chore: add comments and invoke the sign_with_gpg.sh script from publish.sh

jdomeracki-coder · jdomeracki-coder · commit 90e69dfa736e · 2025-07-08T14:50:17.000+02:00
diff --git a/scripts/build_go.sh b/scripts/build_go.sh
@@ -20,6 +20,9 @@
 # binary will be signed using ./sign_darwin.sh. Read that file for more details
 # on the requirements.
 #
+# If the --sign-gpg parameter is specified, the output binary will be signed using ./sign_with_gpg.sh.
+# Read that file for more details on the requirements.
+#
 # If the --agpl parameter is specified, builds only the AGPL-licensed code (no
 # Coder enterprise features).
 #
diff --git a/scripts/release/publish.sh b/scripts/release/publish.sh
@@ -129,26 +129,9 @@ if [[ "$dry_run" == 0 ]] && [[ "${CODER_GPG_RELEASE_KEY_BASE64:-}" != "" ]]; the
 	log "--- Signing checksums file"
 	log
 
-	# Import the GPG key.
-	old_gnupg_home="${GNUPGHOME:-}"
-	gnupg_home_temp="$(mktemp -d)"
-	export GNUPGHOME="$gnupg_home_temp"
-	echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --import 1>&2
-
-	# Sign the checksums file. This generates a file in the same directory and
-	# with the same name as the checksums file but ending in ".asc".
-	#
-	# We pipe `true` into `gpg` so that it never tries to be interactive (i.e.
-	# ask for a passphrase). The key we import above is not password protected.
-	true | gpg --detach-sign --armor "${temp_dir}/${checksum_file}" 1>&2
-
-	rm -rf "$gnupg_home_temp"
-	unset GNUPGHOME
-	if [[ "$old_gnupg_home" != "" ]]; then
-		export GNUPGHOME="$old_gnupg_home"
-	fi
-
+	execrelative ../sign_with_gpg.sh "$checksum_file"
 	signed_checksum_path="${temp_dir}/${checksum_file}.asc"
+
 	if [[ ! -e "$signed_checksum_path" ]]; then
 		log "Signed checksum file not found: ${signed_checksum_path}"
 		log
diff --git a/scripts/sign_with_gpg.sh b/scripts/sign_with_gpg.sh
@@ -5,7 +5,7 @@
 #
 # Usage: ./sign_with_gpg.sh path/to/binary
 #
-# On success, the input file will be signed using the GPG key.
+# On success, the input file will be signed using the GPG key and the signature output file will moved to /site/out/bin/ (happens in the Makefile)
 #
 # Depends on the GPG utility. Requires the following environment variables to be set:
 #  - $CODER_GPG_RELEASE_KEY_BASE64: The base64 encoded private key to use.
@@ -20,12 +20,10 @@ FILE_TO_SIGN="$1"
 
 if [[ -z "$FILE_TO_SIGN" ]]; then
 	echo "Usage: $0 <file_to_sign>"
-	exit 1
 fi
 
 if [[ ! -f "$FILE_TO_SIGN" ]]; then
 	echo "File not found: $FILE_TO_SIGN"
-	exit 1
 fi
 
 # Import the GPG key.
@@ -58,5 +56,4 @@ if [[ $verification_result -eq 0 ]]; then
 	echo "${FILE_TO_SIGN}.asc"
 else
 	echo "Signature verification failed!" >&2
-	exit 1
 fi

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,9 @@`
`20`	`20`	`# binary will be signed using ./sign_darwin.sh. Read that file for more details`
`21`	`21`	`# on the requirements.`
`22`	`22`	`#`
	`23`	`+# If the --sign-gpg parameter is specified, the output binary will be signed using ./sign_with_gpg.sh.`
	`24`	`+# Read that file for more details on the requirements.`
	`25`	`+#`
`23`	`26`	`# If the --agpl parameter is specified, builds only the AGPL-licensed code (no`
`24`	`27`	`# Coder enterprise features).`
`25`	`28`	`#`