Merge 3f560fd29a into c407e2ff84

Add logs
Remove the tag from the attestation, what we attest is the hash, so no need for it
2025-05-18 03:01:50 +02:00 · 2025-01-20 15:07:49 +00:00 · 2025-01-20 16:02:18 +01:00 · 2025-01-20 15:25:51 +01:00 · 2025-01-20 15:16:13 +01:00 · 2025-01-20 14:46:51 +01:00
3 changed files with 38 additions and 11 deletions
--- a/.github/workflows/check_repos.yml
+++ b/.github/workflows/check_repos.yml
@ -46,21 +46,30 @@ jobs:
          apt update
          apt-get install python-all -y

-      - name: Add GPG key for the packages.freedom.press
+      - name: Add packages.freedom.press PGP key (gpg)
+        if: matrix.version != 'trixie'
        run: |
          apt-get update && apt-get install -y gnupg2 ca-certificates
          dirmngr  # NOTE: This is a command that's necessary only in containers
+          # The key needs to be in the GPG keybox database format so the
+          # signing subkey is detected by apt-secure.
          gpg --keyserver hkps://keys.openpgp.org \
              --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
              --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
-
-          # Export the GPG key in armor mode because sequoia needs it this way
-          # (sqv is used on debian trixie by default to check the keys)
          mkdir -p /etc/apt/keyrings/
-          gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
-              --armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-              > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+          mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/.

+      - name: Add packages.freedom.press PGP key (sq)
+        if: matrix.version == 'trixie'
+        run: |
+          apt-get update && apt-get install -y ca-certificates sq
+          mkdir -p /etc/apt/keyrings/
+          # On debian trixie, apt-secure uses `sqv` to verify the signatures
+          # so we need to retrieve PGP keys and store them using the base64 format.
+          sq network keyserver \
+             --server hkps://keys.openpgp.org \
+             search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
+             --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
      - name: Add packages.freedom.press to our APT sources
        run: |
          . /etc/os-release
--- a/.github/workflows/release-container-image.yml
+++ b/.github/workflows/release-container-image.yml
@ -27,6 +27,12 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Check it's working
+        run: |
+          git describe --long --first-parent
+
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
@ -44,7 +50,8 @@ jobs:
          # Load the image with the final name directly
          gunzip -c share/container.tar.gz | podman load
          FINAL_IMAGE_NAME="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
-          podman tag dangerzone.rocks/dangerzone "$FINAL_IMAGE_NAME"
+          TAG=$(git describe --long --first-parent | tail -c +2)
+          podman tag dangerzone.rocks/dangerzone:$TAG "$FINAL_IMAGE_NAME"
          podman push "$FINAL_IMAGE_NAME" --digestfile=digest
          echo "digest=$(cat digest)" >> "$GITHUB_OUTPUT"

--- a/INSTALL.md
+++ b/INSTALL.md
@ -84,9 +84,20 @@ Dangerzone is available for:
  </tr>
 </table>

-Add our repository following these instructions:
+First, retrieve the PGP keys.

-Download the GPG key for the repo:
+Starting with Trixie, follow these instructions to download the PGP keys:
+
+```bash
+sudo apt-get update && sudo apt-get install sq -y
+mkdir -p /etc/apt/keyrings/
+sq network keyserver \
+   --server hkps://keys.openpgp.org \
+   search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
+   --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+```
+
+On other Debian-derivatives:

 ```sh
 sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y
@ -99,7 +110,7 @@ sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
    > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
 ```

