feat: Sign Linux packages and distribute GPG public key with release

.github/workflows/release-test.yml

@@ -166,7 +166,10 @@ jobs:
       - name: Create artifact archive
         run: |
           mkdir artifacts
+          mkdir artifacts/gpg
           cp ./scripts/install/*.sh ./artifacts
+          cp ./signature/gpg/bdot-public-gpg-key.asc ./artifacts/gpg/bdot-public-gpg-key.asc
+          cp -r ./signature/gpg/revocations ./artifacts/gpg/revocations
           cp ./observiq-otel-collector.msi/observiq-otel-collector.msi ./artifacts
           cp ./dist/*tar.gz ./artifacts
           cp ./windows-archive/windows_amd64/*.zip ./artifacts

.github/workflows/release.yml

@@ -178,7 +178,10 @@ jobs:
       - name: Create artifact archive
         run: |
           mkdir artifacts
+          mkdir artifacts/gpg
           cp ./scripts/install/*.sh ./artifacts
+          cp ./signature/gpg/bdot-public-gpg-key.asc ./artifacts/gpg/bdot-public-gpg-key.asc
+          cp -r ./signature/gpg/revocations ./artifacts/gpg/revocations
           cp ./observiq-otel-collector.msi/observiq-otel-collector.msi ./artifacts
           cp ./dist/*tar.gz ./artifacts
           cp ./windows-archive/windows_amd64/*.zip ./artifacts
@@ -195,6 +198,8 @@ jobs:
         run: |
           gsutil cp ./scripts/install/install_unix.sh gs://bdot-release/latest/install_unix.sh
           gsutil cp ./scripts/install/install_macos.sh gs://bdot-release/latest/install_macos.sh
+          gsutil cp ./signature/gpg/bdot-public-gpg-key.asc gs://bdot-release/latest/gpg/bdot-public-gpg-key.asc
+          gsutil cp -r ./signature/gpg/revocations gs://bdot-release/latest/gpg/revocations/
       - name: Upload artifact bundle to release
         uses: AButler/upload-release-assets@v2.0
         with:

.goreleaser.gpg.yml

@@ -79,6 +79,9 @@ archives:
       - src: release_deps/windows_service.json
         dst: install
         strip_parent: true
+      - src: release_deps/gpg/*
+        dst: gpg
+        strip_parent: true
     format_overrides:
       - goos: windows
         format: zip

.goreleaser.yml

@@ -4,7 +4,7 @@ project_name: observiq-otel-collector
 
 before:
   hooks:
-    - make release-prep CURR_VERSION={{ .Version }}
+    - make release-prep-gpg CURR_VERSION={{ .Version }}
 
 # https://goreleaser.com/customization/build/
 builds:
@@ -88,6 +88,9 @@ archives:
       - src: release_deps/com.observiq.collector.plist
         dst: "install"
         strip_parent: true
+      - src: release_deps/gpg/*
+        dst: gpg
+        strip_parent: true
 
 nfpms:
   - id: collector
@@ -741,6 +744,7 @@ release:
     - glob: "./observiq-otel-collector*.msi.sig"
     - glob: "./scripts/install/install_unix.sh"
     - glob: "./scripts/install/install_macos.sh"
+    - glob: "./release_deps/gpg-keys.zip"
 
 # https://console.cloud.google.com/storage/browser/bdot-release
 blobs:
@@ -752,6 +756,7 @@ blobs:
       - glob: "./observiq-otel-collector*.msi.sig"
       - glob: "./scripts/install/install_unix.sh"
       - glob: "./scripts/install/install_macos.sh"
+      - glob: "./release_deps/gpg-keys.zip"
 
 # https://goreleaser.com/customization/changelog/
 changelog:

Makefile

@@ -242,11 +242,18 @@ release-prep:
 	@echo 'v$(CURR_VERSION)' > release_deps/VERSION.txt
 	./buildscripts/download-dependencies.sh release_deps
 	@cp -r ./plugins release_deps/
+	@cp -r ./signature/gpg release_deps/gpg
+	@rm release_deps/gpg/revocations.md
 	@cp config/example.yaml release_deps/config.yaml
 	@cp config/logging.yaml release_deps/logging.yaml
 	@cp service/com.observiq.collector.plist release_deps/com.observiq.collector.plist
 	@jq ".files[] | select(.service != null)" windows/wix.json >> release_deps/windows_service.json
 
