unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 4 Wiki Activity

fix(flatpak): sign the OSTree commit, not just the summary
apple / swift (push) Successful in 54s
Details
android / android (push) Has been cancelled
Details
ci / web (push) Successful in 33s
Details
ci / rust (push) Successful in 4m22s
Details
ci / bench (push) Failing after 4m25s
Details
decky / build-publish (push) Successful in 14s
Details
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 17s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 37s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 20s
Details
deb / build-publish (push) Successful in 6m45s
Details
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m36s
Details
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m4s
Details
docker / deploy-docs (push) Successful in 6s
Details
flatpak / build-publish (push) Successful in 4m6s
Details
ci / docs-site (push) Successful in 30s
Details

Browse Source 
Install failed with "GPG verification enabled, but no signatures found" on the
commit: the deploy step only ran build-update-repo (signs the summary). Add
`flatpak build-sign` to sign the commit objects too — clients with
gpg-verify=true verify the commit, so summary-only signing isn't enough.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-18 22:10:07 +00:00
parent 1cd5e0e375
commit 586c4d0ddc
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/flatpak.yml
+6 -1
View File
@@ -158,10 +158,15 @@ jobs:
echo "::warning::FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* not set — skipping repo deploy (bundle still published)." echo "::warning::FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* not set — skipping repo deploy (bundle still published)."
exit 0 exit 0
fi fi
# 1) Import the signing key into a throwaway keyring; sign the repo (commits + summary). # 1) Import the signing key into a throwaway keyring; sign the repo.
export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME" export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"
echo "$FLATPAK_GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import echo "$FLATPAK_GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import
KEYID="$(gpg --list-keys --with-colons | awk -F: '/^fpr:/{print $10; exit}')" KEYID="$(gpg --list-keys --with-colons | awk -F: '/^fpr:/{print $10; exit}')"
# build-sign signs the COMMIT objects; build-update-repo signs the SUMMARY. Both are
# required — clients with gpg-verify=true verify the commit, so summary-only signing
# fails the pull with "GPG verification enabled, but no signatures found".
flatpak build-sign "$PWD/repo" "$APP_ID" stable \
--gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME"
flatpak build-update-repo --generate-static-deltas \ flatpak build-update-repo --generate-static-deltas \
--gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME" "$PWD/repo" --gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME" "$PWD/repo"
# 2) Build the install descriptors (GPGKey = the committed public key, base64). # 2) Build the install descriptors (GPGKey = the committed public key, base64).