l98ZgVlqMzxn4QT/eBPBPeyQvc5O4XruN7RIixy0CPeItgp
+QZUyURdequ9y17fORCK/Kn5QpoGVpKDzmFPIh3ePvhmuOYjh+nj4lLeHJ6Jv1gyW
+ACKEzOSPBs6TiY+tKKmuCU4sVGkTNAp4bcCa6Y0xtt/bQyOBuQGsVAv8NLU/WNY7
+5xYmLtkaOxfbCve+UCK5QoluZmmyVQ7eCOdbzVeBs1xBt+W720mHHPaluUDmsaIa
+uo6MWkFfQftcvjWeQIN6pCLmK48EWAu4xIgwBlglffYyIi//4jTB0QA77PHGBLl2
+wJlljm2SyEJmKD1dkckOESG1WVpzuAxoY7/jyqTddXJfqqiXNmibQ0YcKQARAQAB
+tERCRE9UIChQcmltYXJ5IGtleXBhaXIgZm9yIHRoZSBCRE9UIGNvbGxlY3Rvcikg
+PGRldm9wc0BiaW5kcGxhbmUuY29tPokCTgQTAQoAOBYhBCcVETQGRXX570eMto1S
+PzPlMLJdBQJpHdc3AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEI1SPzPl
+MLJdrIEP/A1eegZrw5BRZm1dYErnj2dFuew+/Fd7PQT07dBSotJJxDeF37jGzFcF
+Mea1aYyKQJ8YwZk4P7RSU7Ds54dKaNVRjL6AxTVI97lGbaMOaPfzMm+c+g6CkQr0
+SrebWREJP0ABvX3fFae6wTzPQSbCVEVIMkBzRdLxn3ZcBTO/XjGHUvl5Nqnsu40k
+zAZS7sF4X+ern2v3SUE/+ot+ahWLY1grnSP5MN2pntNerXU9w5rR+FKL7Bg5dQjE
+/djB7zvpuLlAuwfJxktMRHCCLuY9JCACFCzucDmxq57LzE+9NL5uc9ERgomEYWfm
+vQzEr76jREfCap2ZPoNsNt+Mxukx076Dbqz23EBT/VZbhI3CPUO/td/sZ5sq45f1
+/vGzBc5KrwECLqzfShXvgL9H0a0X9iX9JuOP4Zh4Kul/VN6ukz44N4ut6/V1FPJw
+G01N5Oz9MdcGntfv8kRMb6nGYDefVe7h+uOH1Plgv2n9GT8MmQ4CupKVHRx6SndR
+xCprCrPDLz+aFXyIgRXs/RDd0p9sqIO3MFNkjmGT2RWHjj9O/yRM3kNWz6NQZGze
+bk+JnudDv0yumXYe4+eU85jDH9u7U79LeA8rVTQFPolMzpzeu+91j/V44LM9YdQi
+OiHNP4SH9HGuV3b4TNdfWGjUrWaXnYxAcmcJ9NOupdNSbCuhnyNcuQINBGkd1zcB
+EACl1+rAZwySgmRf15gbthS1mtY4D2sgDGaXUlSDvlJuK1XCDtXYlFQt8f3WJCCC
+IZ78GHjhJs+uHEfcjB08MgaCxeV4ax5PKsPNC+pn7Eo7jQq6u+XwdzldGCQHzGdu
+VcvHKAKM8kQGKwUplSV0W5VIdorblmswQ4OR59+p2TT++sqxdQXJgVs0TI4QuEVn
+c77v6Qdwu8wYOm9m9LB1GE5VaoyvAdE2BJe8wAWtnCGpczE/hvdc1srwTXXb+2kZ
+TJ81P1AoIiaU8Pe/7EdZKfnLTi0Wk7XOVKew7VlIOfCtQGViuhhUDgest2dCshvZ
+aZolbsYCyosKq4AS+9Nwt/AaxPj9CeISkc4qGqPFgZRTXNkPuZ06MTj1eWTH9U5s
+9Qrlnk787x+gryp3HpSodgOUDr7vD7vRPxh6CwHnULKuFHO7rfCpauGbnh33Idjg
+gBvn3gAVep0RrF7AjvNZbCpEPra5d1n65bjWbVH1bMjierfbfVZUv5a7W7nrtWm8
+0YZxgm4DglSDEp9cLAn8m+onqMKmbF+jl8hXA42H1mSLUi2cs+bOdCHHwNAvhswH