+.PHONY: release-prep-gpg
+release-prep-gpg:
+	$(MAKE) release-prep
+	@cd release_deps/gpg && zip -r ../gpg-keys.zip .
+
 # Build and sign, skip release and ignore dirty git tree
 .PHONY: release-test
 release-test:

signature/gpg/bdot-public-gpg-key.asc

@@ -0,0 +1,87 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGkcxWUBEADa+YPrVwO4J3g6ELtLQUyixx4nbIa88bD8lpxztTfizMLczxMv
+tlMGhDUgRPg7LJjebNq+C9XdcNjrce2PntVj8BNpXx+D8Qidxe+m0vM/BVs5EDp4
+MHB8WIT+LVVPqAJB3970Joj7xNv9I6kqEB3KAp9S47/RFA8w/mi8ca+heH2N4yEs
+SkcroDZvspjg7RdfoEn1YN6WVvfcT21nB/bsWnW+m78XOQXl0oodTFoidligsYkq
+XxawY5jzNTtJ5mQPk+X3ip4dFPN+S7w2FPbvOJS0vI94q1pdwEtzDkwGXjyZsHFi
+bVG2DnaYEsP5W3Tc7dUMBdD2VMWM3T4GKd6WlgTas9RM8mU14Izo2CmqY7waDVia
+cIDbN2DYfl2WQHzsOBu2Fu07Otr1fQrFR91Nk4LyUtkxPHk+cXVUzt0VYVuQE52d
+xc/6DwzSeiJ5J+pFyKHjMqUF0xZkO1trz3u9N8BK5eA68DMTxdlYbYQRh/pXyMtP
+3RoQqHvK5ZrHqzWJ97p4lWBV+XjkOzV8HHkM0AzRNB6Hqy/PXnXGRiFxeo/sQVpw
+IhWh3TTROnmmcY3Ap82Nz3zo61ED/6Tc0dBIYz0+LaXtOABNBCsdcaPtF/mCGY/r
+eIFgvBcPhU0KC6i6BNQ0XhPpOTvhVw/wAaq0zhVh+hmuzaK22i4L7859cwARAQAB
+tEdCRE9UIChQcmltYXJ5IGtleXBhaXIgZm9yIHRoZSBCRE9UIGNvbGxlY3Rvcikg
+PGlhbi5hZGFtc0BiaW5kcGxhbmUuY29tPokCTgQTAQoAOBYhBEbtUFEwhCTXWq6t
+gPssnupKodZMBQJpHMVlAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEPss
+nupKodZMWWAQALDLqAmK/57+ncCfJmcpa9jliBsGHJ7UbFEbHjhZq5Ij9k2t82fM
+Pp3qcmJTD2rzcE2KsBhm3yExMkUcTk8FcYLuRJsWOpqLqovtTOG4BNhzCZthlrn+
+vanJvKew+qvZdd/Fryo0aojUm2B6s5dgFSF+PUHnsO5bETWwR40PrRZD/BiWDH1X
+d3Styw8GmYu+7z8EBBrutW2TCblc03OMvGbS7NX820Kuak6HpjrJ1eKERPvWkJId
+tAN5qZteYaHNB71+RDKKFqsLBIexHFJ0l9IZ2DCO75EZ7qcQRNSHwPqPLLSgFMjy
+8x3fB/JWsA2l4KoL0NL4cde02kSgzVLJMuZq6IFEMQwMFtY2e9m+Xw/IcNmGQiLq
+CsXsw32zOa9oTtMiq9UYJMepS6dV3qHUNBUxtteqsjo+JLPuGi0XHEQwMFwvsJcC
+iwfUUU5IcqgyUSnceVNlLU9M0wPHMALLwyQZ6FO34Y+BzrsTygK8FAGJq6LUlbqf
+LWN7yq+d4vm7v71V/SpdiMWdR29OM8gUgrlbHMMctgmA4f8GTMZ2ei4uMtwLU9VF
+ZIzNBE/0Q5OvJb1KBrls2qxshnIbkOP0P9qkRNUZ0jrAcHsexp8JthMPWKiw27iH
+fckET4gGdvhvb5QBF6yRnX1s+goo3vHZGI3raYU099e5t/8IW+LQqjWduQINBGkc
+xWUBEADbxkdcs9ZZlW9thGlquphzmQC6DVAe8ScJ4sUAtPJsGs41R//Uo3yoRWJZ
+vD4ENv0+6MQms7kLe94hYrx05Hiy1I+fQBfvOt3soFQzIj2/+/hW2MKynwpzwqTs
