Merged
11 changes: 11 additions & 0 deletions .github/workflows/release-test.yml
@@ -152,6 +152,13 @@ jobs:
with:
path: ~/.cache/goreleaser

- name: Write signing key for nFPM
shell: bash
run: |
cat > ci-signing-key.asc <<'EOF'
${{ secrets.GPG_PRIVATE_SIGNING_KEY }}
EOF

- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
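Review bot: the secret is expanded straight into the script text by `${{ secrets.GPG_PRIVATE_SIGNING_KEY }}` inside the heredoc, so the private key becomes part of the `run` body that the runner materialises and executes; pass it through `env:` instead and write it from the shell (`printf '%s\n' "$GPG_PRIVATE_SIGNING_KEY" > ci-signing-key.asc`). The file is also created with the default umask, which leaves it readable by every account on the runner; run `umask 077` first or `chmod 600 ci-signing-key.asc` afterwards.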
@@ -162,11 +169,15 @@ jobs:
GORELEASER_CURRENT_TAG: ${{ env.VERSION }}
GITHUB_TOKEN: ${{ secrets.ORG_GORELEASER_GITHUB_TOKEN }}
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
SIGNING_KEY_FILE: ci-signing-key.asc

- name: Create artifact archive
run: |
mkdir artifacts
mkdir artifacts/gpg
cp ./scripts/install/*.sh ./artifacts
cp ./release_deps/gpg/bdot-public-gpg-key.asc ./artifacts/gpg/bdot-public-gpg-key.asc
cp -r ./release_deps/gpg/revocations ./artifacts/gpg/revocations
cp ./observiq-otel-collector.msi/observiq-otel-collector.msi ./artifacts
cp ./dist/*tar.gz ./artifacts
cp ./windows-archive/windows_amd64/*.zip ./artifacts
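Review bot: `SIGNING_KEY_FILE: ci-signing-key.asc` is a relative path resolved against GoReleaser's working directory, and the private key it names stays on disk for the rest of the job; use `${{ github.workspace }}/ci-signing-key.asc` so the path does not depend on the action's cwd, and add a step directly after `Run GoReleaser` with `if: always()` that runs `rm -f ci-signing-key.asc`, so the archive and upload steps that follow (and any third-party action they use) never have the key available.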
12 changes: 12 additions & 0 deletions .github/workflows/release.yml
@@ -164,6 +164,12 @@ jobs:
shell: bash
env:
COSIGN_PASSWORD: ${{ secrets.ORG_COSIGN_PWD }}
- name: Write signing key for nFPM
shell: bash
run: |
cat > ci-signing-key.asc <<'EOF'
${{ secrets.GPG_PRIVATE_SIGNING_KEY }}
EOF
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
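Review bot: this `Write signing key for nFPM` step is a verbatim copy of the one added to release-test.yml; move it into a composite action or a script under `scripts/` that both workflows call, so a change to how the key is materialised (env-based write instead of heredoc interpolation, file permissions, cleanup) cannot be applied to one workflow and forgotten in the other.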
@@ -174,11 +180,15 @@ jobs:
GITHUB_TOKEN: ${{ secrets.ORG_GORELEASER_GITHUB_TOKEN }}
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
COSIGN_PWD: ${{ secrets.ORG_COSIGN_PWD }}
SIGNING_KEY_FILE: ci-signing-key.asc
# Create artifact bundle and upload to release
- name: Create artifact archive
run: |
mkdir artifacts
mkdir artifacts/gpg
cp ./scripts/install/*.sh ./artifacts
cp ./release_deps/gpg/bdot-public-gpg-key.asc ./artifacts/gpg/bdot-public-gpg-key.asc
cp -r ./release_deps/gpg/revocations ./artifacts/gpg/revocations
cp ./observiq-otel-collector.msi/observiq-otel-collector.msi ./artifacts
cp ./dist/*tar.gz ./artifacts
cp ./windows-archive/windows_amd64/*.zip ./artifacts
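Review bot: nothing in `Create artifact archive` copies `ci-signing-key.asc`, which is correct, but the private key is still in the workspace while these `cp` commands run and when `AButler/upload-release-assets@v2.0` executes later in the same job; that is a third-party action with full access to the checkout, so delete the key file in a step with `if: always()` immediately after `Run GoReleaser`, before any further action runs.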
@@ -195,6 +205,8 @@ jobs:
run: |
gsutil cp ./scripts/install/install_unix.sh gs://bdot-release/latest/install_unix.sh
gsutil cp ./scripts/install/install_macos.sh gs://bdot-release/latest/install_macos.sh
gsutil cp ./release_deps/gpg/bdot-public-gpg-key.asc gs://bdot-release/latest/gpg/bdot-public-gpg-key.asc
gsutil cp -r ./release_deps/gpg/revocations gs://bdot-release/latest/gpg/revocations/
- name: Upload artifact bundle to release
uses: AButler/upload-release-assets@v2.0
with:
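Review bot: `gsutil cp -r ./release_deps/gpg/revocations gs://bdot-release/latest/gpg/revocations/` behaves differently on the first and later runs: gsutil copies the directory's contents into a destination prefix that does not exist yet, but once `latest/gpg/revocations/` exists it nests the source directory under it, so the second release publishes `latest/gpg/revocations/revocations/...`. Use `gsutil rsync -r ./release_deps/gpg/revocations gs://bdot-release/latest/gpg/revocations` (without `-d`, so a revocation already published is never deleted). Separately, serving the current key from the mutable `latest/` path means an install script's trust rests entirely on the bucket; embedding the key's fingerprint in the script and checking it after import limits what a bucket compromise can achieve.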
3 changes: 3 additions & 0 deletions .goreleaser.gpg.yml
@@ -79,6 +79,9 @@ archives:
- src: release_deps/windows_service.json
dst: install
strip_parent: true
- src: release_deps/gpg/*
dst: gpg
strip_parent: true
format_overrides:
- goos: windows
format: zip
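Review bot: `src: release_deps/gpg/*` with `strip_parent: true` places every matched file at `gpg/<basename>` in the archive; if the glob expands into `release_deps/gpg/revocations/`, the revocation certificates are flattened next to `bdot-public-gpg-key.asc` and the archive loses the key/revocation split that the Makefile and the `artifacts/gpg/revocations` bundle preserve. Either add a second entry `src: release_deps/gpg/revocations/*` with `dst: gpg/revocations`, or drop `strip_parent` so relative paths survive, and check the archive listing from a release-test run before merging.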
13 changes: 12 additions & 1 deletion .goreleaser.yml
@@ -4,7 +4,7 @@ project_name: observiq-otel-collector

before:
hooks:
- make release-prep CURR_VERSION={{ .Version }}
- make release-prep-gpg CURR_VERSION={{ .Version }}

# https://goreleaser.com/customization/build/
builds:
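Review bot: the `before` hook now depends on `zip` being installed on the build host (pulled in by `release-prep-gpg`), and only this config is switched to the new target; the `.goreleaser.gpg.yml` hunk in this PR adds the `gpg` archive entry but its `before` hook is not in the diff, so confirm it also calls `release-prep-gpg`, otherwise builds from that config never produce `release_deps/gpg-keys.zip`.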
@@ -88,6 +88,9 @@ archives:
- src: release_deps/com.observiq.collector.plist
dst: "install"
strip_parent: true
- src: release_deps/gpg/*
dst: gpg
strip_parent: true

nfpms:
- id: collector
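Review bot: same glob and `strip_parent: true` as in `.goreleaser.gpg.yml`; files under `release_deps/gpg/revocations/` would be flattened into `gpg/` beside the active key, so give the revocations directory its own entry with `dst: gpg/revocations` (or drop `strip_parent`) here as well.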
@@ -105,6 +108,12 @@ nfpms:
- rpm
- deb
bindir: /usr/share/observiq-otel-collector/stage/observiq-otel-collector
deb:
signature:
key_file: "{{ .Env.SIGNING_KEY_FILE }}"
rpm:
signature:
key_file: "{{ .Env.SIGNING_KEY_FILE }}"
contents:
# This file was previously managed by the package
# therefore it must be marked as a ghost file to
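Review bot: `key_file` is set for both `deb` and `rpm` but no passphrase is configured; GoReleaser supplies nFPM's signing passphrase from the `NFPM_<ID>_PASSPHRASE` environment variable, which for `id: collector` is `NFPM_COLLECTOR_PASSPHRASE`. If `GPG_PRIVATE_SIGNING_KEY` is an unprotected key this is a weaker posture than the cosign key, which the workflow protects with `COSIGN_PASSWORD`; if it is protected, signing fails until the passphrase is exported in the workflow `env:` next to `SIGNING_KEY_FILE`.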
@@ -741,6 +750,7 @@ release:
- glob: "./observiq-otel-collector*.msi.sig"
- glob: "./scripts/install/install_unix.sh"
- glob: "./scripts/install/install_macos.sh"
- glob: "./release_deps/gpg-keys.zip"

# https://console.cloud.google.com/storage/browser/bdot-release
blobs:
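Review bot: `gpg-keys.zip` is published beside the cosign-signed MSI (`observiq-otel-collector*.msi.sig`) but carries no signature of its own, so an install script that downloads and imports its contents trusts whatever the release page or bucket serves. Sign the zip the same way the MSI is signed, or have the install script compare the imported primary key's fingerprint against a value embedded in the script, so a swapped key file is rejected before any package signature is checked against it.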
@@ -752,6 +762,7 @@ blobs:
- glob: "./observiq-otel-collector*.msi.sig"
- glob: "./scripts/install/install_unix.sh"
- glob: "./scripts/install/install_macos.sh"
- glob: "./release_deps/gpg-keys.zip"
Comment on lines 753 to +765

Member:

Will the user and install script retrieve the key from gs://bdot-release/latest/gpg/bdot-public-gpg-key.asc? (The equivalent HTTP URI.) That makes sense if we want the user to always retrieve the latest public key.

If the install script should use the public key versioned in the release, we should upload it outside of the zip file to its release directory in the bucket.

I suspect it is fine how you have it now, but I want to make sure. We can avoid the user needing to download and unzip this file.

Contributor Author:

So the tricky thing is that we really want the install script to retrieve both the key and any revocations and import them all; this will allow for the installation of software signed by the current key and prevent installation of software signed by any revoked keys. I can't think of a great way to do that besides zipping everything we want them to import into one folder, so they have to take all of it instead of cherry-picking.

# https://goreleaser.com/customization/changelog/
changelog:
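The install-script flow discussed in the thread above (fetch the key plus any revocations, import everything) still has to decide what it is willing to hand to gpg. The following is an added example and is not code from this PR or from the observiq-otel-collector project: it parses ASCII armor and OpenPGP packet framing (RFC 4880) just far enough to compute v4 key fingerprints, so a script can check a downloaded key against a pinned fingerprint and recognise a file that is only a bare revocation certificate, which gpg cannot apply unless the key is already in the keyring. The sample key and revocation packets are constructed here with dummy contents; `SAMPLE_KEY_ARMOR`, `SAMPLE_REVOCATION_ARMOR` and the pinned fingerprint passed to `safe_to_import` are illustrative, not the project's real key.

```python
import base64
import hashlib
import re

SIGNATURE, PUBLIC_KEY = 2, 6  # OpenPGP packet tags (RFC 4880 section 4.3)

def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip the ASCII-armor envelope, check its CRC-24 and return the raw packet bytes."""
    lines = armored.strip().splitlines()
    if not lines or not re.fullmatch(r"-----BEGIN PGP [A-Z ]+-----", lines[0].strip()):
        raise ValueError("missing armor header line")
    idx = 1
    while idx < len(lines) and lines[idx].strip():  # skip Version:/Comment: armor headers
        idx += 1
    b64, checksum = [], None
    for line in lines[idx + 1:]:  # everything after the blank separator line
        line = line.strip()
        if line.startswith("-----END"):
            break
        if line.startswith("="):
            checksum = line[1:]
        elif line:
            b64.append(line)
    data = base64.b64decode("".join(b64), validate=True)
    if checksum is not None and crc24(data) != int.from_bytes(base64.b64decode(checksum), "big"):
        raise ValueError("armor CRC-24 mismatch: file corrupted or tampered")
    return data

def packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial-body lengths are not handled here")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not handled here")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        yield tag, data[pos:pos + length]
        pos += length

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-octet body length and the body."""
    if key_body[:1] != b"\x04":
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def inspect_file(armored: str) -> dict:
    """Primary-key fingerprints in the file, and whether it is only a bare revocation certificate."""
    tagged = list(packets(dearmor(armored)))
    primaries = [v4_fingerprint(body) for tag, body in tagged if tag == PUBLIC_KEY]
    return {"primary_fingerprints": primaries,
            "bare_revocation": not primaries and any(tag == SIGNATURE for tag, _ in tagged)}

def safe_to_import(armored: str, pinned_fingerprint: str) -> bool:
    """Pin check for the downloaded key file: exactly the expected primary key, nothing else."""
    expected = pinned_fingerprint.replace(" ", "").upper()
    return inspect_file(armored)["primary_fingerprints"] == [expected]

# Constructed sample data below: dummy key material, not the project's key.
def _mpi(value: int) -> bytes:
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def _packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body  # new-format header, one-octet length (< 192)

def _armor(kind: str, data: bytes) -> str:
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{base64.b64encode(data).decode()}\n={crc}\n-----END PGP {kind}-----\n"

# v4 public key, created 2020-01-01, algorithm 1 (RSA) with toy MPIs; the fingerprint only needs the bytes.
SAMPLE_KEY_BODY = b"\x04" + (1577836800).to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)
SAMPLE_KEY_ARMOR = _armor("PUBLIC KEY BLOCK", _packet(PUBLIC_KEY, SAMPLE_KEY_BODY))
# Stand-in for a standalone revocation certificate: a lone v4 signature packet of type 0x20 (key revocation).
SAMPLE_REVOCATION_ARMOR = _armor("PUBLIC KEY BLOCK", _packet(SIGNATURE, b"\x04\x20\x01\x08" + b"\x00" * 8))
```

In an install script the pinned value would be a constant baked into the script and compared with `safe_to_import(key_text, PINNED)` before any `gpg --import` or `rpm --import`; a file for which `inspect_file` reports `bare_revocation` should be treated as a packaging error, since it can only be applied on hosts that already hold the revoked key.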
8 changes: 8 additions & 0 deletions Makefile
@@ -242,11 +242,19 @@ release-prep:
@echo 'v$(CURR_VERSION)' > release_deps/VERSION.txt
./buildscripts/download-dependencies.sh release_deps
@cp -r ./plugins release_deps/
@cp -r ./signature/gpg release_deps/gpg
@rm release_deps/gpg/revocations.md
@rm release_deps/gpg/revocations/.keep
@cp config/example.yaml release_deps/config.yaml
@cp config/logging.yaml release_deps/logging.yaml
@cp service/com.observiq.collector.plist release_deps/com.observiq.collector.plist
@jq ".files[] | select(.service != null)" windows/wix.json >> release_deps/windows_service.json

.PHONY: release-prep-gpg
release-prep-gpg:
$(MAKE) release-prep
@cd release_deps/gpg && zip -r ../gpg-keys.zip .

# Build and sign, skip release and ignore dirty git tree
.PHONY: release-test
release-test:
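Review bot: `zip -r ../gpg-keys.zip .` updates an existing archive rather than replacing it, so on a checkout where `release_deps/gpg-keys.zip` survives from an earlier run, a file removed from `signature/gpg` would still ship in the zip; add `@rm -f release_deps/gpg-keys.zip` before the `zip` call. In the same way, `@cp -r ./signature/gpg release_deps/gpg` copies into `release_deps/gpg/gpg/` if the destination directory already exists, and the two `@rm` lines without `-f` abort the target when a file is absent; an `rm -rf release_deps/gpg` before the copy makes the target idempotent whether or not the earlier part of `release-prep` (not in this diff) clears `release_deps`.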
87 changes: 87 additions & 0 deletions signature/gpg/bdot-public-gpg-key.asc
@@ -0,0 +1,87 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=x4KN
-----END PGP PUBLIC KEY BLOCK-----
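Review bot: the committed key is not accompanied anywhere in this PR by its fingerprint, key ID, algorithm, creation date or expiry; record those in `signature/gpg/revocations.md` or the install docs so a user can compare them out of band with `gpg --show-keys bdot-public-gpg-key.asc`, and state whether packages are signed with the primary key or a signing subkey, since that is the key ID users will see in `rpm -K` and `dpkg-sig --verify` output.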
7 changes: 7 additions & 0 deletions signature/gpg/revocations.md
@@ -0,0 +1,7 @@
# GPG Key Revocations

Any primary public keys that have been revoked should be placed within the `revocations` folder.

If a primary keypair has been lost or destroyed, its revocation certificate should be placed within the `revocations` folder.

Once one of the above two steps has been taken for the revoked keypair, the release action and install scripts will distribute the revocations to prevent users from installing new software signed using the revoked keypair.
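Review bot: the second case (keypair lost, only a revocation certificate available) does not work as written: GnuPG cannot apply a standalone revocation certificate when the corresponding public key is not already in the keyring, and the install script runs on hosts that imported the old key long ago or never. Import the certificate into a keyring that holds the public key, then export the now-revoked key (`gpg --export --armor <keyid>`) and place that export in `revocations/`, so both cases distribute a self-contained revoked key. The doc should also give a file-naming convention for the folder and say how revocation takes effect on rpm hosts, where keys live in rpm's own database (`rpm --import`) rather than in the gpg keyring.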