-Add the URL of the repo in your APT sources:
+Then, on all distributions, add the URL of the repo in your APT sources:

 ```sh
 . /etc/os-release
Author	SHA1	Message	Date
Alexis Métaireau	0e817902da	Merge `3f560fd29a` into `c407e2ff84`	2025-01-20 15:07:49 +00:00
Alexis Métaireau	3f560fd29a	Add logs Some checks failed Tests / Download and cache Tesseract data (push) Has been cancelled Details Release container image / build-container-image (push) Has been cancelled Details Tests / windows (push) Has been cancelled Details Tests / macOS (arch64) (push) Has been cancelled Details Tests / macOS (x86_64) (push) Has been cancelled Details Tests / build-deb (debian bookworm) (push) Has been cancelled Details Tests / build-deb (debian bullseye) (push) Has been cancelled Details Tests / build-deb (debian trixie) (push) Has been cancelled Details Tests / build-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / build-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / install-deb (debian bookworm) (push) Has been cancelled Details Tests / install-deb (debian bullseye) (push) Has been cancelled Details Tests / install-deb (debian trixie) (push) Has been cancelled Details Tests / install-deb (ubuntu 20.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 22.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.04) (push) Has been cancelled Details Tests / install-deb (ubuntu 24.10) (push) Has been cancelled Details Tests / build-install-rpm (fedora 40) (push) Has been cancelled Details Tests / build-install-rpm (fedora 41) (push) Has been cancelled Details Tests / run tests (debian bookworm) (push) Has been cancelled Details Tests / run tests (debian bullseye) (push) Has been cancelled Details Tests / run tests (ubuntu 22.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.04) (push) Has been cancelled Details Tests / run tests (ubuntu 24.10) (push) Has been cancelled Details Tests / run tests (debian trixie) (push) Has been cancelled Details Tests / run tests (fedora 40) (push) Has been cancelled Details Tests / run tests (fedora 41) (push) Has been cancelled Details Tests / run tests (ubuntu 20.04) (push) Has been cancelled Details	2025-01-20 16:02:18 +01:00
Alexis Métaireau	02fb6c07a4	Remove the tag from the attestation, what we attest is the hash, so no need for it	2025-01-20 15:25:51 +01:00
Alexis Métaireau	74f4fbbbde	Add the tag to the subject	2025-01-20 15:16:13 +01:00
Alexis Métaireau	033e8fef88	Get the tag from git before retagging it	2025-01-20 14:46:51 +01:00
Alexis Métaireau	1ec51c7b4c	Checkout with depth:0 otherwise git commands aren't functional	2025-01-20 14:25:26 +01:00
Alexis Métaireau	93b95dbb59	Build: Use Github runners to build and sign container images on new tags	2025-01-20 14:14:54 +01:00
Alexis Métaireau	c407e2ff84	doc: update Debian Trixie installation instructions Some checks are pending Tests / windows (push) Blocked by required conditions Details Tests / macOS (arch64) (push) Blocked by required conditions Details Tests / macOS (x86_64) (push) Blocked by required conditions Details Tests / build-deb (debian bookworm) (push) Blocked by required conditions Details Tests / build-deb (debian bullseye) (push) Blocked by required conditions Details Tests / build-deb (debian trixie) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / install-deb (debian bookworm) (push) Blocked by required conditions Details Tests / install-deb (debian bullseye) (push) Blocked by required conditions Details Tests / install-deb (debian trixie) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions Details Tests / run tests (debian bookworm) (push) Blocked by required conditions Details Tests / run tests (debian bullseye) (push) Blocked by required conditions Details Tests / run tests (debian trixie) (push) Blocked by required conditions Details Tests / run tests (fedora 40) (push) Blocked by required conditions Details Tests / run tests (fedora 41) (push) Blocked by required conditions Details Tests / run tests (ubuntu 20.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 22.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.10) (push) Blocked by required conditions Details Scan latest app and container / security-scan-container (push) Waiting to run Details Scan latest app and container / security-scan-app (push) Waiting to run Details Starting with Debian Trixie, `apt secure` relies on `sqv` to do its verification, which doesn't support the GPG keybox database format. At the same time, using the standard PGP base64 format makes the verification fail for versions of `apt secure` which relies on `gpg`, as the subkey isn't detected there. Fixes #1055	2025-01-20 14:10:15 +01:00