+5WuF0AJdjeB5cRP1z/Nz/3HyOO1zUsgEPoaU/YMcg2vgp9MtMEbGtMGAULnVt5u0
+rbMe8LLYj7pDqAySZv05q01+XRAHdAY/9K6e72dW06zY8wARAQABiQI2BBgBCgAg
+FiEEJxURNAZFdfnvR4y2jVI/M+Uwsl0FAmkd1zcCGwwACgkQjVI/M+Uwsl0/8w//
+bB/EO98FHK/PS6VbY3MBGhT2r93shb5qBE6idPEFSxPro5Z5b8NBw0SvYRVNYRCO
+HMsoY9Gv2UDXMR0L/tF2edMv5jk6wv0BQs781JywUy5J9xOBAX6g8pq0bBDDzvl2
+v4zkko3jZVZIyjPjiDuTd4B0Ycb9mWwwfdot2H6g5nhMdCKo+x5DghW6BfzfgjoX
+e3rg9ma8gfr9DzBAPhHRG7J8vMprNwx71Tq/8YQB+ARr4eYHE8t+LO83jJS/79mM
+zCidB5Nm2eBaIqPr7Z/79jYq/zh3KriRF1FiB5HKKYvMgfmNQtAuj1jANbHgdhic
+uDXsw4lTBiDfcg3PUqsMXMSMroiqlSmLN86fZF5vqLmadK3lE8K4w+AzQGEQKpYE
+tmpMwMKYAYeA7vvM1HPq2ZrtT/iazF/WgLJ57rWKiSRKqhts0VKNfmY1BRe7h3bD
+XcAFA/SAmaQrbtLUFl10Mq2/UKjZ82o2u38hKyDQIz0I7v4RmSz5kkR1q9uml0WN
+e7HE4/MRpQafALlw+NeU1xOQt/HAZX9pkTYFYXnTrZ7Pav9Hgd58awHX3cxsKf03
+AlxdItq8OLpl+g4kxnGI+tOzQWnp5PHP0nCAFa+tQxuUBmOoHJbP44Ln9b5KjhNb
+1IjYum7zCEHnQuHUy2G2J1TAXGOPKWTIJECm/TWN7Ra5Ag0EaR3XggEQAOSY4A9L
+9ZlHe6QaaQtY6qHHz/+h4kQxSScP5lSx5gfAIQqxJ/AR40zyCsWFn7ZNupX6t5bw
+Xy+M4iYY3Q9PLRqt2D5Fb6Hm5bsKFjBBLaQzR8LIF9fMuDkCQGAQG0tMxXS/zZ7P
+ItAqIwKkASL090acCr+uDlMnV82gNuWI8SIyogCAUrSgGjLwe8KrqZKOueXlnCC0
+VoPbzEMHeV0O1vmsx19ctf6bzaNk1AvmGtmeb9w4bfhsLtN0C94ecseiKHk7uOgN
+WNYsm3cGctQdKzwLc63TeYuZ7Tnr9Y0UbUWrt50RXH/4y41FZ8pOeA/XhNRNtJsy
+vZ5PoQBvgQ6giUxRjKVvWKhkGQhL7v2vtl9rf6W+ek6YLfmHrHgO+pu/8Uyy1OP9
+MCP+KK7WVsqj5d5IyBX/QsVy05WQ60klaZ2x82snr927u0+uVpB0OlrTt333hCGU
+gNvQPb7wQRML2Cao3inoJjBoe9wIunzRSUUdR80yb1omAOa3XgGu7Izk2vySBP6Z
+EvyIBS+BoP+Jh2nOv4JbjUXjhN1g55zTbTUq9MPJPfO37gOasiitXsCN6vZn1LvT
+8ThlRwxQ5y95PggRGtPNRcPjEo3d1r6LEDcsvfD68Wi+5mEVWa7mhD9MffyKufSE
+8HVNER7EPPIQpeDAf+6BLmHFz2CexDkDHkJ5ABEBAAGJBHIEGAEKACYWIQQnFRE0
+BkV1+e9HjLaNUj8z5TCyXQUCaR3XggIbAgUJAsfqAAJACRCNUj8z5TCyXcF0IAQZ
+AQoAHRYhBGbaxTyX8yVqwfM5k1qPc7f9lnsvBQJpHdeCAAoJEFqPc7f9lnsvgiIP
+/2EeW3sueHj9wAaPUNFePXT+Dx9exU4kUOQShCc0EEtC6phey3S8fHnBFs/G1Lo+
