From ad3f1d8356b2013f1b4eb47c7f7314ea6580b256 Mon Sep 17 00:00:00 2001
From: James Magahern
Date: Mon, 15 Jun 2026 09:17:30 -0700
Subject: [PATCH] Sign RPM package uploads
---
 .gitea/scripts/upload-rpm-packages.sh | 57 ++++++++++++++++++++-------
 core/Cargo.lock | 2 +-
 core/kordophoned/Cargo.toml | 2 +-
 gtk/dist/rpm/kordophone.spec | 2 +-
 gtk/meson.build | 2 +-
 5 files changed, 47 insertions(+), 18 deletions(-)
diff --git a/.gitea/scripts/upload-rpm-packages.sh b/.gitea/scripts/upload-rpm-packages.sh
index 4920c4b..41b01ca 100755
--- a/.gitea/scripts/upload-rpm-packages.sh
+++ b/.gitea/scripts/upload-rpm-packages.sh
@@ -1,13 +1,18 @@
 #!/usr/bin/env bash
 set -euo pipefail
-: "${GITEA_SERVER_URL:?Missing GITEA_SERVER_URL}"
-: "${GITEA_REPOSITORY_OWNER:?Missing GITEA_REPOSITORY_OWNER}"
+server_url="${GITEA_SERVER_URL:-${GITHUB_SERVER_URL:-}}"
+owner="${GITEA_REPOSITORY_OWNER:-${GITHUB_REPOSITORY_OWNER:-}}"
+if [[ -z "$owner" && -n "${GITHUB_REPOSITORY:-}" && "$GITHUB_REPOSITORY" == */* ]]; then
+ owner="${GITHUB_REPOSITORY%%/*}"
+fi
+
+: "${server_url:?Missing GITEA_SERVER_URL}"
+: "${owner:?Missing GITEA_REPOSITORY_OWNER}"
 : "${RELEASE_ASSETS_DIR:?Missing RELEASE_ASSETS_DIR}"
-owner="${GITEA_REPOSITORY_OWNER}"
-package_user="${RPM_PACKAGE_USERNAME:-${GITEA_REPOSITORY_OWNER}}"
-token="${RPM_PACKAGE_TOKEN:-}"
+package_user="${RPM_PACKAGE_USERNAME:-$owner}"
+token="${RPM_PACKAGE_TOKEN:-${GITEA_TOKEN:-}}"
 group="${RPM_PACKAGE_GROUP:-}"
 if [[ -z "$package_user" ]]; then
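Review bot: In `.gitea/scripts/upload-rpm-packages.sh`, `server_url` is now taken from `GITEA_SERVER_URL` or `GITHUB_SERVER_URL` with no scheme check, and the later curl calls send `package_user:token` to it with `--user`, so a plain `http://` value would put the credential on the wire unencrypted. A guard right after the `: "${server_url:?…}"` line would catch that, for example `[[ "$server_url" == https://* ]] || { echo "Refusing to send credentials to non-HTTPS $server_url" >&2; exit 1; }`; relax it explicitly if the runner is meant to reach an internal HTTP endpoint. The new `GITEA_TOKEN` fallback also changes which credential is used when `RPM_PACKAGE_TOKEN` is unset, so a comment such as `# Falls back to the job token; it needs package write scope for $owner` above the `token=` line would make the expected scope visible.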
@@ -16,15 +21,19 @@ if [[ -z "$package_user" ]]; then
 fi
 if [[ -z "$token" ]]; then
- echo "Missing package upload token. Set repository or organization secret RPM_PACKAGE_TOKEN." >&2
+ echo "Missing package upload token. Set RPM_PACKAGE_TOKEN or GITEA_TOKEN as a repository secret." >&2
 exit 1
 fi
-upload_url="${GITEA_SERVER_URL%/}/api/packages/${owner}/rpm"
+upload_url="${server_url%/}/api/packages/${owner}/rpm"
 if [[ -n "$group" ]]; then
 upload_url="${upload_url}/${group}"
 fi
 upload_url="${upload_url}/upload"
+upload_url="${upload_url}?sign=true"
+
+response_file="$(mktemp)"
+trap 'rm -f "$response_file"' EXIT
 shopt -s nullglob
 found_rpm=0
@@ -36,12 +45,18 @@ for rpm in "$RELEASE_ASSETS_DIR"/*.rpm; do
 esac
 found_rpm=1
- http_code="$(curl --silent --show-error \
- --write-out '%{http_code}' \
- --output /tmp/package-upload-response \
- --user "${package_user}:${token}" \
- --upload-file "$rpm" \
- "$upload_url")"
+ package_name="$(rpm -qp --queryformat '%{NAME}' "$rpm")"
+ package_version="$(rpm -qp --queryformat '%{VERSION}-%{RELEASE}' "$rpm")"
+ package_arch="$(rpm -qp --queryformat '%{ARCH}' "$rpm")"
+
+ http_code="$(
+ curl --silent --show-error \
+ --write-out '%{http_code}' \
+ --output "$response_file" \
+ --user "${package_user}:${token}" \
+ --upload-file "$rpm" \
+ "$upload_url"
+ )"
 case "$http_code" in
 201)
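Review bot: The added `upload_url="${upload_url}?sign=true"` line in `.gitea/scripts/upload-rpm-packages.sh` carries no comment on what it requests or what it relies on. Signing here is done by the registry with its own key, and a server that ignores the parameter would presumably still answer 201, so the upload status alone says nothing about whether a signature exists. I would add `# Ask the registry to sign server-side; a 201 does not prove it did, so the signed copy is checked after download.` above the line.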
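Review bot: `--user "${package_user}:${token}"` in the rewritten upload call of `.gitea/scripts/upload-rpm-packages.sh` places the token on curl's command line, where it can be visible in the process table to other processes on the runner while the transfer runs. curl can read the same option from stdin, which `--upload-file` leaves free here: `--config - <<<"user = \"${package_user}:${token}\""` in place of the `--user` line, assuming the token contains no quote or backslash characters. The download call added in the last hunk of this file has the same `--user` line. The enclosing `for` loop starts and ends outside this hunk.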
@@ -52,10 +67,24 @@ for rpm in "$RELEASE_ASSETS_DIR"/*.rpm; do
 ;;
 *)
 echo "Failed to upload $(basename "$rpm") to $upload_url (HTTP $http_code)." >&2
- cat /tmp/package-upload-response >&2 || true
+ cat "$response_file" >&2 || true
 exit 1
 ;;
 esac
+
+ package_url="${server_url%/}/api/packages/${owner}/rpm"
+ if [[ -n "$group" ]]; then
+ package_url="${package_url}/${group}"
+ fi
+ package_url="${package_url}/package/${package_name}/${package_version}/${package_arch}/${package_name}-${package_version}.${package_arch}.rpm"
+
+ signed_rpm="$(mktemp --suffix=.rpm)"
+ curl --silent --show-error --fail \
+ --user "${package_user}:${token}" \
+ --output "$signed_rpm" \
+ "$package_url"
+ mv "$signed_rpm" "$rpm"
+ rpm -Kv "$rpm" || true
 done
 shopt -u nullglob
diff --git a/core/Cargo.lock b/core/Cargo.lock
index ae2fc5a..3b5250d 100644
--- a/core/Cargo.lock
+++ b/core/Cargo.lock
@@ -1274,7 +1274,7 @@ dependencies = [
 [[package]]
 name = "kordophoned"
-version = "1.3.3"
+version = "1.3.6"
 dependencies = [
 "anyhow",
 "async-trait",
diff --git a/core/kordophoned/Cargo.toml b/core/kordophoned/Cargo.toml
index d3054dc..9441b6c 100644
--- a/core/kordophoned/Cargo.toml
+++ b/core/kordophoned/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "kordophoned"
-version = "1.3.5"
+version = "1.3.6"
 edition = "2021"
 license = "GPL-3.0"
 description = "Client daemon for the Kordophone chat protocol"
diff --git a/gtk/dist/rpm/kordophone.spec b/gtk/dist/rpm/kordophone.spec
index 1d9a9c0..5762c7f 100644
--- a/gtk/dist/rpm/kordophone.spec
+++ b/gtk/dist/rpm/kordophone.spec
@@ -1,5 +1,5 @@
 Name: kordophone
-Version: %{?app_version}%{!?app_version:1.4.5}
+Version: %{?app_version}%{!?app_version:1.4.6}
 Release: 1%{?dist}
 Summary: GTK4/Libadwaita client for Kordophone
diff --git a/gtk/meson.build b/gtk/meson.build
index 353f417..d1ddd08 100644
--- a/gtk/meson.build
+++ b/gtk/meson.build
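Review bot: `rpm -Kv "$rpm" || true` at the end of the loop body in `.gitea/scripts/upload-rpm-packages.sh` discards the only signature check, and it runs after `mv "$signed_rpm" "$rpm"` has already replaced the build output, so an unsigned registry copy still ships with a passing job. Check the downloaded file before the `mv`, fail when no signature is reported, and remove `$signed_rpm` on the failure paths, since the `EXIT` trap covers only `$response_file`. The sketch below tests only that a signature is present; confirming that it is valid needs the registry's public key imported into the rpm keyring first. The `for` loop enclosing these lines starts outside the hunk.

```shell
  # … unchanged: package_url construction …

  signed_rpm="$(mktemp --suffix=.rpm)"
  if ! curl --silent --show-error --fail \
    --user "${package_user}:${token}" \
    --output "$signed_rpm" \
    "$package_url"; then
    rm -f -- "$signed_rpm"
    echo "Failed to download signed copy of $(basename "$rpm") from $package_url." >&2
    exit 1
  fi

  # rpm -K exits non-zero when the signing key is not imported, so inspect its
  # report rather than its status; an unsigned package lists digests only.
  signature_report="$(rpm -Kv "$signed_rpm" 2>&1 || true)"
  if ! grep -q 'Signature' <<<"$signature_report"; then
    rm -f -- "$signed_rpm"
    echo "Registry copy of $(basename "$rpm") carries no signature." >&2
    exit 1
  fi
  mv -- "$signed_rpm" "$rpm"
```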
@@ -1,5 +1,5 @@
 project('kordophone', 'vala',
- version : '1.4.5',
+ version : '1.4.6',
 meson_version : '>=0.56.0',
 default_options : ['warning_level=2']
 )