chore: restructure release signatures into subdirectory

Moves GPG signatures and keys into a signatures/ subdirectory before packing into signatures.tar.gz, preventing glob collisions.
2026-03-26 02:11:53 +00:00 · 2026-03-08 21:42:10 -06:00
parent f56262b845
commit 36bf55c133
1 changed files with 12 additions and 9 deletions
--- a/build/manage-release.sh
+++ b/build/manage-release.sh
@@ -198,20 +198,22 @@ cmd_sign() {
    enter_release_dir
    resolve_gh_user

+    mkdir -p signatures
+
    for file in $(release_files); do
-        gpg -u $START9_GPG_KEY --detach-sign --armor -o "${file}.start9.asc" "$file"
+        gpg -u $START9_GPG_KEY --detach-sign --armor -o "signatures/${file}.start9.asc" "$file"
        if [ -n "$GH_USER" ] && [ -n "$GH_GPG_KEY" ]; then
-            gpg -u "$GH_GPG_KEY" --detach-sign --armor -o "${file}.${GH_USER}.asc" "$file"
+            gpg -u "$GH_GPG_KEY" --detach-sign --armor -o "signatures/${file}.${GH_USER}.asc" "$file"
        fi
    done

-    gpg --export -a $START9_GPG_KEY > start9.key.asc
+    gpg --export -a $START9_GPG_KEY > signatures/start9.key.asc
    if [ -n "$GH_USER" ] && [ -n "$GH_GPG_KEY" ]; then
-        gpg --export -a "$GH_GPG_KEY" > "${GH_USER}.key.asc"
+        gpg --export -a "$GH_GPG_KEY" > "signatures/${GH_USER}.key.asc"
    else
        >&2 echo 'Warning: could not determine GitHub user or GPG signing key, skipping personal signature'
    fi
-    tar -czvf signatures.tar.gz *.asc
+    tar -czvf signatures.tar.gz -C signatures .

    gh release upload -R $REPO "v$VERSION" signatures.tar.gz --clobber
 }
@@ -229,17 +231,18 @@ cmd_cosign() {

    echo "Downloading existing signatures..."
    gh release download -R $REPO "v$VERSION" -p "signatures.tar.gz" -D "$(pwd)" --clobber
-    tar -xzf signatures.tar.gz
+    mkdir -p signatures
+    tar -xzf signatures.tar.gz -C signatures

    echo "Adding personal signatures as $GH_USER..."
    for file in $(release_files); do
-        gpg -u "$GH_GPG_KEY" --detach-sign --armor -o "${file}.${GH_USER}.asc" "$file"
+        gpg -u "$GH_GPG_KEY" --detach-sign --armor -o "signatures/${file}.${GH_USER}.asc" "$file"
    done

-    gpg --export -a "$GH_GPG_KEY" > "${GH_USER}.key.asc"
+    gpg --export -a "$GH_GPG_KEY" > "signatures/${GH_USER}.key.asc"

    echo "Re-packing signatures..."
-    tar -czvf signatures.tar.gz *.asc
+    tar -czvf signatures.tar.gz -C signatures .

    gh release upload -R $REPO "v$VERSION" signatures.tar.gz --clobber
    echo "Done. Personal signatures for $GH_USER added to v$VERSION."