change nfpms signing to embedded

Author: Benjosh95

.github/workflows/release.yaml

@@ -41,6 +41,11 @@ jobs:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_PASSPHRASE }}
 
+      - name: Create GPG key file
+        run: |
+          echo "${{ secrets.GPG_PRIVATE_KEY }}" > gpg-private-key.asc
+          chmod 600 gpg-private-key.asc
+      
       - name: Set up keychain
         run: |
           echo -n $SIGNING_CERTIFICATE_BASE64 | base64 -d -o ./ApplicationID.p12
@@ -71,7 +76,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+          GPG_KEY_PATH: ./gpg-private-key.asc
 
+      - name: Clean up GPG key file
+        run: |
+          rm -f gpg-private-key.asc
+      
       # artifacts need to be passed to the "publish-apt" job somehow
       - name: Upload artifacts to workflow
         uses: actions/upload-artifact@v4

.goreleaser.yaml

@@ -98,18 +98,26 @@ nfpms:
     formats:
       - deb
       - rpm
+    # The package is signed if a key_file is set
+    signature:
+      # PGP secret key file path (can also be ASCII-armored).
+      #
+      # See "Signing key passphrases" below for more information.
+      #
+      # Templates: allowed.
+      key_file: "{{ .Env.GPG_KEY_PATH }}"
 
-signs:
-  - artifacts: package
-    args:
-      [
-        "-u",
-        "{{ .Env.GPG_FINGERPRINT }}",
-        "--output",
-        "${signature}",
-        "--detach-sign",
-        "${artifact}",
-      ]
+# signs:
+#   - artifacts: package
+#     args:
+#       [
+#         "-u",
+#         "{{ .Env.GPG_FINGERPRINT }}",
+#         "--output",
+#         "${signature}",
+#         "--detach-sign",
+#         "${artifact}",
+#       ]
 
 # homebrew_casks:
 #   - name: stackit

scripts/publish-rpm-packages.sh

@@ -25,27 +25,30 @@ mkdir -p rpm-repo/aarch64
 # Copy RPM packages and signatures to appropriate architecture directories
 printf "\n>>> Copying RPM packages and signatures to architecture directories \n"
 
+# Copy RPM packages to appropriate architecture directories
+printf "\n>>> Copying RPM packages to architecture directories \n"
+
 # Copy x86_64 packages (amd64)
-for file in ${GORELEASER_PACKAGES_FOLDER}*_amd64.rpm*; do
-    if [ -f "$file" ]; then
-        cp "$file" rpm-repo/x86_64/
-        printf "Copied $(basename "$file") to x86_64/\n"
+for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_amd64.rpm; do
+    if [ -f "$rpm_file" ]; then
+        cp "$rpm_file" rpm-repo/x86_64/
+        printf "Copied $(basename "$rpm_file") to x86_64/\n"
     fi
 done
 
 # Copy i386 packages
-for file in ${GORELEASER_PACKAGES_FOLDER}*_386.rpm*; do
-    if [ -f "$file" ]; then
-        cp "$file" rpm-repo/i386/
-        printf "Copied $(basename "$file") to i386/\n"
+for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_386.rpm; do
+    if [ -f "$rpm_file" ]; then
+        cp "$rpm_file" rpm-repo/i386/
+        printf "Copied $(basename "$rpm_file") to i386/\n"
     fi
 done
 
 # Copy aarch64 packages (arm64)
-for file in ${GORELEASER_PACKAGES_FOLDER}*_arm64.rpm*; do
-    if [ -f "$file" ]; then
-        cp "$file" rpm-repo/aarch64/
-        printf "Copied $(basename "$file") to aarch64/\n"
+for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_arm64.rpm; do
+    if [ -f "$rpm_file" ]; then
+        cp "$rpm_file" rpm-repo/aarch64/
+        printf "Copied $(basename "$rpm_file") to aarch64/\n"
     fi
 done