ci(github): verify commit #13
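name: Verify Commit Signatures

on:
  pull_request:
    branches:
      - master
      - develop
  push:
    branches:
      - master
      - develop

jobs:
  verify-commit-signature:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # On pull_request the default checkout is the synthetic
          # refs/pull/N/merge commit that GitHub creates. That commit is never
          # signed, so verifying HEAD there always fails. Verify the PR head
          # commit instead; push events keep the pushed SHA.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 1

      - name: Import GPG key
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Pass the actor through the environment instead of interpolating
          # ${{ }} into the script body, so the value is never parsed as shell.
          ACTOR: ${{ github.actor }}
        run: |
          # Author of the commit under review (HEAD after the checkout above).
          AUTHOR_EMAIL=$(git log -1 --pretty='format:%ae')
          AUTHOR_NAME=$(git log -1 --pretty='format:%an')
          echo "Commit author: $AUTHOR_NAME <$AUTHOR_EMAIL>"

          # Fresh GnuPG home on the runner; permissions must be 0700 or gpg warns.
          mkdir -p ~/.gnupg
          chmod 700 ~/.gnupg

          # Digest/cipher preferences and keyserver for this run only.
          cat > ~/.gnupg/gpg.conf << EOL
          # Digest Preferences
          personal-digest-preferences SHA256
          cert-digest-algo SHA256
          default-preference-list SHA256 SHA384 SHA512 AES256 AES192 AES
          # Keyserver and Trust
          keyserver hkps://keys.openpgp.org
          no-autostart
          use-agent
          # Security Enhancements
          require-cross-certification
          EOL

          mkdir -p ~/.gnupg/private-keys-v1.d
          chmod 700 ~/.gnupg/private-keys-v1.d

          echo "GPG Configuration:"
          cat ~/.gnupg/gpg.conf

          # NOTE(review): the only trust anchor here is "the signing key is
          # listed on github.actor's GitHub profile". The actor is whoever
          # triggered the run (the pusher, or the PR opener), not necessarily
          # the commit author, and anyone can attach any key to their own
          # profile. Pinning expected fingerprints (or an allowlist of
          # maintainer keys) is what would turn this into a real authorship
          # check; until then a G/U result proves self-consistency only.
          echo "Attempting to fetch GPG key for actor: $ACTOR"

          # Method 1: public key export from the actor's GitHub profile.
          GPG_KEY_URL="https://github.com/${ACTOR}.gpg"
          echo "Trying to fetch key from: $GPG_KEY_URL"
          curl -fsS "$GPG_KEY_URL" | gpg --import - || true

          # Method 2: the same keys via the REST API (authenticated, rate-limit safe).
          # select(.raw_key != null) avoids piping the literal string "null" into gpg.
          gh api "users/${ACTOR}/gpg_keys" \
            | jq -r '.[] | select(.raw_key != null) | .raw_key' \
            | gpg --import - || true

          echo -e "\nImported GPG Keys:"
          gpg --list-keys --keyid-format LONG
          gpg --list-signatures

          echo -e "\nKey Details for author email:"
          gpg --list-keys "$AUTHOR_EMAIL" || true

      - name: Comprehensive Signature Verification
        run: |
          # Only the checked-out commit is verified. With fetch-depth: 1 the
          # rest of a multi-commit push or PR is not available here, so earlier
          # commits in the range are NOT checked by this job.
          LATEST_COMMIT=$(git rev-parse HEAD)

          echo "Commit Details:"
          git log -1 --pretty=fuller

          echo -e "\n--- Signature Verification ---"
          # Best-effort: the exit status is decided from %G? below, not here.
          git verify-commit "$LATEST_COMMIT" || true

          echo -e "\n--- Signature Status Checks ---"
          # %G? is one of: G good, B bad, U good/untrusted key, X good/expired,
          # Y good/expired key, R good/revoked key, E missing key, N no signature.
          SIGNATURE_STATUS=$(git log --format='%G?' -n 1 "$LATEST_COMMIT")
          SIGNER_FPR=$(git log --format='%GF' -n 1 "$LATEST_COMMIT")
          SIGNER_NAME=$(git log --format='%GS' -n 1 "$LATEST_COMMIT")
          AUTHOR_EMAIL=$(git log --format='%ae' -n 1 "$LATEST_COMMIT")
          echo "Signature Status: $SIGNATURE_STATUS"
          echo "Signing key fingerprint: ${SIGNER_FPR:-<none>}"
          echo "Signer: ${SIGNER_NAME:-<none>}"

          echo -e "\n--- Signature Details ---"
          git log --show-signature -1

          # Imported keys carry no ownertrust, so a valid signature normally
          # reports U rather than G; both mean gpg verified the signature
          # against a key that was imported in the previous step.
          if [ "$SIGNATURE_STATUS" == "G" ] || [ "$SIGNATURE_STATUS" == "U" ]; then
            if [ -z "$SIGNER_FPR" ]; then
              echo "❌ Good status but no signing-key fingerprint reported; refusing to pass."
              exit 1
            fi
            # Surface (but do not fail on) a mismatch between the author email
            # and the UIDs on the signing key, e.g. noreply addresses.
            if ! gpg --with-colons --list-keys "$SIGNER_FPR" 2>/dev/null \
                 | grep '^uid' | grep -qi "<${AUTHOR_EMAIL}>"; then
              echo "::warning::Signing key $SIGNER_FPR has no UID matching author email $AUTHOR_EMAIL"
            fi
            echo "✅ Signature is good and verified (status $SIGNATURE_STATUS, key $SIGNER_FPR)."
          else
            echo "❌ Bad or missing signature (status: ${SIGNATURE_STATUS:-N})."
            exit 1
          fi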