chore: remove nix flakes, add SECURITY.md, sign releases using PGP

cbrgm · cbrgm · commit d59134339b0b · 2026-02-12T02:13:40.000+01:00
diff --git a/.anvil.lock b/.anvil.lock
@@ -1,5 +1,5 @@
 {
-  "generated_at": "2026-02-11T09:46:34.649665422Z",
+  "generated_at": "2026-02-12T01:12:52.55929482Z",
   "version": "1.3.1",
   "files": [
     {
@@ -84,10 +84,7 @@
       "path": "Makefile"
     },
     {
-      "path": "flake.lock"
-    },
-    {
-      "path": "flake.nix"
+      "path": "SECURITY.md"
     }
   ]
 }
diff --git a/.github/workflows/go-binaries.yml b/.github/workflows/go-binaries.yml
@@ -38,6 +38,17 @@ jobs:
         id: release
         run: make release
 
+      - name: Sign release
+        id: gpgsign
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: cbrgm/pgp-sign-artifact-action@v1
+        with:
+          private_key: ${{ secrets.GNUPG_KEY }}
+          passphrase: ${{ secrets.GNUPG_PASSWORD }}
+          detach_sign: true
+          files: dist/*
+          excludes: dist/*.sha256
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         if: startsWith(github.ref, 'refs/tags/')
diff --git a/Makefile b/Makefile
@@ -92,7 +92,11 @@ $(BIN)/$(EXECUTABLE)-debug: $(SOURCES)
 	$(GOBUILD) -v -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -gcflags '$(GCFLAGS)' -o $@ ./cmd/$(NAME)
 
 .PHONY: release
-release: $(DIST) release-linux release-darwin release-windows
+release: $(DIST) release-linux release-darwin release-windows release-checksum
+
+.PHONY: release-checksum
+release-checksum:
+	cd $(DIST); $(foreach file,$(wildcard $(DIST)/$(EXECUTABLE)_*),sha256sum $(notdir $(file)) > $(notdir $(file)).sha256;)
 
