@@ -210,6 +210,70 @@ jobs:
210210 path : ${{ github.workspace }}\smctl-signing.log
211211 if-no-files-found : ignore
212212
213+ sign-releases :
214+ name : sign release artifacts
215+ runs-on : ubuntu-latest
216+ needs : [build, sign-windows]
217+ steps :
218+ - name : download all build artifacts
219+ uses : actions/download-artifact@v4
220+ with :
221+ path : artifacts
222+ merge-multiple : true
223+
224+ - name : download signed windows artifact
225+ uses : actions/download-artifact@v4
226+ with :
227+ name : ant-x86_64-pc-windows-msvc-signed
228+ path : artifacts-signed-win
229+
230+ - name : replace windows archive with signed version
231+ run : |
232+ rm -f artifacts/ant-*-x86_64-pc-windows-msvc.zip
233+ cp artifacts-signed-win/*.zip artifacts/
234+
235+ - name : download ant-keygen
236+ run : |
237+ gh release download --repo WithAutonomi/ant-keygen --pattern 'ant-keygen-linux-x64.tar.gz' --dir /tmp
238+ tar -xzf /tmp/ant-keygen-linux-x64.tar.gz -C /tmp
239+ chmod +x /tmp/ant-keygen
240+ env :
241+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
242+
243+ - name : decode signing key
244+ run : |
245+ echo "${{ secrets.ANT_SIGNING_KEY }}" | xxd -r -p > /tmp/signing-key.secret
246+ chmod 600 /tmp/signing-key.secret
247+
248+ - name : sign all release files
249+ run : |
250+ for file in artifacts/ant-*.tar.gz artifacts/ant-*.zip; do
251+ if [ -f "$file" ]; then
252+ echo "Signing $file..."
253+ /tmp/ant-keygen sign \
254+ --key /tmp/signing-key.secret \
255+ --input "$file" \
256+ --output "${file}.sig" \
257+ --context "ant-release-v1"
258+ fi
259+ done
260+
261+ - name : clean up signing key
262+ if : always()
263+ run : rm -f /tmp/signing-key.secret
264+
265+ - name : generate checksums
266+ run : |
267+ cd artifacts
268+ sha256sum ant-* 2>/dev/null > SHA256SUMS.txt || true
269+ cat SHA256SUMS.txt
270+
271+ - uses : actions/upload-artifact@v4
272+ with :
273+ name : signed-releases
274+ path : artifacts/*
275+ retention-days : 1
276+
213277 publish-crate :
214278 name : publish ant-core to crates.io
215279 runs-on : ubuntu-latest
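Review bot: The signing tool is the trust root of this job, yet the `download ant-keygen` step fetches whatever the latest release of an external repository is, with no tag pin and no checksum of the tarball, so a compromised or merely changed upstream release silently changes how every artifact is signed. Pin the release tag and verify a sha256 recorded in the workflow before extracting, as shown below. The `decode signing key` step also interpolates `${{ secrets.ANT_SIGNING_KEY }}` directly into the shell script; pass it through `env:` and read `"$ANT_SIGNING_KEY"` so the secret is not embedded in the generated script text. Finally, `sha256sum ant-* 2>/dev/null > SHA256SUMS.txt || true` can publish an empty checksum file when the glob matches nothing; drop the `2>/dev/null` and `|| true` so that fails the job, and consider adding `SHA256SUMS.txt` to the signing loop since the loop currently covers only the archives.

```yaml
      - name: download ant-keygen
        run: |
          gh release download "$ANT_KEYGEN_VERSION" --repo WithAutonomi/ant-keygen --pattern 'ant-keygen-linux-x64.tar.gz' --dir /tmp
          echo "$ANT_KEYGEN_SHA256  /tmp/ant-keygen-linux-x64.tar.gz" | sha256sum -c -
          tar -xzf /tmp/ant-keygen-linux-x64.tar.gz -C /tmp
          chmod +x /tmp/ant-keygen
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ANT_KEYGEN_VERSION: "<pinned release tag>"      # bump deliberately, never float to latest
          ANT_KEYGEN_SHA256: "<sha256 of the pinned tarball>"

      - name: decode signing key
        run: |
          printf '%s' "$ANT_SIGNING_KEY" | xxd -r -p > /tmp/signing-key.secret
          chmod 600 /tmp/signing-key.secret
        env:
          ANT_SIGNING_KEY: ${{ secrets.ANT_SIGNING_KEY }}

      # … unchanged: sign all release files, clean up signing key …

      - name: generate checksums
        run: |
          cd artifacts
          sha256sum ant-* > SHA256SUMS.txt
          cat SHA256SUMS.txt
```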
@@ -228,8 +292,7 @@ jobs:
228292 release :
229293 name : create github release
230294 runs-on : ubuntu-latest
231- needs : [build, sign-windows]
232- if : ${{ !cancelled() && needs.build.result == 'success' && needs.sign-windows.result == 'success' }}
295+ needs : [sign-releases]
233296 steps :
234297 - uses : actions/checkout@v4
235298
@@ -249,23 +312,7 @@ jobs:
249312
250313 - uses : actions/download-artifact@v4
251314 with :
252- name : ant-x86_64-unknown-linux-musl
253- path : assets/
254- - uses : actions/download-artifact@v4
255- with :
256- name : ant-aarch64-unknown-linux-musl
257- path : assets/
258- - uses : actions/download-artifact@v4
259- with :
260- name : ant-x86_64-apple-darwin
261- path : assets/
262- - uses : actions/download-artifact@v4
263- with :
264- name : ant-aarch64-apple-darwin
265- path : assets/
266- - uses : actions/download-artifact@v4
267- with :
268- name : ant-x86_64-pc-windows-msvc-signed
315+ name : signed-releases
269316 path : assets/
270317
271318 - name : extract changelog entry
@@ -306,6 +353,18 @@ jobs:
306353 | macOS | `~/Library/Application Support/ant/bootstrap_peers.toml` |
307354 | Windows | `%APPDATA%\ant\bootstrap_peers.toml` |
308355
356+ ## Verification
357+
358+ All release archives are signed with ML-DSA-65 (FIPS 204) post-quantum signatures.
359+ Download `ant-keygen` from [WithAutonomi/ant-keygen](https://github.com/WithAutonomi/ant-keygen/releases)
360+ and verify:
361+
362+ ```bash
363+ ant-keygen verify --key release-signing-key.pub --input <file> --signature <file>.sig --context ant-release-v1
364+ ```
365+
366+ SHA256 checksums provided in `SHA256SUMS.txt`.
367+
309368 HEADER
310369
311370 echo "## Detailed Changes" >> /tmp/release_body.md
@@ -326,4 +385,7 @@ jobs:
326385 --title "ant ${{ steps.meta.outputs.version }}" \
327386 --notes-file /tmp/release_body.md \
328387 $prerelease_flag \
329- assets/*
388+ assets/*.tar.gz \
389+ assets/*.zip \
390+ assets/*.sig \
391+ assets/SHA256SUMS.txt
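Review bot: The asset list passed to `gh release create` does not include the public key the release notes reference (`release-signing-key.pub`), so the documented `ant-keygen verify` command has no key to run against. If the key is committed to the repository (the release job checks the repo out at its first step), copy it into `assets/` and add `assets/release-signing-key.pub` after `assets/SHA256SUMS.txt`; if it is published elsewhere, the notes should name that location instead. Either way the public key should be distributed from somewhere a release-asset tamperer cannot also rewrite, otherwise an attacker who can replace the archives and `.sig` files can replace the key too. The `gh release create` invocation starts outside this hunk.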