build: Generate .asc files for release packages (fixes #8897)

1 files changed, 22 insertions, 1 deletions

diff --git a/.github/workflows/build-syncthing.yaml b/.github/workflows/build-syncthing.yaml
index 5ec8df7cc..7669978eb 100644
--- a/.github/workflows/build-syncthing.yaml
+++ b/.github/workflows/build-syncthing.yaml
@@ -419,7 +419,7 @@ jobs:
           path: syncthing-source-*.tar.gz
 
   #
-  # Sign binaries for auto upgrade
+  # Sign binaries for auto upgrade, generate ASC signature files
   #
 
   sign-for-upgrade:
@@ -432,6 +432,7 @@ jobs:
       - package-linux
       - package-macos
       - package-cross
+      - package-source
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -460,9 +461,29 @@ jobs:
           mv packages-*/* packages
           pushd packages
           "$GITHUB_WORKSPACE/tools/sign-only"
+          rm -f "$PRIVATE_KEY"
         env:
           STSIGTOOL_PRIVATE_KEY: ${{ secrets.STSIGTOOL_PRIVATE_KEY }}
 
+      - name: Create and sign .asc files
+        run: |
+          sudo apt update
+          sudo apt -y install gnupg
+
+          export SIGNING_KEY="$RUNNER_TEMP/gpg-secret.asc"
+          echo "$GNUPG_SIGNING_KEY_BASE64" | base64 -d > "$SIGNING_KEY"
+          gpg --import < "$SIGNING_KEY"
+
+          pushd packages
+          files=(*.tar.gz *.zip)
+          sha1sum "${files[@]}" | gpg --clearsign > sha1sum.txt.asc
+          sha256sum "${files[@]}" | gpg --clearsign > sha256sum.txt.asc
+          gpg --sign --armour --detach syncthing-source-*.tar.gz
+          popd
+          rm -f "$SIGNING_KEY" .gnupg
+        env:
+          GNUPG_SIGNING_KEY_BASE64: ${{ secrets.GNUPG_SIGNING_KEY_BASE64 }}
+
       - name: Archive artifacts
         uses: actions/upload-artifact@v3
         with: