Sign releases again

The new automation workflow doesn't sign the Git tag or the tarball as
we used to.  Since the tag is still created locally, sign it directly.

For signing the tarball; build it locally and compare the extracted
tarball with the one produced by GitHub.

Closes #11996

.github/workflows/release.yml

@@ -52,7 +52,10 @@ jobs:
           # Need history since the last release (i.e. tag) for stats.
           git fetch --tags
           git fetch --unshallow
-          sh -x ./build_tools/release-notes.sh >"$relnotes"
+          gpg_public_key_url=https://github.com/${{ github.actor }}.gpg
+          curl -sS "$gpg_public_key_url" | grep 'PGP PUBLIC KEY BLOCK' -A5
+          FISH_GPG_PUBLIC_KEY_URL=$gpg_public_key_url \
+            sh -x ./build_tools/release-notes.sh >"$relnotes"
           # Delete title
           sed -n 1p "$relnotes" | grep -q "^## fish .*"
           sed -n 2p "$relnotes" | grep -q '^$'

CHANGELOG.rst

@@ -29,6 +29,7 @@ Other improvements
 
 For distributors and developers
 -------------------------------
+- Release tags and source code tarballs are GPG-signed again  (:issue:`11996`).
 - Release tarballs are built with the latest release of Sphinx,
   which means that pre-built man pages include :ref:`OSC 8 hyperlinks <term-compat-osc-8>`.
 - The Sphinx dependency is now specified in ``pyproject.toml``,

README.rst

@@ -178,7 +178,7 @@ Fish will then read these right from its own binary, and print them out when nee
 To install fish with embedded files, just use ``cargo``, like::
 
    cargo install --path /path/to/fish # if you have a git clone
-   cargo install --git https://github.com/fish-shell/fish-shell --tag "$(curl -s https://api.github.com/repos/fish-shell/fish-shell/releases/latest | jq -r .tag_name)" # to build the latest release
+   cargo install --git https://github.com/fish-shell/fish-shell --tag "$(curl -sS https://api.github.com/repos/fish-shell/fish-shell/releases/latest | jq -r .tag_name)" # to build the latest release
    cargo install --git https://github.com/fish-shell/fish-shell # to build the latest development snapshot
 
 This will place the standalone binaries in ``~/.cargo/bin/``, but you can place them wherever you want.

build_tools/release-notes.sh

@@ -79,9 +79,12 @@ if test -z "$CI" || git -C "$workspace_root" tag | grep -q .; then {
     echo
     echo "---"
     echo
-    echo "*Download links: To download the source code for fish, we suggest the file named \"fish-$version.tar.xz\". The file downloaded from \"Source code (tar.gz)\" will not build correctly.*"
+    echo 'Download links:'
+    echo 'To download the source code for fish, we suggest the file named ``fish-'"$version"'.tar.xz``.'
+    echo 'The file downloaded from ``Source code (tar.gz)`` will not build correctly.'
+    echo 'A GPG signature using the key published at '"${FISH_GPG_PUBLIC_KEY_URL:-???}"' is available as ``fish-'"$version"'.tar.xz.asc``.'
     echo
-    echo "*The files called fish-$version-linux-\*.tar.xz are experimental packages containing a single standalone ``fish`` binary for any Linux with the given CPU architecture.*"
+    echo 'The files called ``fish-'"$version"'-linux-\*.tar.xz`` are experimental packages containing a single standalone ``fish`` binary for any Linux with the given CPU architecture.'
 } >"$relnotes_tmp/fake-workspace"/CHANGELOG.rst
 
 sphinx-build >&2 -j auto \

build_tools/release.sh

@@ -19,9 +19,12 @@ fi
 
 for tool in \
     bundle \
+    diff \
     gh \
+    gpg \
     jq \
     ruby \
+    tar \
     timeout \
 ; do
     if ! command -v "$tool" >/dev/null; then
@@ -30,6 +33,11 @@ for tool in \
     fi
 done
 
+committer=$(git var GIT_AUTHOR_IDENT)
+committer=${committer% *} # strip timezone
+committer=${committer% *} # strip timestamp
+gpg --local-user="$committer" --sign </dev/null >/dev/null
+
 repo_root="$(dirname "$0")/.."
 fish_site=$repo_root/../fish-site
 fish_site_repo=git@github.com:$repository_owner/fish-site
@@ -82,8 +90,8 @@ Created by ./build_tools/release.sh $version"
 
 CommitVersion "$version" "Release $version"
 
-# N.B. this is not GPG-signed.
-git tag --annotate --message="Release $version" $version
+git -c "user.signingKey=$committer" \
+    tag --sign --message="Release $version" $version
 
 git push $remote $version
 
@@ -108,13 +116,21 @@ done
 # Update fishshell.com
 tag_oid=$(git rev-parse "$version")
 tmpdir=$(mktemp -d)
+fish_tar_xz=fish-$version.tar.xz
+(
+    local_tarball=$tmpdir/local-tarball
+    mkdir "$local_tarball"
+    FISH_ARTEFACT_PATH=$local_tarball ./build_tools/make_tarball.sh
+    cd "$local_tarball"
+    tar xf "$fish_tar_xz"
+)
 # TODO This works on draft releases only if "gh" is configured to
 # have write access to the fish-shell repository. Unless we are fine
 # publishing the release at this point, we should at least fail if
 # "gh" doesn't have write access.
 while ! \
     gh release download "$version" --dir="$tmpdir" \
-        --pattern="fish-$version.tar.xz"
+        --pattern="$fish_tar_xz"
 do
     TIMEOUT=30 gh run watch "$run_id" ||:
     sleep 5
@@ -122,7 +138,16 @@ done
 actual_tag_oid=$(git ls-remote "$remote" |
     awk '$2 == "refs/tags/'"$version"'" { print $1 }')
 [ "$tag_oid" = "$actual_tag_oid" ]
-( cd "$tmpdir" && tar xf fish-$version.tar.xz )
+
+(
+    cd "$tmpdir"
+    tar xf "$fish_tar_xz"
+    diff -ur "fish-$version" "local-tarball/fish-$version"
+    gpg --local-user="$committer" --sign --detach --armor \
+        "$fish_tar_xz"
+    gh release upload "$version" "$fish_tar_xz.asc"
+)
+
 CopyDocs() {
     rm -rf "$fish_site/site/docs/$1"
     cp -r "$tmpdir/fish-$version/user_doc/html" "$fish_site/site/docs/$1"