From 586c4d0ddcf0a55bd6ab792e9ad4a0eaf7dee2d2 Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Thu, 18 Jun 2026 22:10:07 +0000
Subject: [PATCH] fix(flatpak): sign the OSTree commit, not just the summary
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Install failed with "GPG verification enabled, but no signatures found" on the commit: the deploy step only ran build-update-repo (signs the summary). Add `flatpak build-sign` to sign the commit objects too — clients with gpg-verify=true verify the commit, so summary-only signing isn't enough.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/flatpak.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/flatpak.yml b/.gitea/workflows/flatpak.yml
index c3b3c52..590eae4 100644
--- a/.gitea/workflows/flatpak.yml
+++ b/.gitea/workflows/flatpak.yml
@@ -158,10 +158,15 @@ jobs:
 echo "::warning::FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* not set — skipping repo deploy (bundle still published)."
 exit 0
 fi
- # 1) Import the signing key into a throwaway keyring; sign the repo (commits + summary).
+ # 1) Import the signing key into a throwaway keyring; sign the repo.
 export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"
 echo "$FLATPAK_GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import
 KEYID="$(gpg --list-keys --with-colons | awk -F: '/^fpr:/{print $10; exit}')"
+ # build-sign signs the COMMIT objects; build-update-repo signs the SUMMARY. Both are
+ # required — clients with gpg-verify=true verify the commit, so summary-only signing
+ # fails the pull with "GPG verification enabled, but no signatures found".
+ flatpak build-sign "$PWD/repo" "$APP_ID" stable \
+ --gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME"
 flatpak build-update-repo --generate-static-deltas \
 --gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME" "$PWD/repo"
 # 2) Build the install descriptors (GPGKey = the committed public key, base64).
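Review bot: The new `flatpak build-sign` call signs only the one ref it names — `$APP_ID`, branch `stable`, the default architecture — so any other arch or branch the workflow exports (the hunk does not show which) would still reach clients unsigned with the same "no signatures found" error; if more than one is built, sign each exported ref, passing `--arch` where it is not the default. Because this failure was only discovered at install time, it is worth asserting the signature in CI right after signing, something like `ostree --repo="$PWD/repo" show --gpg-homedir="$GNUPGHOME" "app/$APP_ID/$(flatpak --default-arch)/stable"` followed by a grep for its signature line, so a missing or wrong-key signature fails the job rather than the user's pull. The throwaway keyring holding the private key is created in the context lines above and nothing in the hunk removes it; unless a later part of the step does, a `trap 'rm -rf -- "${GNUPGHOME:?}"' EXIT` after the `export GNUPGHOME=` line would drop the key material as soon as the step ends. The `run:` block this hunk belongs to starts and ends outside it.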