fix(flatpak): sign the OSTree commit, not just the summary

Install failed with "GPG verification enabled, but no signatures found" on the
commit: the deploy step only ran build-update-repo (signs the summary). Add
`flatpak build-sign` to sign the commit objects too — clients with
gpg-verify=true verify the commit, so summary-only signing isn't enough.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-18 22:10:07 +00:00
parent 8da8037b35
commit f4c0e7e805
+6 -1
View File
@@ -158,10 +158,15 @@ jobs:
echo "::warning::FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* not set — skipping repo deploy (bundle still published)." echo "::warning::FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* not set — skipping repo deploy (bundle still published)."
exit 0 exit 0
fi fi
# 1) Import the signing key into a throwaway keyring; sign the repo (commits + summary). # 1) Import the signing key into a throwaway keyring; sign the repo.
export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME" export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"
echo "$FLATPAK_GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import echo "$FLATPAK_GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import
KEYID="$(gpg --list-keys --with-colons | awk -F: '/^fpr:/{print $10; exit}')" KEYID="$(gpg --list-keys --with-colons | awk -F: '/^fpr:/{print $10; exit}')"
# build-sign signs the COMMIT objects; build-update-repo signs the SUMMARY. Both are
# required — clients with gpg-verify=true verify the commit, so summary-only signing
# fails the pull with "GPG verification enabled, but no signatures found".
flatpak build-sign "$PWD/repo" "$APP_ID" stable \
--gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME"
flatpak build-update-repo --generate-static-deltas \ flatpak build-update-repo --generate-static-deltas \
--gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME" "$PWD/repo" --gpg-sign="$KEYID" --gpg-homedir="$GNUPGHOME" "$PWD/repo"
# 2) Build the install descriptors (GPGKey = the committed public key, base64). # 2) Build the install descriptors (GPGKey = the committed public key, base64).