Skip to content

Disable APT repository signing/uploads #224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jakub-tldr merged 3 commits into from
Jan 9, 2026
Merged

Disable APT repository signing/uploads #224

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c469c11
Disable APT repository signing/uploads
jakub-tldr Jan 9, 2026
af23f2d
Update package with vulnerability
jakub-tldr Jan 9, 2026
44e1aa4
Merge branch 'main' into disable_apt
jakub-tldr Jan 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 0 additions & 50 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -178,20 +178,6 @@ jobs:
asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
asset_content_type: application/octet-stream

- name: Install ruby with deb-s3
if: matrix.build == 'linux'
run: |
sudo apt-get install -y ruby
gem install deb-s3
echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH

- name: Upload DEB to apt repository
if: matrix.build == 'linux'
run: |
COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.

deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb

- name: Build RPM package
if: matrix.build == 'linux'
uses: bpicode/github-action-fpm@master
Expand All @@ -209,39 +195,3 @@ jobs:
asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
asset_content_type: application/octet-stream

apt-sign:
needs:
- build-binaries
runs-on:
- self-hosted
- Linux
- X64
strategy:
fail-fast: false
steps:
- name: Sign APT repository on trixie
run: |
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
export AWS_REGION=eu-north-1
sudo apt update -y
sudo apt install -y awscli curl jq

for DIST in trixie; do
aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .

curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
-H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
-F "file=@Release" \
-o response.json

cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease

aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read

done
(aws s3 ls s3://apt.defguard.net/dists/ --recursive; aws s3 ls s3://apt.defguard.net/pool/ --recursive) | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
aws s3 cp index.html s3://apt.defguard.net/ --acl public-read