fix: explicitly trust our own GPG key (#23556)

GPG emits an "untrusted key" warning when signing with a key that hasn't been assigned a trust level, which can cause verification steps to fail or produce noisy output. Example: ```sh gpg: Signature made Tue Mar 24 20:56:59 2026 UTC gpg: using RSA key 21C96B1CB950718874F64DBD6A5A671B5E40A3B9 gpg: Good signature from "Coder Release Signing Key <security@coder.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 21C9 6B1C B950 7188 74F6 4DBD 6A5A 671B 5E40 A3B9 ``` After importing the release key, derive its fingerprint from the keyring and mark it as ultimately trusted via `--import-ownertrust`. The fingerprint is extracted dynamically rather than hard-coded, so this works for any key supplied via `CODER_GPG_RELEASE_KEY_BASE64`.
2026-06-02 20:48:20 +00:00 · 2026-03-25 10:24:31 +01:00
parent 0cea4de69e
commit 6bc6e2baa6
1 changed files with 7 additions and 0 deletions
@@ -34,6 +34,13 @@ export GNUPGHOME="$gnupg_home_temp"
 # Ensure GPG uses the temporary directory
 echo "$CODER_GPG_RELEASE_KEY_BASE64" | base64 -d | gpg --homedir "$gnupg_home_temp" --import 1>&2

+# Mark the imported key as ultimately trusted so GPG does not emit an
+# "untrusted key" warning during signature verification. We derive the
+# fingerprint from the keyring rather than hard-coding it so this works
+# regardless of which key is supplied.
+fingerprint="$(gpg --homedir "$gnupg_home_temp" --with-colons --fingerprint | awk -F: '/^fpr/ { print $10; exit }')"
+echo "${fingerprint}:6:" | gpg --homedir "$gnupg_home_temp" --import-ownertrust 1>&2
+
 # Sign the binary. This generates a file in the same directory and
 # with the same name as the binary but ending in ".asc".
 #