Removed GPG signing

strombetta · strombetta · commit 32a8d2d00255 · 2026-02-04T17:15:42.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -243,36 +243,20 @@ jobs:
         env:
           MINISIGN_KEY: ${{ secrets.MINISIGN_KEY }}
           MINISIGN_PUB: ${{ secrets.MINISIGN_PUB }}
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
         run: |
           set -euo pipefail
 
           if [ -z "${MINISIGN_KEY:-}" ] || [ -z "${MINISIGN_PUB:-}" ]; then
             echo "Missing minisign secrets (MINISIGN_KEY / MINISIGN_PUB)." >&2
             exit 1
           fi
-          if [ -z "${GPG_PRIVATE_KEY:-}" ]; then
-            echo "Missing GPG_PRIVATE_KEY secret." >&2
-            exit 1
-          fi
 
           mkdir -p out dist
           printf '%s' "$MINISIGN_KEY" | base64 -d > out/minisign.key
           printf '%s' "$MINISIGN_PUB" | base64 -d > out/minisign.pub
           chmod 600 out/minisign.key
           cp out/minisign.pub dist/minisign.pub
 
-          export GNUPGHOME
-          GNUPGHOME="$(mktemp -d)"
-          trap 'rm -rf "$GNUPGHOME"' EXIT
-          printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import
-          key_id="$(gpg --list-secret-keys --with-colons | awk -F: '$1=="sec" {print $5; exit}')"
-          if [ -z "$key_id" ]; then
-            echo "No GPG secret key imported." >&2
-            exit 1
-          fi
-
           mapfile -d '' files < <(find dist -name 'bugleos-toolchain-*.tar.gz' -print0 | sort -z)
           if [ "${#files[@]}" -eq 0 ]; then
             echo "No toolchain tarballs found under dist/." >&2
@@ -286,16 +270,7 @@ jobs:
           fi
 
           sha256sum "${files[@]}" "${sboms[@]}" > dist/SHA256SUMS
-
           minisign -S -s out/minisign.key -m dist/SHA256SUMS
-          gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
-            --local-user "$key_id" --armor --detach-sign -o dist/SHA256SUMS.asc dist/SHA256SUMS
-
-          for f in "${files[@]}"; do
-            minisign -S -s out/minisign.key -m "$f"
-            gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
-              --local-user "$key_id" --armor --detach-sign -o "$f.asc" "$f"
-          done
 
       - name: Publish GitHub Release
         uses: softprops/action-gh-release@v2
@@ -317,8 +292,8 @@ jobs:
             
           files: |
             dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz
-            dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz
             dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz.minisig
+            dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz
             dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz.minisig
             dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz.asc
             dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz.asc
