ign with multiple keys: import three keys at once

igorpecovnik · igorpecovnik · commit 9111639624c1 · 2025-06-22T20:53:20.000+02:00
diff --git a/.github/workflows/pack-debian.yml b/.github/workflows/pack-debian.yml
@@ -36,18 +36,32 @@ on:
         type: string
 
     secrets:
-      GPG_PRIVATE_KEY:
-        required: true
-      PASSPHRASE:
-        required: true
-      SSH_KEY_TORRENTS:
+      PRIMARY_KEY:
+        required: false
+      PRIMARY_PASS:
+        required: false
+      SECONDARY_KEY:
+        required: false
+      SECONDARY_PASS:
         required: false
-      KNOWN_HOSTS_UPLOAD:
+      TERTIARY_KEY:
         required: false
+      TERTIARY_PASS:
+        required: false
+
+env:
+  PRIMARY_KEY: ${{ secrets.PRIMARY_KEY }}
+  PRIMARY_PASS: ${{ secrets.PRIMARY_PASS }}
+  SECONDARY_KEY: ${{ secrets.SECONDARY_KEY }}
+  SECONDARY_PASS: ${{ secrets.SECONDARY_PASS }}
+  TERTIARY_KEY: ${{ secrets.TERTIARY_KEY }}
+  TERTIARY_PASS: ${{ secrets.TERTIARY_PASS }}
 
 jobs:
 
   prepare:
+    name: Prepare releases
+    if: ${{ github.repository_owner == 'Armbian' }}
     runs-on: ubuntu-latest
     outputs:
       matrix: ${{ steps.prep.outputs.matrix }}
@@ -178,23 +192,49 @@ jobs:
           path: repository
           ref: repository
 
-      - name: Import GPG key
-        id: import_gpg
+      - name: Import PRIMARY GPG key
+        id: import_gpg_primary
+        if: env.PRIMARY_KEY != ''
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.PRIMARY_KEY }}
+          passphrase: ${{ secrets.PRIMARY_PASS || '' }}
+
+      - name: Import SECONDARY GPG key
+        id: import_gpg_secondary
+        if: env.SECONDARY_KEY != ''
         uses: crazy-max/ghaction-import-gpg@v6
         with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.PASSPHRASE }}
+          gpg_private_key: ${{ secrets.SECONDARY_KEY }}
+          passphrase: ${{ secrets.SECONDARY_PASS || '' }}
+
+      - name: Import TERTIARY GPG key
+        id: import_gpg_tertiary
+        if: env.TERTIARY_KEY != ''
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.TERTIARY_KEY }}
+          passphrase: ${{ secrets.TERTIARY_PASS || '' }}
+
+      - name: Add fingerprint to summary
+        if: env.TERTIARY_KEY != ''
+        run: |
+          echo "### 🔐 TERTIARY GPG Key Info" >> $GITHUB_STEP_SUMMARY
+          echo "- Fingerprint: \`${{ steps.import_gpg_tertiary.outputs.fingerprint }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- Key ID: \`${{ steps.import_gpg_tertiary.outputs.keyid }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- User: \`${{ steps.import_gpg_tertiary.outputs.name }} <${{ steps.import_gpg_tertiary.outputs.email }}>\`" >> $GITHUB_STEP_SUMMARY
 
       - name: Configure git identity
         working-directory: repository
+        env:
+          GPG_TTY: ${{ env.GPG_TTY || '/dev/tty' }}
         run: |
 
-          echo "Testing signing" | gpg --sign --armor
-
-          gpg -K
-          echo "#"
-          git config user.name github-actions
-          git config user.email github-actions@github.com
+          echo "Available GPG keys:" >> $GITHUB_STEP_SUMMARY
+          gpg --list-secret-keys --keyid-format LONG >> $GITHUB_STEP_SUMMARY
+          #cho "data" | gpg --armor --batch --yes --local-user DF00FAF1C577104B50BF1D0093D6889F9F0E78D5 --sign # need password
+          # echo "data" | gpg --armor --batch --yes --local-user B4A41B81566CC20009232FE45CD410F6B3CBB6BB --sign # need password
+          #cho "data" | gpg --armor --batch --yes --local-user 8CFA83D13EB2181EEF5843E41EB30FAF236099FE --sign
 
       - name: Deploy packages
         run: |
@@ -214,7 +254,6 @@ jobs:
           Architectures: amd64 arm64 armhf riscv64
           Components: main
           Description: Armbian development repo
-          SignWith: DF00FAF1C577104B50BF1D0093D6889F9F0E78D5
           EOD
 
           # Determine a list of binary debs to include in the repo
@@ -242,7 +281,24 @@ jobs:
           echo "Repository generated at ${REPO_DIR}/"
           fi
 
+          echo "Sign repo"
+          GPG_PARAMETERS=(
+            "--yes"
+            "--armor"
+            "-u" "DF00FAF1C577104B50BF1D0093D6889F9F0E78D5" # Igor Pecovnik (Ljubljana, Slovenia) <igor.pecovnik@gmail.com>
+            "-u" "8CFA83D13EB2181EEF5843E41EB30FAF236099FE" # Armbian Repository Signing Key (Repository Key) <info@armbian.com>
+          )
+          for i in ${REPO_DIR}/dists/*/Release
+          do
+            DISTRO_PATH="$(dirname "$i")"
+            echo $DISTRO_PATH
+            gpg "${GPG_PARAMETERS[@]}" --clear-sign -o "$DISTRO_PATH/InRelease" "$i"
+            gpg "${GPG_PARAMETERS[@]}" --detach-sign -o "$DISTRO_PATH/Release.gpg" "$i"
+          done
+
           cd ${REPO_DIR}
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
           git add .
           git commit -m "Updating repo" || true
           git push origin repository || true
