From 5806804ae31b425189f2d9a891a1c79ab601bd77 Mon Sep 17 00:00:00 2001
From: Gaspard Kirira
Date: Tue, 10 Feb 2026 13:31:41 +0300
Subject: [PATCH] v1.34.49: passwordless minisign CI key + secure gitignore
---
 .github/workflows/release.yml | 7 +------
 .gitignore | 5 +++++
 minisign_ci.pub | 2 ++
 3 files changed, 8 insertions(+), 6 deletions(-)
 create mode 100644 minisign_ci.pub
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7f9582c..2a6b931 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -460,7 +460,6 @@ jobs:
 shell: bash
 env:
 MINISIGN_PRIVATE_KEY_B64: ${{ secrets.MINISIGN_PRIVATE_KEY_B64 }}
- MINISIGN_PASSWORD: ${{ secrets.MINISIGN_PASSWORD }}
 run: |
 set -euxo pipefail
 cd dist
@@ -479,13 +478,9 @@ jobs:
 printf "%s" "$MINISIGN_PRIVATE_KEY_B64" | base64 -d > "$keyfile"
 test -s "$keyfile"
- # clé minisign chiffrée -> password obligatoire
- test -n "${MINISIGN_PASSWORD:-}" || { echo "MINISIGN_PASSWORD missing" >&2; exit 1; }
-
 for f in vix-*.tar.gz vix-*.zip; do
 [ -f "$f" ] || continue
- # IMPORTANT: pas de -x (c'est le chemin du .minisig), et on envoie un vrai newline
- printf '%s\n' "$MINISIGN_PASSWORD" | "$MS" -S -s "$keyfile" -m "$f"
+ "$MS" -S -s "$keyfile" -m "$f"
 done
 rm -f "$keyfile"
diff --git a/.gitignore b/.gitignore
index 0edd615..a2ce605 100644
--- a/.gitignore
+++ b/.gitignore
@@ -77,3 +77,8 @@ create-labels.sh
 *.key
 *.minisig
 *.sha256
+# minisign private keys (CI)
+*.key
+*.key.b64
+minisign_ci.key
+minisign_ci.key.b64
diff --git a/minisign_ci.pub b/minisign_ci.pub
new file mode 100644
index 0000000..4e136c9
--- /dev/null
+++ b/minisign_ci.pub
@@ -0,0 +1,2 @@
+untrusted comment: minisign public key 3BD72CED2937E88
+RWSIfpPSznK9A1gWUc8Eg2iXXQwU5d9BYuQNKGOcoujAF2stPu5rKFjQ
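Review bot: Dropping `MINISIGN_PASSWORD` from the step env means the signing key is now protected only by the secret store, yet the step still runs under `set -euxo pipefail` (context line just below), so every command that touches the decoded key is traced to the job log and relies entirely on secret masking. An unencrypted key that leaks is immediately usable to sign releases, whereas the previous encrypted key would still have needed the passphrase. I would remove `x` from this step's `set` line, or bracket the key decode with `set +x` / `set -x`, and record the new trust assumption next to the env entry: `# unencrypted signing key: keep this secret environment-scoped with required reviewers`. Whether the secret is environment-scoped or repository-wide is not visible in the diff; if it is repository-wide, any workflow that can read it can produce valid release signatures. The `run:` block continues in the next hunk.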
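Review bot: The now-unencrypted key written to `$keyfile` is only deleted by the trailing `rm -f "$keyfile"`, which is on the success path; under `set -e` a failing `"$MS" -S -s "$keyfile" -m "$f"` aborts the step first and leaves the private key on disk in `dist`, where later steps may pick it up as an artifact or release asset (those steps are outside the hunk). Install the cleanup as a trap as soon as the key exists, `trap 'rm -f -- "$keyfile"' EXIT`, so it also runs on failure; the line that assigns `$keyfile` is not in the hunk. The removed `test -n "${MINISIGN_PASSWORD:-}"` guard was the only precondition check, and `test -s "$keyfile"` only proves the file is non-empty, so a wrong or still-encrypted secret now surfaces only as a minisign failure mid-loop; a comment such as `# key must be an unencrypted minisign secret key (minisign -G -W)` on the decode line would tell the next maintainer why no password is piped. The `MINISIGN_PASSWORD` secret itself is now unused and should be retired from the repository settings, which the commit cannot do.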
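Review bot: `*.key` is added again although it is already present as context three lines above, and that pattern already covers `minisign_ci.key`; of the five new lines only `*.key.b64` (which also covers `minisign_ci.key.b64`) widens what is ignored. I would keep `# minisign private keys (CI)` and `*.key.b64` and drop the other three. A .gitignore entry is a safety net rather than a control: `git add -f` still stages the file, and the CI step decodes the key into `dist/` at run time, which .gitignore does not govern.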
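Review bot: Nothing in the commit checks that the committed `minisign_ci.pub` corresponds to the private key held in `MINISIGN_PRIVATE_KEY_B64`, so a mismatched rotation would publish signatures that nobody can verify against this file. I would have the signing loop in release.yml verify each artifact right after signing, e.g. `"$MS" -Vm "$f" -p <path to minisign_ci.pub in the checkout>` (the path relative to `dist` is not visible in the diff), so a mismatch fails the release instead of shipping. The first line is, as minisign names it, an untrusted comment and is not covered by any signature; only the second line identifies the key, so the README or release notes should quote it together with the verification command users are expected to run. Whether such documentation exists cannot be seen from this diff.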