fix(flatpak): sign the OSTree commit, not just the summary
apple / swift (push) Successful in 54s
android / android (push) Has been cancelled
ci / web (push) Successful in 33s
ci / rust (push) Successful in 4m22s
ci / bench (push) Failing after 4m25s
decky / build-publish (push) Successful in 14s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 17s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 37s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 20s
deb / build-publish (push) Successful in 6m45s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m36s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m4s
docker / deploy-docs (push) Successful in 6s
flatpak / build-publish (push) Successful in 4m6s
ci / docs-site (push) Successful in 30s
Install failed with "GPG verification enabled, but no signatures found" on the commit: the deploy step only ran build-update-repo (signs the summary). Add `flatpak build-sign` to sign the commit objects too — clients with gpg-verify=true verify the commit, so summary-only signing isn't enough.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -158,10 +158,15 @@ jobs:
|
||||
echo "::warning::FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* not set — skipping repo deploy (bundle still published)."
|
||||
exit 0
|
||||
fi
|
||||
# 1) Import the signing key into a throwaway keyring; sign the repo (commits + summary).
|
||||
# 1) Import the signing key into a throwaway keyring; sign the repo.
|
||||
export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"
|
||||
echo "$FLATPAK_GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import
|
||||
KEYID="$(gpg --list-keys --with-colons | awk -F: '/^fpr:/{print $10; exit}')"
|
||||
# build-sign signs the COMMIT objects; build-update-repo signs the SUMMARY. Both are
|
||||
# required — clients with gpg-verify=true verify the commit, so summary-only signing
|
||||
# fails the pull with "GPG verification enabled, but no signatures found".
|
||||
flatpak build-sign "$PWD/repo" "$APP_ID" stable \
|
||||
--gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME"
|
||||
flatpak build-update-repo --generate-static-deltas \
|
||||
--gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME" "$PWD/repo"
|
||||
# 2) Build the install descriptors (GPGKey = the committed public key, base64).
|
||||
|
||||
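Review bot: The `flatpak build-sign "$PWD/repo" "$APP_ID" stable` call signs only the one app ref on the `stable` branch, so any other ref published from the same repo would still carry an unsigned commit and fail for gpg-verify=true clients with the same "no signatures found" error. If the repo holds more than that ref, sign each of them before `build-update-repo`, and consider a check after signing that every published ref's commit has a signature, so a regression is caught in CI and not at install time. Separately, `KEYID` is taken from the first `fpr:` line of `gpg --list-keys` with no check that it is non-empty; a guard such as `[ -n "$KEYID" ] || exit 1` ahead of the two signing commands would stop the job right after a failed key import instead of passing an empty `--gpg-sign` value on.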