Merge pull request #23 from dtolnay/nogpg

Delete gpg-based verification in favor of attestations
2025-01-31 07:01:20 +01:00 · 2025-01-26 13:50:39 -08:00 · 2025-01-26 13:50:39 -08:00 · 76a2a388a3
commit 76a2a388a3
parent 4988755830 9159632372
1 changed files with 0 additions and 9 deletions
--- a/action.yml
+++ b/action.yml
@ -24,15 +24,6 @@ runs:
    - name: Download ${{steps.inputs.outputs.bin}}
      run: curl --output ${{steps.cargo.outputs.dir}}/${{steps.inputs.outputs.bin}} https://github.com/dtolnay/install/releases/download/${{steps.inputs.outputs.crate}}/${{steps.inputs.outputs.bin}} --location --silent --show-error --fail --retry 5
      shell: bash
    - name: Download ${{steps.inputs.outputs.bin}}.sig
      run: curl --output ${{runner.temp}}/${{steps.inputs.outputs.bin}}.sig https://github.com/dtolnay/install/releases/download/${{steps.inputs.outputs.crate}}/${{steps.inputs.outputs.bin}}.sig --location --silent --show-error --fail --retry 5
      shell: bash
    - name: Retrieve public key of signing key
      run: gpg --output ${{runner.temp}}/signing-key.gpg --yes --dearmor ${{github.action_path}}/signing-key.asc
      shell: bash
    - name: Verify gpg signature
      run: gpg --no-default-keyring --keyring ${{runner.temp}}/signing-key.gpg --trusted-key 830334D6A6010C41 --verify ${{runner.temp}}/${{steps.inputs.outputs.bin}}.sig ${{steps.cargo.outputs.dir}}/${{steps.inputs.outputs.bin}}
      shell: bash
    - name: Verify artifact attestation
      run: gh attestation verify --owner dtolnay ${{steps.cargo.outputs.dir}}/${{steps.inputs.outputs.bin}}
      env: