Remove GPG and Checksum from Gradle steps, into github actions

mendhak · Nov 7, 2024 · 03401f9 · 03401f9
1 parent 3019a7c
commit 03401f9
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 26 deletions.
diff --git a/.github/workflows/generate-release-apk.yml b/.github/workflows/generate-release-apk.yml
@@ -42,23 +42,34 @@ jobs:
           SIGNING_KEY_ALIAS: ${{ secrets.SIGNING_KEY_ALIAS }}
           SIGNING_KEY_PASSWORD: ${{ secrets.SIGNING_KEY_PASSWORD }}
           SIGNING_STORE_PASSWORD: ${{ secrets.SIGNING_STORE_PASSWORD }}
-      - name: Sign and Checksum APK
-        run: ./gradlew copyFinalAPK -Psigning.gnupg.passphrase=${{ secrets.GPG_SIGNING_PASSWORD }} -Psigning.gnupg.executable=gpg 
-      - name: List the files
-        run: |
-          tree gpslogger/build/outputs/   
-          ls -lah gpslogger/ 
-      - uses: actions/attest-build-provenance@v1
-        id: attest
-        with:
-          subject-path: gpslogger/gpslogger-*.apk
+      - name: Copy and rename the APK
+        run: ./gradlew copyFinalAPK -Psigning.gnupg.passphrase=${{ secrets.GPG_SIGNING_PASSWORD }} -Psigning.gnupg.executable=gpg
       - name: Get APK and WORKFLOW REF
         id: references
         run: |
           APK_FILE_NAME=$(find gpslogger/ -maxdepth 1 -name "gpslogger-*.apk" -print -quit | xargs basename)
-          logIndex=$(jq -r '.verificationMaterial.tlogEntries[0].logIndex' < ${{ steps.attest.outputs.bundle-path }})
           echo "APK_FILE_NAME=$APK_FILE_NAME" >> "$GITHUB_OUTPUT"
           echo "GITHUB_WORKFLOW_REF=$GITHUB_WORKFLOW_REF" >> "$GITHUB_OUTPUT"
+      - name: GPG Sign the APK
+        run: |
+          gpg --pinentry-mode loopback --passphrase ${{ secrets.GPG_SIGNING_PASSWORD }}  --yes -ab --output  gpslogger/${{ steps.references.outputs.APK_FILE_NAME }}.asc gpslogger/${{ steps.references.outputs.APK_FILE_NAME }}
+      - name: Checksum the APK
+        run: |
+          cd gpslogger 
+          sha256sum gpslogger-132-rc2.apk > gpslogger-132-rc2.apk.SHA256
+      - name: Cosign Attestation of the APK
+        uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-path: gpslogger/gpslogger-*.apk
+      - name: List the files
+        run: |
+          tree gpslogger/build/outputs/   
+          ls -lah gpslogger/
+      - name: Get LOGINDEX
+        id: logindex
+        run: |
+          logIndex=$(jq -r '.verificationMaterial.tlogEntries[0].logIndex' < ${{ steps.attest.outputs.bundle-path }})
           echo "REKOR_LOGINDEX=$logIndex" >> "$GITHUB_OUTPUT"
       - name: Copy cosign bundle
         run: cp ${{ steps.attest.outputs.bundle-path }} gpslogger/${{ steps.references.outputs.APK_FILE_NAME }}.cosign.bundle
@@ -84,7 +95,7 @@ jobs:
             cosign verify-blob ${{ steps.references.outputs.APK_FILE_NAME }} --bundle ${{ steps.references.outputs.APK_FILE_NAME }}.cosign.bundle --new-bundle-format --cert-oidc-issuer https://token.actions.githubusercontent.com --cert-identity https://github.com/${{ steps.references.outputs.GITHUB_WORKFLOW_REF }}
             ```
             
-            [Rekor transparency log](https://search.sigstore.dev?logIndex=${{ steps.references.outputs.REKOR_LOGINDEX }})
+            [Rekor transparency log](https://search.sigstore.dev?logIndex=${{ steps.logindex.outputs.REKOR_LOGINDEX }})
           files: |
             gpslogger/gpslogger-*.apk
             gpslogger/gpslogger-*.apk.asc

diff --git a/gpslogger/build.gradle b/gpslogger/build.gradle
@@ -17,8 +17,8 @@ buildscript {
 //Android
 apply plugin: 'com.android.application'
 
-//Generating PGP
-apply plugin: 'signing'
+////Generating PGP
+//apply plugin: 'signing'
 //Generating colorful output
 apply from: 'buildtools/ColoredOutput.gradle'
 project.ext.set("GHACTIONS_FOLDING", true)
@@ -307,18 +307,18 @@ task copyFinalAPK(group:'build') {
             fileName.replace("gpslogger-release.apk", finalApkName)
         }
     }
-        //PGP Sign
-        //Verify with gpg --verify ~/Downloads/gpslogger-71.apk.asc
-    if(file(finalApkName).isFile()){
-        signing {
-            useGpgCmd()
-            sign file(finalApkName)
-        }
-
-        //SHA256 Checksum
-        //Verify with sha256sum -c ~/Downloads/gpslogger-71.apk.SHA256
-        ant.checksum(file: finalApkName, fileext: '.SHA256', algorithm: "SHA-256", pattern: "{0} {1}")
-    }
+//        //PGP Sign
+//        //Verify with gpg --verify ~/Downloads/gpslogger-71.apk.asc
+//    if(file(finalApkName).isFile()){
+//        signing {
+//            useGpgCmd()
+//            sign file(finalApkName)
+//        }
+//
+//        //SHA256 Checksum
+//        //Verify with sha256sum -c ~/Downloads/gpslogger-71.apk.SHA256
+//        ant.checksum(file: finalApkName, fileext: '.SHA256', algorithm: "SHA-256", pattern: "{0} {1}")
+//    }
 
 }