release: validate linux signatures

Upload GCM's public key as a release asset. Add instructions for users to
import this key and use it to validate the latest Debian package and tarball.

.github/workflows/release.yml

@@ -582,6 +582,9 @@ jobs:
   create-github-release:
     name: Publish GitHub draft release
     runs-on: ubuntu-latest
+    env:
+      AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+      GPG_PUBLIC_KEY_SECRET_NAME: ${{ secrets.GPG_PUBLIC_KEY_SECRET_NAME }}
     environment: release
     needs: [ prereqs, validate ]
     steps:
@@ -613,6 +616,20 @@ jobs:
           zip -jr win-x86-payload-and-symbols/gcm-win-x86-$version.zip windows-artifacts/payload
           zip -jr win-x86-payload-and-symbols/gcm-win-x86-$version-symbols.zip windows-artifacts/symbols
 
+      - name: Log into Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Download GPG public key signature file
+        run: |
+          az keyvault secret show --name "$GPG_PUBLIC_KEY_SECRET_NAME" \
+            --vault-name "$AZURE_VAULT" --query "value" \
+            | sed -e 's/^"//' -e 's/"$//' | base64 -d >gcm-public.asc
+          mv gcm-public.asc linux-artifacts
+
       - uses: actions/github-script@v6
         with:
           script: |

docs/install.md

@@ -72,7 +72,7 @@ installation method.
 
 #### Install
 
-Download the latest [.deb package][latest-release], and run the following:
+Download the latest [.deb package][latest-release]*, and run the following:
 
 ```shell
 sudo dpkg -i <path-to-package>
@@ -86,13 +86,16 @@ git-credential-manager unconfigure
 sudo dpkg -r gcm
 ```
 
+*If you'd like to validate the package's signature after downloading, check out
+the instructions [here][linux-validate-gpg-debian].
+
 ---
 
 ### Tarball
 
 #### Install
 
-Download the latest [tarball][latest-release], and run the following:
+Download the latest [tarball][latest-release]*, and run the following:
 
 ```shell
 tar -xvf <path-to-tarball> -C /usr/local/bin
@@ -106,6 +109,9 @@ git-credential-manager unconfigure
 rm $(command -v git-credential-manager)
 ```
 
+*If you would like to validate the tarball's signature after downloading, check
+out the instructions [here][linux-validate-gpg-tarball].
+
 ---
 
 ### Install from source helper script
@@ -238,4 +244,6 @@ dotnet tool uninstall -g git-credential-manager
 [git-for-windows-screenshot]: https://user-images.githubusercontent.com/5658207/140082529-1ac133c1-0922-4a24-af03-067e27b3988b.png
 [latest-release]: https://github.com/git-ecosystem/git-credential-manager/releases/latest
 [linux-uninstall]: linux-fromsrc-uninstall.md
+[linux-validate-gpg-debian]: ./linux-validate-gpg.md#debian-package
+[linux-validate-gpg-tarball]: ./linux-validate-gpg.md#tarball
 [ms-wsl]: https://aka.ms/wsl#

docs/linux-validate-gpg.md

@@ -0,0 +1,85 @@
+# Validating GCM's GPG signature
+
+Follow the below instructions to import GCM's public key and use it to validate
+the latest Debian package and/or tarball signature.
+
+## Debian package
+
+```shell
+# Install needed packages
+apt-get install -y curl debsig-verify
+
+# Download public key signature file
+curl -s https://api.github.com/repos/git-ecosystem/git-credential-manager/releases/latest \
+| grep -E 'browser_download_url.*gcm-public.asc' \
+| cut -d : -f 2,3 \
+| tr -d \" \
+| xargs -I 'url' curl -L -o gcm-public.asc 'url'
+
+# De-armor public key signature file
+gpg --output gcm-public.gpg --dearmor gcm-public.asc
+
+# Note that the fingerprint of this key is "3C853823978B07FA", which you can
+# determine by running:
+gpg --show-keys gcm-public.asc | head -n 2 | tail -n 1 | tail -c 17
+
+# Copy de-armored public key to debsig keyring folder
+mkdir /usr/share/debsig/keyrings/3C853823978B07FA
+mv gcm-public.gpg /usr/share/debsig/keyrings/3C853823978B07FA/
+
+# Create an appropriate policy file
+mkdir /etc/debsig/policies/3C853823978B07FA
+cat > /etc/debsig/policies/3C853823978B07FA/generic.pol << EOL
+<?xml version="1.0"?>
+<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
+<Policy xmlns="https://www.debian.org/debsig/1.0/">
+
+  <Origin Name="Git Credential Manager" id="3C853823978B07FA" Description="Git Credential Manager public key"/>
+
+  <Selection>
+    <Required Type="origin" File="gcm-public.gpg" id="3C853823978B07FA"/>
+  </Selection>
+
+  <Verification MinOptional="0">
+    <Required Type="origin" File="gcm-public.gpg" id="3C853823978B07FA"/>
+  </Verification>
+
+</Policy>
+EOL
+
+# Download Debian package
+curl -s https://api.github.com/repos/git-ecosystem/git-credential-manager/releases/latest \
+| grep "browser_download_url.*deb" \
+| cut -d : -f 2,3 \
+| tr -d \" \
+| xargs -I 'url' curl -L -o gcm.deb 'url'
+
+# Verify
+debsig-verify gcm.deb
+```
+
+## Tarball
+```shell
+# Download the public key signature file
+curl -s https://api.github.com/repos/git-ecosystem/git-credential-manager/releases/latest \
+| grep -E 'browser_download_url.*gcm-public.asc' \
+| cut -d : -f 2,3 \
+| tr -d \" \
+| xargs -I 'url' curl -L -o gcm-public.asc 'url'
+
+# Import the public key
+gpg --import gcm-public.asc
+
+# Download the tarball and its signature file
+curl -s https://api.github.com/repos/ldennington/git-credential-manager/releases/latest \
+| grep -E 'browser_download_url.*gcm-linux.*[0-9].[0-9].[0-9].tar.gz' \
+| cut -d : -f 2,3 \
+| tr -d \" \
+| xargs -I 'url' curl -LO 'url'
+
+# Trust the public key
+echo -e "5\ny\n" |  gpg --command-fd 0 --expert --edit-key 3C853823978B07FA trust
+
+# Verify the signature
+gpg --verify gcm-linux_amd64*.tar.gz.asc gcm-linux*.tar.gz
+```