+UKeengqCaAMpVjJCjp/aPKLKKxIANmka4dWe2ib+cKTHLQpelQlSeH6XzFZ9eOkK
+ywp69cdwXL/Ex3bacKauiY0h4WTfti23Gtxno/fmjVy+WsszJS3rNbmdQZqE1+Ze
+7WkKJkDS7lhC27TuoKtb3mE/zjFOHouDzhkBUp97DDi+zOEE4vCbHlwS9HXDDzYT
+lr4skEU3WU+V/v0g2muDtNWMoSMIJsttG739dSv8NHAItzdKIX/uhXrn4Hkvmdav
+vVY2JE40Jzzjj9GZDBihxEtjZg+oxJadSFEQcqZoDWNSUj3ErsrvqZJ/2u/JhWzd
+lUXo/Bbvqg83W7foxGg5IgR+BtiRfZ62SxagnNEYF7UCiU4qFm3nft67lMUi1YBN
+TV2pL1MKzYudt2U9c4CyEX1CYvsbw5SQSBAHW0b5CKpQJxQCx1ryOtEc7JnVi52j
+JtdCLld0MaLLkKg1ME375hE1N+ZzVFqNV6QvBqSRXSQARu4Muzh/0aQxjkP3uiV2
+bRHJ7VSILrEgbLYifVIAgskCRc3kqAtbo7p4ekFIwNYVUa7i9QARAQABiQI2BBgB
+CgAgFiEERu1QUTCEJNdarq2A+yye6kqh1kwFAmkcxWUCGwwACgkQ+yye6kqh1kyc
+gw/+Lw0ENmEBfw3Zu83LIKfiRn/nr1lFztJvAEj8/kKCBNFw17x02UUD4SSGdsIS
+7FonunaMybUh6n8JtJN023CFug3YODbvUZbmWqaPQir5TUROBf+QdRPxSWfEAlFg
+ENrDmeqAogDfMF5G9lO2DybvCkrfNJLw6i3z/nd4u9Djgelfpq3fUHr/BJ9OGo6D
+ZZBJ9HRa8tslWLbJL/uEXtNMKDNy/Drwgal9KhRejN7bmVtBuuwV+9Qdf6nJl7H3
+vb6U+nj1cUWM8sGnk9YG0JQ7bkpgJBEhKU5C+IbqltZHwbXpIknJQDA/Ja1LQyIj
+UtDzvknngO0QBRnj8Nigdkj3w9PsFXJkITnKKE5gfUCed+/bZ5mNFuj+1HJPb3El
+eeBvO9Hly+8xR+4DqXPcca05cwo4z6MG2+W1UqHp0ojeHXMvQYSshVpC1MdkQrbn
+AW1x1oHwiXtv8iw8meea0kA0Y88oQ7MNDwedlmM1JxNTwcJF1MMvH91GgFg8JJzi
+qOcacBmj3v3UaHzW/FAdgQRfrhXwsJfTkO2wLWbHnNjOit/XZXiWDDYl1Z9qd0+s
+hVy8c324gsy5mR58RAE22bgvVd75FP6Lqw6BkxyQk6Z1T4CYw5puVTBPi90qgq/j
+Ne+SZXiC8PlDOVFErPRiZV/HcubYEYXzUMH+wPkkvaCvXiO5Ag0EaRzVbgEQAKNM
+gU7rrqnaNWdbQ/QDfdrYCGBgZdESu2j3CUigakovK8mcjtj/KFtcGdTtqEAbBlxv
+Xq9/mMHyRHs39U6BMfvAjrWxbbKLSFGRKk1+JnWmVIfUjWCZecMQ7nPy1j6osBqX
+tFeeRxtES7T8lP2z6yJ0pr0/ZQcijG8K1bPRmfksLGTQd9xjPIXOBeeZZealZjiF
+KoQzxjIsUoN+ymV/nivoblzE33O/n8tNiOw1yxieeMSdg7/hzL4st2VlvO3qK1RF
+8pdkSkrKd/GCnN7HRwCklTGYdzujh9k0D9UBa0romV4/qJIYCyMUEJjXVzdGUrkd
+Mgsg3W2uXP+gfVx2n89ARYhu3qIJuWw7AmzkSVmZAUrHGWLrjlmfG9OcupaNT028
+o8C+OCAnJzNlGMUdedVsJV6RtbJLoLA4xHKkSXZKhuqEy2z5Y5VL9Kagwo2YpM7h
+AajwdWYe7GOonzVV/xx7NeVYdar6trTRZDqKy+eE01ZlhsD/6w+nP+Qa3Nr1M+kv
+3rSVKLnoKtLj+LikZzpKLuEzQSPGp8dHXZ7jRbRFIjPB8DYZ9cKrOi8SH0SyQY7e
+mJZ42m7qBtCDMZnUdzNipcLFG7nhpknX9vYk1TIyM5C9Cp5YbhxZltuH2TSrhxc3
+JA0XpzERQA1NjjmFeLbsm2O8BFBxzV60ZamOtdSxABEBAAGJBHIEGAEKACYWIQRG
