@@ -127,12 +127,10 @@ jobs:
127127 name : conan-packages-${{ matrix.platform }}-${{ matrix.arch }}
128128 path : dist/*
129129
130- # Job to create a DRAFT release (only for release branches)
131130 create-draft :
132131 name : Create Draft Release
133132 needs : [prepare, package]
134133 runs-on : ubuntu-latest
135- # This job only runs for branches like 'release/2.X'
136134 # if: startsWith(github.ref_name, 'release/2.') # uncomment later, now for testing
137135 steps :
138136 - name : Generate Write-Access App Token
@@ -155,6 +153,28 @@ jobs:
155153 with :
156154 name : release-notes
157155
156+ - name : Setup GPG
157+ run : |
158+ echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import
159+ echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --local-user "${{ secrets.GPG_KEY_ID }}" --armor --detach-sign -o /dev/null /dev/null
160+
161+ - name : Generate and Sign Checksums
162+ id : checksum
163+ run : |
164+ CHECKSUM_FILE="${{ needs.prepare.outputs.conan_version }}-SHA-256.txt"
165+ cd dist
166+ # Use find to avoid issues with too many arguments for sha256sum
167+ find . -type f -name 'conan-*' -exec sha256sum {} + > $CHECKSUM_FILE
168+ echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign --local-user "${{ secrets.GPG_KEY_ID }}" $CHECKSUM_FILE
169+ cd ..
170+ echo "checksum_file_name=$CHECKSUM_FILE" >> $GITHUB_OUTPUT
171+
172+ - name : Verify Signed Checksums
173+ run : |
174+ echo "Verifying GPG signature..."
175+ echo "${{ secrets.GPG_PUBLIC_KEY }}" | gpg --batch --import
176+ gpg --verify dist/${{ steps.checksum.outputs.checksum_file_name }}.asc dist/${{ steps.checksum.outputs.checksum_file_name }}
177+
158178 - name : List downloaded files
159179 run : |
160180 ls
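Review bot: The three added steps expand `${{ secrets.* }}` directly into the `run:` script text, so the private key and passphrase are pasted into the generated shell script, and any `"`, `$` or backtick in a value is interpreted by the shell. Pass them through `env:` and read them as quoted shell variables, as sketched below. The "Verify Signed Checksums" step imports the public key into the same keyring that already holds the signing key, so a good result does not show that the stored public key matches the signature; verifying under a fresh `GNUPGHOME` would. The job's `if:` branch guard is still commented out ("uncomment later, now for testing"), so the signing steps run for every ref that triggers this workflow; the triggers are outside the hunk. `$CHECKSUM_FILE` is also unquoted in the `find … >` redirect and in the `gpg` call.

```yaml
      - name: Setup GPG
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
        run: |
          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import
          printf '%s\n' "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --local-user "$GPG_KEY_ID" --armor --detach-sign -o /dev/null /dev/null

      # … unchanged: Generate and Sign Checksums, with the two secrets moved to env: the same way and "$CHECKSUM_FILE" quoted …

      - name: Verify Signed Checksums
        env:
          GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
          CHECKSUM_FILE: ${{ steps.checksum.outputs.checksum_file_name }}
        run: |
          echo "Verifying GPG signature..."
          # Fresh keyring that holds only the public key, so the check does not
          # succeed merely because the signing key is already imported.
          export GNUPGHOME="$(mktemp -d)"
          printf '%s\n' "$GPG_PUBLIC_KEY" | gpg --batch --import
          gpg --batch --verify "dist/$CHECKSUM_FILE.asc" "dist/$CHECKSUM_FILE"
```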