
How to GPG sign a file that is built by Travis-CI

I see that Travis has a workflow for encrypting files, here.

My use case is slightly simpler, I just want to generate a signature for a file that has been built on Travis-CI. Say:

hello-0.0.1-a.bin.asc
hello-0.0.1-a.bin
pubkey.gpg 
<or> hello-0.0.1-a.pub

In this case hello-0.0.1-a.bin is created by a Travis build, and will be pushed to Github as a release. Likewise the signature must also be pushed to Github as a release (i.e. under the same tag).

I don't strongly care (i.e. not a deal breaker) if the private/public key-pair is unique to that build. But it would be ideal if the private/public key-pair is shared between builds.

Appreciate any hints, tips or incantations.

Hedgehog asked Jul 19 '17 11:07




1 Answer

It basically comes down to a few steps.

  1. Export the secret keys from your gpg keyring: gpg --export-secret-keys > all.gpg
  2. Use the travis ruby gem to encrypt-file the gpg keyring (e.g. all.gpg):

    $ travis encrypt-file all.gpg --add
    encrypting all.gpg for rkh/travis-encrypt-file-example
    storing result as all.gpg.enc
    storing secure env variables for decryption

  3. Add all.gpg.enc to your repo (NOT the unencrypted all.gpg)
  4. Make sure that the repo can access secure variables
  5. Add this line to your .travis.yml file to decrypt your encrypted private signing key (the IV comes from the separate _iv variable that encrypt-file stores, not from the _key variable):

    openssl aes-256-cbc -K $encrypted_0a6446eb3ae3_key -iv $encrypted_0a6446eb3ae3_iv -in all.gpg.enc -out all.gpg -d

  6. Import the gpg keys: gpg --import all.gpg
  7. Sign your image: gpg --output hello.bin.asc --sign hello.bin

Make sure to add all.gpg.enc to the git repository.
Make sure not to add all.gpg to the git repository.
Commit all changes to your .travis.yml.
StephenG answered Oct 20 '22 17:10
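The seven steps above are easy to get subtly wrong (wrong IV variable, plaintext keyring left on disk, a signature nobody verified before upload), so here is an added example, not part of the answer or of Travis's own tooling, that rehearses the whole pipeline locally in a throwaway directory: export a keyring, encrypt it with the same AES-256-CBC primitive travis encrypt-file uses (the key and IV are generated here and printed instead of being stored as Travis secure variables), decrypt it the way the .travis.yml line does, import it into a clean GNUPGHOME, sign the artifact, and verify the signature before anything would be uploaded. Two deliberate differences from the answer: the key, user id (release@example.invalid), file names and directories are all constructed for this script, and it uses gpg --detach-sign --armor rather than --sign, so hello.bin is published unchanged and hello.bin.asc is the separate signature listed in the question, checkable by anyone with gpg --verify hello.bin.asc hello.bin. It needs gpg (2.1.17 or newer for --quick-gen-key) and openssl on the PATH.

```shell
#!/bin/sh
# Added example (not the answer's script): local rehearsal of the Travis signing flow.
# Every name here (release@example.invalid, hello.bin, the temp dirs) is made up for the demo.
set -eu

# 1. Stand-in for `travis encrypt-file`: AES-256-CBC with a random 256-bit key and
#    128-bit IV. Travis would store these as encrypted_<id>_key / encrypted_<id>_iv
#    secure variables; here they are printed so the caller can pass them on.
encrypt_keyring() {   # usage: encrypt_keyring all.gpg all.gpg.enc  -> prints "KEY IV"
    key=$(openssl rand -hex 32)
    iv=$(openssl rand -hex 16)
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$1" -out "$2"
    printf '%s %s\n' "$key" "$iv"
}

# 2. What the decrypt line in .travis.yml does. The IV is its own value,
#    not a second copy of the key.
decrypt_keyring() {   # usage: decrypt_keyring all.gpg.enc all.gpg KEY IV
    openssl enc -aes-256-cbc -d -K "$3" -iv "$4" -in "$1" -out "$2"
}

# 3. Create a throwaway signing key in an isolated GNUPGHOME and export its
#    secret part (what step 1 of the answer does with your real keyring).
make_throwaway_keyring() {   # usage: make_throwaway_keyring DIR  -> writes DIR/all.gpg
    export GNUPGHOME="$1/keyring-dev"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Release Bot (example) <release@example.invalid>' default default never
    gpg --batch --quiet --export-secret-keys > "$1/all.gpg"
    gpgconf --kill gpg-agent
}

# 4. The build side: fresh GNUPGHOME (as on a CI worker), import, detached armored
#    signature, then verify before upload. Prints "verified" or "FAILED".
sign_and_verify() {   # usage: sign_and_verify DIR all.gpg hello.bin
    export GNUPGHOME="$1/keyring-ci"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$2"
    gpg --batch --quiet --yes --armor --detach-sign --output "$3.asc" "$3"
    if gpg --batch --quiet --verify "$3.asc" "$3" 2>/dev/null; then
        echo verified
    else
        echo FAILED
    fi
    gpgconf --kill gpg-agent
}

# Driver: run the whole pipeline in a temp dir; the only stdout is the verify result.
rehearse_release_signing() {
    work=$(mktemp -d)
    printf 'pretend this is a built binary\n' > "$work/hello.bin"   # constructed artifact
    make_throwaway_keyring "$work"
    secrets=$(encrypt_keyring "$work/all.gpg" "$work/all.gpg.enc")
    rm "$work/all.gpg"                 # only all.gpg.enc would be committed
    # shellcheck disable=SC2086  (intentional split into KEY and IV)
    decrypt_keyring "$work/all.gpg.enc" "$work/all.gpg" $secrets
    sign_and_verify "$work" "$work/all.gpg" "$work/hello.bin"
    rm -rf "$work"
}

if [ "${1:-}" = "run" ]; then
    rehearse_release_signing
fi
```

Run it with `sh rehearse.sh run`; the single line of output should be `verified`. On a real pipeline the equivalent of `sign_and_verify` is what belongs in .travis.yml, with the decrypt step reading the two secure variables, and the verify call is the cheap check that the signature you are about to attach to the release actually matches the key you expect.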