+7VBRMIQk11qurYD7LJ7qSqHWTAUCaRzVbgIbAgUJAsfqAAJACRD7LJ7qSqHWTMF0
+IAQZAQoAHRYhBEi2nsPGR5yLQC+e6IPhAsXrn8bEBQJpHNVuAAoJEIPhAsXrn8bE
+QXAP/RaaZY0t8aXHMIMjqnhK8zkMsm1AqKxwi7JBBBu1KgWSQvswe1MviS0QR3Cn
+exPRGkhHSd+MfP9Sw0OxvE5hfsKK0NM9cnD6Zgd9sjP5eaaGjEa5Rd3h5jnYvJsA
+HEw2vy2bUQjL0VaxirbrvFmP47+HSJ1uXsLIS2TKeVmvtQjrh3x8YqCDdXmy4vPc
+COPLYRXS95Bskav6/5p8PIJ7IZlDEDMD8nsEwjCQP29wtoqRY/6TFae0f0Q1TjbU
+cI51hoBLeArKbyBcsJ/kfXHG/Uuc4ZIcYqNLgl+FYUeIx3S1TJXGMrX7NWXRGwKg
+uXqQKtx4A4rsMuimqFA20tD1/zV/05gtwnl5ifWSQJFz7JtTze1CKY1YjOlXSWUN
+qC+bEwRJVMyAir43hl2LhSnTEU6Og+cC0j8pSX+BVXxFNlZbU/DkXeZry73r+God
+XO5SIRsArG3NC9exgG2Ou2NZMGqd9nXLY6cqdqLNr/5oh3bqGQbzPllijwqBnv54
+blSFLBl2eFZ4PBW02VO2IRDS6sE1+RQ2QM6FO2pqhLfZIdOIbFkr4J5TIY18V2Tt
+6/d78ctN3vPKycL1wr5U+boUBOAFbXyxhzarckFOQRU+rbrCRV1CrEFD2rs0+mQK
+iot03qsDSkIIWC57TO8IdaP1bxQxvAJxOZzMEcde51LNmiedeKAQAIInxlbeBlzJ
+AzuJbs3FYUc3a1dgrbps+9c/6DPswuy9PqzZactdKFetJW1+DUCVT67U5+/S/Twl
+5M4RLN/IHqJz+HFMCovMuAl30uSNKJiMBfuiKV9N9m8c7kulDfU5fz0etHXu4dEc
+piKskUna57OXXavQuwO5fAy2X0Tcx6C+Hp1rV7niT6yrs7WT9gxg2bcbidk5Avjr
+cR1YIFN4OXPl77ndpStYsW46aQbw96ojv7I+PdgxaDHxseX3ix1Pb159V0ATnl1q
+cUim52mDFQYlme3V3Bq7e0dUCr8hMPVi2VxKcu87vfSvv+GTFO5im+o+3O7NpBP0
+NP8DMx2aMBZqjTBNp/d5lZxqJjHUOHujHVMFLCl2UTCksSCdYGJVVP3bNP2nGbFq
+ZdUea/IyCKbD7YYZeTSDAxHYtGpocAGoa1eMg4OUm5alCidag3cPjcJ7QF+axHAQ
+V1EIlgGozufLIEan4FYw5b1PZlxqeReFD4MbCDZEh5bsfX58MtcbHW2IXjCydTNR
+UKoLK8/cG3/KpGfXO8MkHV4myuq44TjUSkNjttbGdgajpP5CsPcHkBciBUXO+weX
+0wBNL9biSvLC/n9eoYX1y/yEIhP0TenSh8elxQaAIkzW7kLQdnWDCdXiLlevNgU8
+J8ou98jsYb6bLlenuyiMQVBgNDk1NxzZ
+=VtDX
+-----END PGP PUBLIC KEY BLOCK-----

signature/gpg/revocations.md

@@ -0,0 +1,7 @@
+# GPG Key Revocations
+
+Any primary public keys that have been revoked should be placed within the `revocations` folder.
+
+If a primary keypair has been lost or destroyed, its revocation certificate should be placed within the `revocations` folder.
+
+Once one of the above two steps has been taken for the revoked keypair, the release action and install scripts will distribute the revocations to prevent users from installing new software signed using the revoked keypair.