From c5e97d5bae049406bc1b492205978a2d4404462d Mon Sep 17 00:00:00 2001
From: Arijit Basu
Date: Fri, 4 Jun 2021 23:36:25 +0530
Subject: [PATCH] Sign releases with pgp

Closes: https://github.com/sayanarijit/xplr/issues/131
---
 .github/workflows/cd.yml | 43 ++++++++++++++++++++++++++++++----------
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 src/lua.rs | 9 +++++----
 4 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index d9c47c9..ccb9ae4 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -15,7 +15,6 @@ jobs:
 os:
 - macos-latest
 - ubuntu-latest
- # - windows-latest
 rust: [stable]
 include:
 - os: macos-latest
@@ -26,10 +25,6 @@ jobs:
 artifact_prefix: linux
 target: x86_64-unknown-linux-gnu
 binary_postfix: ""
- # - os: windows-latest
- # artifact_prefix: windows
- # target: x86_64-pc-windows-msvc
- # binary_postfix: ".exe"
 
 steps:
 - name: Installing Rust toolchain
@@ -54,6 +49,11 @@ jobs:
 toolchain: ${{ matrix.rust }}
 args: --locked --release --target ${{ matrix.target }}
 
+ - name: Install gpg secret key
+ run: |
+ cat <(echo -e "${{ secrets.GPG_SECRET }}") | gpg --batch --import
+ gpg --list-secret-keys --keyid-format LONG
+
 - name: Packaging final binary
 shell: bash
 run: |
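Review bot: The added `Install gpg secret key` step in `.github/workflows/cd.yml` expands `${{ secrets.GPG_SECRET }}` into the script text before bash parses it, so the key material is treated as shell source and any `"`, `$` or backtick in the value is interpreted instead of being passed through as data. The next hunk repeats the pattern for `secrets.GPG_PASS` in both signing commands and for the second key import in `publish-gpg-signature`; a passphrase containing such characters would be altered or would break the step. Put the secret under the step's `env:` as `GPG_SECRET: ${{ secrets.GPG_SECRET }}` and read it from the variable: `printf '%b' "$GPG_SECRET" | gpg --batch --import`. `gpg --list-secret-keys --keyid-format LONG` also prints the key ID and user IDs to the job log on every release, which is worth dropping once the import is known to work.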
@@ -62,17 +62,40 @@ jobs:
 strip $BINARY_NAME
 RELEASE_NAME=xplr-${{ matrix.artifact_prefix }}
 tar czvf $RELEASE_NAME.tar.gz $BINARY_NAME
- if [[ ${{ runner.os }} == 'Windows' ]]; then
- certutil -hashfile $RELEASE_NAME.tar.gz sha256 | grep -E [A-Fa-f0-9]{64} > $RELEASE_NAME.sha256
- else
- shasum -a 256 $RELEASE_NAME.tar.gz > $RELEASE_NAME.sha256
- fi
+ shasum -a 256 $RELEASE_NAME.tar.gz > $RELEASE_NAME.sha256
+ cat <(echo "${{ secrets.GPG_PASS }}") | gpg --pinentry-mode loopback --passphrase-fd 0 --detach-sign --armor $RELEASE_NAME.tar.gz
+
 - name: Releasing assets
 uses: softprops/action-gh-release@v1
 with:
 files: |
 target/${{ matrix.target }}/release/xplr-${{ matrix.artifact_prefix }}.tar.gz
 target/${{ matrix.target }}/release/xplr-${{ matrix.artifact_prefix }}.sha256
+ target/${{ matrix.target }}/release/xplr-${{ matrix.artifact_prefix }}.tar.gz.asc
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ publish-gpg-signature:
+ name: Publishing GPG signature
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Install gpg secret key
+ run: |
+ cat <(echo -e "${{ secrets.GPG_SECRET }}") | gpg --batch --import
+ gpg --list-secret-keys --keyid-format LONG
+
+ - name: Signing archive with GPG
+ run: |
+ VERSION=${GITHUB_REF##*/}
+ git archive -o xplr-${VERSION:?}.tar.gz --format tar.gz --prefix "xplr-${VERSION:?}/" "v${VERSION}"
+ cat <(echo "${{ secrets.GPG_PASS }}") | gpg --pinentry-mode loopback --passphrase-fd 0 --detach-sign --armor "xplr-${VERSION:?}.tar.gz"
+
+ - name: Releasing GPG signature
+ uses: softprops/action-gh-release@v1
+ with:
+ files: |
+ xplr-${GITHUB_REF##*/}.tar.gz.asc
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/Cargo.lock b/Cargo.lock
index 51377e8..cbafd00 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1048,7 +1048,7 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 
 [[package]]
 name = "xplr"
-version = "0.13.1"
+version = "0.13.2"
 dependencies = [
 "ansi-to-tui",
 "anyhow",
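Review bot: The new `publish-gpg-signature` job in `.github/workflows/cd.yml` holds the release signing key and a token that can publish releases, yet it references `actions/checkout@master` and `softprops/action-gh-release@v1` by mutable refs, so whatever those refs resolve to at release time runs in that job. Pin both to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha>`, and do the same for the `Releasing assets` step of the build job. Separately, `xplr-${GITHUB_REF##*/}.tar.gz.asc` under `files:` is an action input rather than shell, so the parameter expansion is presumably never performed and the pattern would match nothing; derive the name in the signing step and hand it over as a step output. Only the `.asc` is uploaded for an archive produced on the runner by `git archive`, so the signature verifies only against a byte-identical tarball; attaching the signed archive itself would remove that dependency.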
diff --git a/Cargo.toml b/Cargo.toml
index c9394a0..20b65fd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "xplr"
-version = "0.13.1" # Update lua.rs
+version = "0.13.2" # Update lua.rs
 authors = ["Arijit Basu "]
 edition = "2018"
 description = "A hackable, minimal, fast TUI file explorer"
diff --git a/src/lua.rs b/src/lua.rs
index dd36d94..34b8522 100644
--- a/src/lua.rs
+++ b/src/lua.rs
@@ -133,10 +133,11 @@ mod test {
 assert!(check_version(VERSION, "foo path").is_ok());
 assert!(check_version("0.13.0", "foo path").is_ok());
 assert!(check_version("0.13.1", "foo path").is_ok());
+ assert!(check_version("0.13.2", "foo path").is_ok());
 
- assert!(check_version("0.13.2", "foo path").is_err());
- assert!(check_version("0.14.1", "foo path").is_err());
- assert!(check_version("0.11.1", "foo path").is_err());
- assert!(check_version("1.13.1", "foo path").is_err());
+ assert!(check_version("0.13.3", "foo path").is_err());
+ assert!(check_version("0.14.2", "foo path").is_err());
+ assert!(check_version("0.11.2", "foo path").is_err());
+ assert!(check_version("1.13.2", "foo path").is_err());
 }
 }