.goreleaser.yml: add binary-only releases and ed25519 signatures

This lays the groundwork for future secure self-updates.
The corresponding public key is in selfupdate/ed25519.pem.

Co-Authored-By: sketch <hello@sketch.dev>
Change-ID: s5b7440b1a9e2c5e3k
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index d511538..d35e58f 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -30,6 +30,21 @@
           go-version-file: "${{ inputs.working-directory || '.'}}/go.mod"
           cache: true
 
+      - name: Install selfupdatectl
+        run: go install github.com/fynelabs/selfupdate/cmd/selfupdatectl@v0.2.1
+
+      - name: Extract Ed25519 signing key
+        env:
+          SELFUPDATE_SIGNING_KEY_B64: ${{ secrets.SELFUPDATE_ED25519_PRIVATE_KEY }}
+        run: |
+          # when https://github.com/fynelabs/selfupdate/issues/39 is fixed, we can stop writing to disk
+          set -euo pipefail
+          [[ -z "${SELFUPDATE_SIGNING_KEY_B64:-}" ]] && { echo >&2 "Signing key secret missing"; exit 1; }
+          selfupdate_keyfile=$(mktemp "$RUNNER_TEMP/ed25519.XXXXXX")
+          chmod 600 "$selfupdate_keyfile"
+          echo "$SELFUPDATE_SIGNING_KEY_B64" | base64 -d > "$selfupdate_keyfile"
+          echo "SELFUPDATE_PRIVKEY_PATH=$selfupdate_keyfile" >>"$GITHUB_ENV"
+
       - name: Check for changes since last tag
         id: check_changes
         run: |
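Review bot: The private key is decoded to disk in "Extract Ed25519 signing key" before "Check for changes since last tag" decides whether this run releases anything, so the key material is present on the runner for the whole job even on runs that end up publishing nothing. Moving the extraction step after the check and gating it on that step's output (the same condition the release step presumably uses — the rest of the workflow is outside this hunk) keeps the key on disk only when a signature is actually going to be produced. The `chmod 600` on the line after `mktemp` is redundant, since `mktemp` already creates the file with mode 0600, but it is harmless. Consider `printf '%s' "$SELFUPDATE_SIGNING_KEY_B64" | base64 -d > "$selfupdate_keyfile"` instead of `echo`, so a secret value that happens to start with `-` cannot be taken as an echo option.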
@@ -100,3 +115,10 @@
             });
         env:
           TAG: ${{ steps.check_changes.outputs.tag }}
+
+      - name: Clean up signing key
+        if: always()
+        run: |
+          if [[ -n "${SELFUPDATE_PRIVKEY_PATH:-}" && -f "$SELFUPDATE_PRIVKEY_PATH" ]]; then
+            shred -u "$SELFUPDATE_PRIVKEY_PATH"
+          fi
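Review bot: `shred -u` will fail on a runner where GNU `shred` is not installed (macOS images, for example), and because GitHub runs `run:` scripts with `bash -e` the cleanup step would then mark an otherwise successful job as failed; the runner OS is not visible in this hunk, so this may or may not apply. A fallback keeps the deletion guaranteed: `shred -u "$SELFUPDATE_PRIVKEY_PATH" 2>/dev/null || rm -f "$SELFUPDATE_PRIVKEY_PATH"`. Separately, the extraction step in the first hunk writes `SELFUPDATE_PRIVKEY_PATH` to `$GITHUB_ENV` only after the `base64 -d` succeeds, so a decode failure under `pipefail` leaves the temp file behind with nothing pointing at it for this cleanup to find; writing the `GITHUB_ENV` line immediately after `mktemp` lets this step cover that path too.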
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 71b255a..ddc4407 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -36,6 +36,19 @@
     files:
       - README.md
       - LICENSE
+  - id: releaseBinary
+    format: binary
+    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+
+signs:
+  - id: ed25519-sign
+    cmd: selfupdatectl
+    args:
+      - "sign"
+      - "--private-key={{.Env.SELFUPDATE_PRIVKEY_PATH}}"
+      - "${artifact}"
+    signature: "${artifact}.ed25519"
+    artifacts: all
 
 release:
   github:
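Review bot: `--private-key={{.Env.SELFUPDATE_PRIVKEY_PATH}}` renders to an empty path whenever the variable is unset — a local `goreleaser` run, or any CI path where the extraction step did not run — and the resulting failure comes from `selfupdatectl` rather than from a clear message about the missing environment. A comment above `signs:` such as `# SELFUPDATE_PRIVKEY_PATH is set by .github/workflows/release-build.yml; use GoReleaser's skip-sign option for local builds` would make the dependency explicit; a stricter alternative is to have the workflow fail early when the variable is absent. The new ids also mix conventions (`releaseBinary` next to `ed25519-sign`); picking one style for ids within the file would be consistent with the guidance on key naming. With `artifacts: all`, the checksum file is signed as well as the binaries, which is fine, but the verifier on the client side should be pinned to the committed `selfupdate/ed25519.pem` key rather than to anything shipped alongside the release.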
diff --git a/selfupdate/ed25519.pem b/selfupdate/ed25519.pem
new file mode 100644
index 0000000..15dfa4b
--- /dev/null
+++ b/selfupdate/ed25519.pem
@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAV4E+fJoShyziYCA5HjaafxIEX0DzIzwPwTyKOlappE8=
+-----END PUBLIC KEY-----