Cryptographic signatures give a minimal assurance that release files have not been altered unexpectedly. All CI runners have access to a private key that is used to sign every artifact produced by the Release Build workflow. The set of runners currently includes GitHub-hosted runners and private runners provisioned by Lamdera.

The public key is stored in `keys/gpg-actions.pub` and is used by `dev/build.sh publish-*` to verify the downloaded binaries before publishing.
- Remove the old key: `rm ./keys/github-actions.pub`
- Create the new key (`-W` leaves the secret key unencrypted, so it can be stored as a CI secret as-is): `minisign -G -W -s ./XXX_NEW_PRIVATE_KEY -p ./keys/github-actions.pub`
- Get the private key: `cat ./XXX_NEW_PRIVATE_KEY | base64`
- Copy the result as the value of `MINISIGN_PRIVATE_KEY` at https://github.com/avh4/elm-format/settings/secrets/actions
- Securely delete the private key: `shred -uvz XXX_NEW_PRIVATE_KEY`
- Check in the changes to `./keys/github-actions.pub`
- Push to a branch whose name starts with `release/` to trigger the Build Release workflows, and make sure they succeed.
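The failure mode of this rotation is a mismatch between the CI secret and the checked-in public key: every minisign key pair carries an 8-byte key ID that is embedded in both the `.pub` file and each `.minisig` file, so a stale secret or a stale public key shows up as a key-ID mismatch before any Ed25519 check is attempted. The following is an added example, not part of `dev/build.sh`, that decodes both files per the documented minisign format, checks the key ID, and (assuming the `cryptography` package is installed) performs the full verification; the sample keys at the bottom are constructed random bytes, not a real key pair.

```python
"""Check a minisign public key against a minisign signature file.

Format (from the minisign docs): .pub line 2 = base64("Ed" || key_id[8] || pk[32]);
.minisig line 2 = base64(alg[2] || key_id[8] || sig[64]), where alg "Ed" signs
the raw file and "ED" signs BLAKE2b-512(file).
"""
import base64
import hashlib


def parse_public_key(text: str) -> dict:
    """Decode the second line of a minisign .pub file."""
    raw = base64.b64decode(text.splitlines()[1].strip())
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign Ed25519 public key")
    return {"key_id": raw[2:10], "pk": raw[10:]}


def parse_signature(text: str) -> dict:
    """Decode the second line of a minisign .minisig file."""
    raw = base64.b64decode(text.splitlines()[1].strip())
    if len(raw) != 74 or raw[:2] not in (b"Ed", b"ED"):
        raise ValueError("not a minisign Ed25519 signature")
    return {"alg": raw[:2], "key_id": raw[2:10], "sig": raw[10:]}


def key_id_matches(pub_text: str, sig_text: str) -> bool:
    """False means the artifact was signed by a key other than the checked-in one,
    e.g. the CI secret or the .pub file was not updated during rotation."""
    return parse_public_key(pub_text)["key_id"] == parse_signature(sig_text)["key_id"]


def signed_payload(sig: dict, data: bytes) -> bytes:
    """What Ed25519 actually signed: the file itself, or its BLAKE2b-512 hash."""
    return hashlib.blake2b(data, digest_size=64).digest() if sig["alg"] == b"ED" else data


def verify(pub_text: str, sig_text: str, data: bytes) -> bool:
    """Full check; assumes the 'cryptography' package is available."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    pub, sig = parse_public_key(pub_text), parse_signature(sig_text)
    if pub["key_id"] != sig["key_id"]:
        return False
    try:
        Ed25519PublicKey.from_public_bytes(pub["pk"]).verify(sig["sig"], signed_payload(sig, data))
        return True
    except InvalidSignature:
        return False


# Constructed sample files (random-looking bytes, not a real key pair).
def make_pub(key_id: bytes, pk: bytes) -> str:
    return "untrusted comment: key\n" + base64.b64encode(b"Ed" + key_id + pk).decode() + "\n"


def make_sig(key_id: bytes, sig: bytes, alg: bytes = b"ED") -> str:
    body = base64.b64encode(alg + key_id + sig).decode()
    return "untrusted comment: sig\n" + body + "\ntrusted comment: t\n" + base64.b64encode(b"\0" * 64).decode() + "\n"


OLD_KEY_ID, NEW_KEY_ID = b"\x01" * 8, b"\x02" * 8
```

Run `key_id_matches` against a freshly built artifact after rotation; a mismatch with the new `.pub` means the runners are still signing with the old secret.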