Add gpg-sign step to drone

[sapk]

@go-gitea/owners need to add secrets (gpgsign_key, gpgsign_passphrase) to make this work and disclose the public part to be usefull ^^.
Friendly ping to @tboerger who develop the drone plugin.

Fix #4182
Related #4167

[techknowlogick]

should we sign the compressed files too?

[sapk]

Since they should be extract to be usefull ? It is possible but it is un-needed I think but if someone want it we can.

[techknowlogick]

I think it might be a good idea because if perhaps someone replaces the compressed file with perhaps a zip bomb. Signing the compressed file means they can check it before they extract.

[sapk]

done

[tboerger]

Only the xz files are getting uploaded, right? Than only sign *.xz

[daviian]

That's only a cosmetical improvement and can be added anytime. I don't see a need to delay this milestone any further.

[tboerger]

I can merge the gpgsign plugin, but to tag a release I have to be home

[daviian]

As long as we can merge and release RC today I'm fine

[tboerger]

Merged gpgsign PR and triggered a release => https://beta.drone.io/drone-plugins/drone-gpgsign/11

[sapk]

@lunny @tboerger done.

[codecov-io]

Codecov Report

Merging #4188 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #4188   +/-   ##
=======================================
  Coverage   20.09%   20.09%           
=======================================
  Files         153      153           
  Lines       30696    30696           
=======================================
  Hits         6168     6168           
  Misses      23586    23586           
  Partials      942      942

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 212fef0...bc76a71. Read the comment docs.

[sapk]

Steps to generate the key and import it :

# Generate key
gpg --full-generate-key 
 > 1 RSA et RSA
 > 4096
 > 0 (we could setup a expiration date but not necessary)
 > y
 > Gitea Drone Build System
 > [email protected]
 > y
 > (Provide a good random passphrase)

gpg --export-secret-keys -a LONG_KEY_ID_DISPLAY_AT_END_OF_GENERATION > path/to/private.key

# Import in drone
drone secret add --repository go-gitea/gitea --name gpgsign_key --value $(base64 -i path/to/private.key) --event push --event tag --image plugins/gpgsign
drone secret add --repository go-gitea/gitea --name gpgsign_passphrase --value password-for-key --event push --event tag --image plugins/gpgsign

# Disclose public key to every one
gpg --armor --export LONG_KEY_ID_DISPLAY_AT_END_OF_GENERATION > release_key.pub

[tboerger]

Please use sub keys, follow a guide like https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/ to generate GPG keys. Than you can also increase the trust of the endless valid key and use a sub signing key with a limited lifetime for signing the builds.

Beside that the public key should be uploaded to the keyservers and also been provided via the download server.

[daviian]

Do we really need the push event here?
Since release only happens on tagging, it should be sufficient here as well?

[lunny]

https://dl.gitea.io/gitea/master

[tboerger]

Now there is also a PR to provide some documentation for the gpgsign plugin: drone/drone-plugin-index#129

[tboerger]

Now you can add the excludes attribute and simplify this step :D

[lunny]

Wait util I setup drone.