+qh2G01oaUO+FZz1m4jfprSeAmS6+BD87qPOVv9/KNHob3u5YduDl/3PIvkEP7FcY
+JfpbXpWIaUF3uHIkAeHl9hPEPNEhwU9nl6OMHvXb1eYY405r+nKlKcIlmguB2K9t
+BDWZcCDPJtDQj8atBfddsJgPzWnmjKal/Xm3ZW1bw+irK24VQtOH8j8NjD1khQi/
+us2IKFGJJ+NcCpjapW/+vxuOsCquiSAmsFFkOWz3InQxO6CWq4lIWjhm5P/nR5aB
+Xt0GFOh7kGS1mvd1W3V77LJ0pclTIO7tZn4pYazoXw3z1I12jtOr3SwQ4CPgforL
+JNs9JrmU70MgxridR6/eGhkBb2t32WrDuzabiQejhFb+S36JoBFV7FsV+Ni/EzFx
+Nmglbka2C8rMidRUsCrUhjE0Cl4cYkYVNwsPM5M2X7IASVe5UiJ5HIlkmuGhNeK+
+yyVFpLHh+zcoBQEe5LXKNVK8L/eJC6fsM/IXTDp3WmdcrgBnEkUqOu5iWGKd7rOL
+dHSyeMz3jv3s1Lo24cKvp/eKue2yjUKOEZG3cYhnINCpO8EdvofEZwm+GcbjUxdG
+1dVobuX0lB8PrGTlwbQqbIKEpsphgKFHx2MlPl+quSgoHWkP/1DJbcMmkTDZKlVd
+XlJv/hou1cBU7wgwYLRB7fleDHzzkyz9K8cMP4los7PYlfZVtrubsmLlz+Gdhwhs
+sIX5JPovuJm0NJRydE7pvH6HKnnVCjaa3TU1QpsqdsaZ4fGPEguUUY7pZ82+8NuB
+5U3m/ZU4L2ijraxtrWOJ0IKA5b4jUoXR4eN01Lrzbjnb80+ZB1iR72NB9G8VxWoc
+wz0CXXcrsmG0Sh0OFjJtBBO9m3xTAaq79uW7x/CCxhDUW+ZYRhVz9xRGynu94NxR
+hyUXOc6D/jx8virAWLmonX2rW8zyC9WbWbMgTdeBI5q6W411uYSj6ejQq84VRqjQ
+EMCaZUL3+i/ReD7b8L90O2bXs5iO6mhTy86M2t+gvvht9J9WEFe6FwX1V2N8oQc7
+tsVBf5kN4rr9MgLg2KfBIQqnH3sIZRIB71oeyfakEDS7VmvU4HUpHdX3mO51BIMq
+VKOFF3HPUMycDkUconDuYpHLIMiYwolafU6hYGL18XBk5M/NCrOu5BjE6SlQEPGK
+JGVd22D56n0+fUEM6KG0UnqoqZlcnbyjdbcYxY3/9SeLMKD3/wawgqDbf6+BWq0H
+mQ43c7f4VyU5ecvrpKywSG7uLo0qEq/ha/u9r4mp+YMy11r8Mw3be5ENF/PHkovP
+jhWSRJ+cvwVAy1LHz1Dzc/zlA3GG
+=x4KN
+-----END PGP PUBLIC KEY BLOCK-----

signature/gpg/revocations.md

@@ -0,0 +1,7 @@
+# GPG Key Revocations
+
+Any primary public keys that have been revoked should be placed within the `revocations` folder.
+
+If a primary keypair has been lost or destroyed, its revocation certificate should be placed within the `revocations` folder.
+
+Once one of the above two steps has been taken for the revoked keypair, the release action and install scripts will distribute the revocations to prevent users from installing new software signed using the revoked keypair.