 $(DIST):
 	mkdir -p $(DIST)
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,101 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest release is actively supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest  | :white_check_mark: |
+| < latest | :x:               |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly:
+
+1. **Do not** open a public GitHub issue
+2. Send an email to **github@cbrgm.net** with:
+   - A description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Any suggested fixes (optional)
+
+You can expect:
+- An acknowledgment within 48 hours (at least I try to, since I'm doing this in my freetime)
+- Regular updates on the progress
+- Credit in the security advisory (unless you prefer to remain anonymous)
+
+## Verifying Release Signatures
+
+All release binaries are signed with PGP. To verify a release:
+
+### 1. Import the Public Key
+
+```bash
+gpg --import <<'EOF'
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGmNIX8BEACwa36sCFVDDnIVnNZHqLYKoj0eZn1SoWXhVQKxR1QYniFeq8+u
+5KZ/5INXhWzUT8jpoh/2lzxBg6IT8dTXdmZ1vgM0s3KtJp+uNPmmggYlx69rwtVi
+PE0JOeCMtlbM70SCVM86eHA9gdXyXqBT1OERdkq1EfNshWz4MFJWDXNcx5VksHpY
+MJHrSfENOIjnYOjyI88OEtIs1XSKCEFbWfNh//Tbk4DsO07wwi5G2QLFRt1rZM3d
+SHNAo+s+qDc3oLZCQ5KBPKpPETO9PgwCfaRLQ1TGSTyQUr3Ok06rpdjyp9OD4bw5
+Vs4apWFNiJ7xkofbyOoi5zrrkrQMWhHhrCHYcuvvVvrHrsAVcv2t+nzXbKy7GXcO
+xT3xeggT7ohmNR7QBn7flKHvucVj6HI+879l7U0KoX/m4gvWNQufHu9mYFCiW9C3
+L4P3onf503FPQgMhptt3R+OQLQcnFDu+78lpVNQDNeRwc4XqedUEGFpBhzO3DQJO
+dHshlty6GSMtG+N50dpjpetmFg4RG/fI4sdyYAZoiXyfcnzXu9Q4QVMmhr9QgnWs
+Mf9skQ54sPLwLk5xBjrQK7HE0Mr5aUTCMtybVYApb9Ft1XJ2Z9FpKz2mNnbw9HXv
+/8i+WQ2i3yvC5PN0pPezZBSgDf3r9J14sHUqDiHSZt84LQ1T9meirl2iXQARAQAB
+tCVDaHJpc3RpYW4gQmFyZ21hbm4gPGdpdGh1YkBjYnJnbS5uZXQ+iQJRBBMBCAA7
+FiEE3iykF4aUXFzBL19DXx8YVj5HZmYFAmmNIX8CGwMFCwkIBwICIgIGFQoJCAsC
+BBYCAwECHgcCF4AACgkQXx8YVj5HZmYomxAAiUof2u9yvxeJXy6TNYIpcJqvsKw4
+++DJ5m+PH0v8qBATYvYqqpN3CNG7OyoM4OM8ziBVwwSno0A7tB7fE6vzBi/Znij9
+Sni6neJk48FL2mTDI+Z/RHOf1b2zGFKgnS7V2IpTWXbMW/OKzSy5xxgOIg9VEdRT
+rJGPqquSoRf12YCQe76aNibMRIeK9Npq/DbVAtD7g+g1sbNI9rkuFEav+ehAXtNk
+hPexwG0k2hILwG2ljKJ4mCocvIl5jR7e+fnrp0E7COYP0qH7Ou8mTowPjIozlG7J
+5ZNuIMVW1KAQtM4n0UIHMG72uB0G30oMA5WZIXCI3NqxudlznTmoJgGrHIrKRMu7
+TT6w2rLG6xTdX96Q/boeIBOHI2riQVEN55pswPoXBTTadFzKQ4bQnot4JXXs0oBj
+L4DfLhC0bBOnGSFBoEeTqrjHmSszdWjEi6hEskMcKqqXDnsQj2p9E0axXtYbU8JF
+NZSoZ+b9M+2bqzq2JsDZJBJocmTkXH13mZYtmr1wTOVI8TaKe9OuKnv7kOKTLWDf
+wslay7US3LuGSziUAb0BIBJWMcZs/ou+W5wT85iLOjkiEvnUx8J5rR137Xl72ZUk
+Z46Jit0Zi3BnADqx0Q6pJfDgRlQ/R7adpm6DLTLVl/+LWH5aNy+U7nSBQ+bFimnJ
+dnWz3mMJWwgwNeE=
+=fBYq
+-----END PGP PUBLIC KEY BLOCK-----
+EOF
+```
+
+Alternatively, fetch the key from a keyserver:
+
+```bash
+gpg --keyserver keys.openpgp.org --recv-keys DE2CA41786945C5CC12F5F435F1F18563E476666
+```
+
+### 2. Verify the Key Fingerprint
+
+Ensure the key fingerprint matches:
+
+```
+pub   rsa4096 2026-02-12 [SC]
+      DE2C A417 8694 5C5C C12F  5F43 5F1F 1856 3E47 6666
+uid           [ultimate] Christian Bargmann <github@cbrgm.net>
+```
+
+### 3. Verify a Release
+
+```bash
+# Verify the signature
+gpg --verify <binary>.asc <binary>
+
+# Verify the checksum
+sha256sum -c <binary>.sha256
+```
+
+## Security Best Practices
+
+When using this project:
+
+- Always verify release signatures before deploying
+- Keep dependencies up to date
+- Review the changelog before upgrading
+- Pin to specific versions in production environments (!)
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "generated_at": "2026-02-11T09:46:34.649665422Z",`
	`2`	`+ "generated_at": "2026-02-12T01:12:52.55929482Z",`
`3`	`3`	`"version": "1.3.1",`
`4`	`4`	`"files": [`
`5`	`5`	`{`
`@@ -84,10 +84,7 @@`
`84`	`84`	`"path": "Makefile"`
`85`	`85`	`},`
`86`	`86`	`{`
`87`		`- "path": "flake.lock"`
`88`		`- },`
`89`		`- {`
`90`		`- "path": "flake.nix"`
	`87`	`+ "path": "SECURITY.md"`
`91`	`88`	`}`
`92`	`89`	`]`
`93`	`90`	`}`