From 4c40f57455cea45f43abe6dc81fc8b6c6d975525 Mon Sep 17 00:00:00 2001 From: Mitsuba100 Date: Tue, 14 Apr 2026 21:21:14 +0200 Subject: [PATCH] Update .github/workflows/update-repo.yml --- .github/workflows/update-repo.yml | 97 +++++++------------------------ 1 file changed, 21 insertions(+), 76 deletions(-) diff --git a/.github/workflows/update-repo.yml b/.github/workflows/update-repo.yml index d1dc7a6..2101615 100644 --- a/.github/workflows/update-repo.yml +++ b/.github/workflows/update-repo.yml @@ -1,4 +1,4 @@ -name: Update Arch Repository (Host stui) +name: Update Arch Repository (Binary Sigs) on: push: @@ -14,10 +14,6 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - - name: Ensure Tools - run: | - sudo apt-get update && sudo apt-get install -y libarchive-tools gpg - - name: Import GPG Key run: | echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import --yes 
@@ -25,102 +21,51 @@ jobs: - name: Build and Sign Repository run: | cd x86_64 - # Clean up old database files rm -f hyprarch-repo.db* hyprarch-repo.files* mkdir -p db_temp - # Export Public Key for the landing page link + # We still use --armor for the public key (that's for humans) gpg --export --armor 236328A7F2C2001E > pubkey.gpg for pkg in *.pkg.tar.zst; do - # 1. Generate detached signature file (.sig) - echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --no-armor "$pkg" + # 1. Create BINARY detached signature (REMOVED --armor) + echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --output "$pkg.sig" "$pkg" - # 2. Extract Metadata for DB - pkgname=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgname =" | cut -d' ' -f3) - pkgver=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgver =" | cut -d' ' -f3) - pkgdesc=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgdesc =" | cut -d' ' -f3- | sed "s/['\"]//g") + # 2. Extract Metadata + pkgname=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgname =" | cut -d' ' -f3 | tr -d '\r') + pkgver=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgver =" | cut -d' ' -f3 | tr -d '\r') + pkgdesc=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^pkgdesc =" | cut -d' ' -f3- | sed "s/['\"]//g" | tr -d '\r') pkgsize=$(stat -c%s "$pkg") - instsize=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^size =" | cut -d' ' -f3) + instsize=$(bsdtar -xOf "$pkg" .PKGINFO | grep "^size =" | cut -d' ' -f3 | tr -d '\r') mkdir -p "db_temp/$pkgname-$pkgver" - # 3. Create the 'desc' file (The heart of the .db) + # 3. 
Build 'desc' with internal PGP SIG (Base64 of the binary sig) { - echo "%NAME%" - echo "$pkgname" - echo "" - echo "%VERSION%" - echo "$pkgver" - echo "" - echo "%DESC%" - echo "$pkgdesc" - echo "" - echo "%FILENAME%" - echo "$pkg" - echo "" - echo "%CSIZE%" - echo "$pkgsize" - echo "" - echo "%ISIZE%" - echo "$instsize" - echo "" + echo "%NAME%"; echo "$pkgname"; echo "" + echo "%VERSION%"; echo "$pkgver"; echo "" + echo "%DESC%"; echo "$pkgdesc"; echo "" + echo "%FILENAME%"; echo "$pkg"; echo "" + echo "%CSIZE%"; echo "$pkgsize"; echo "" + echo "%ISIZE%"; echo "$instsize"; echo "" echo "%PGPSIG%" - # Pipe the signature directly into the DB as a base64 string - echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --no-armor --output - "$pkg" | base64 | tr -d '\n' + base64 -w 0 "$pkg.sig" echo "" echo "" } > "db_temp/$pkgname-$pkgver/desc" done - # 4. Bundle everything into the .db file + # 4. Pack and Sign DB (Signatures here should also be binary) cd db_temp - tar -c * | gzip -9 > ../hyprarch-repo.db.tar.gz + tar --owner=0 --group=0 -c * | gzip -n -9 > ../hyprarch-repo.db.tar.gz cd .. - - # 5. Sign the database itself - echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --no-armor hyprarch-repo.db.tar.gz - - # 6. Finalize symlinks/copies cp hyprarch-repo.db.tar.gz hyprarch-repo.db - cp hyprarch-repo.db.tar.gz.sig hyprarch-repo.db.sig cp hyprarch-repo.db.tar.gz hyprarch-repo.files + echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --local-user 236328A7F2C2001E --passphrase-fd 0 --detach-sign --output hyprarch-repo.db.sig hyprarch-repo.db rm -rf db_temp - - name: Generate Landing Page + - name: Deploy run: | - cat < index.html - - - - HyprArch Repo - - - -
-

🚀 HyprArch Pi Repository

-

Trust Key:

-
curl -s https://repo.stuple.net/x86_64/pubkey.gpg | sudo pacman-key -a - && sudo pacman-key --lsign-key 236328A7F2C2001E
-

Add to /etc/pacman.conf:

-
[hyprarch-repo]
-          SigLevel = Required DatabaseOptional
-          Server = https://repo.stuple.net/\$arch
-
-

📂 Browse File Index

-
- - - EOF - - - name: Deploy to Local Web Folder - run: | - # Use sudo (configured in visudo previously) to move to Nginx root sudo mkdir -p /var/www/hyprarch-repo/x86_64 sudo cp -rf . /var/www/hyprarch-repo/ sudo chown -R www-data:www-data /var/www/hyprarch-repo
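Review bot: Both added signing commands (the per-package one in the loop and the one for `hyprarch-repo.db`) splice `${{ secrets.GPG_PASSPHRASE }}` directly into the script text, so the passphrase is written into the script the runner executes and any `"`, `$` or backtick in it is re-interpreted by the shell. Map it once through a step-level `env:` entry, `GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}`, and feed gpg with `printf '%s\n' "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 …` in both places. The `.PKGINFO` pipelines also fail open: this commit drops the tool-install step, so a missing `bsdtar` or an absent field leaves `pkgname`/`pkgver` empty and the loop still writes `db_temp/-/desc`, unless the step's shell enables pipefail (not visible here); a guard such as `[ -n "$pkgname" ] && [ -n "$pkgver" ] || exit 1` before the `mkdir` would stop a malformed entry from being signed into the database. The renamed Deploy step still appears to run `sudo cp -rf .` from the workspace root, which would also publish `.git` and `.github` under the web root; copying only `x86_64` would avoid that.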