Add gpg verification

.drone.yml

@@ -72,8 +72,10 @@ steps:
   - echo "$${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
   - chmod 600 ~/.ssh/id_ed25519
   - echo -e "Host *\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
+  - echo "$${USER_PGP_PUBKEY}" > user.gpg && gpg --import user.gpg || true
   - git ls-remote --tags "${REPO_URL}" | grep -q "refs/tags/${REPO_TAG}" || { echo "No tag found (was looking for ${REPO_TAG})" >&2; exit 1; }
-  - git clone --depth 1 --branch $$(git ls-remote --tags "${REPO_URL}" | grep "refs/tags/${REPO_TAG}" | tail -n 1 | sed 's@/@ @;s@/@ @' | awk '{ print $$4 }') ${REPO_URL} "/work/${LOGIN}"
+  - git clone --depth 1 --branch $$(git ls-remote --tags "${REPO_URL}" | grep "refs/tags/${REPO_TAG}" | tail -n 1 | sed 's@/@ @;s@/@ @;s@\^{}$@@' | awk '{ print $$4 }') ${REPO_URL} "/work/${LOGIN}"
+  - git -C "/work/${LOGIN}" verify-tag --raw $$(git ls-remote --tags "${REPO_URL}" | grep "refs/tags/${REPO_TAG}" | tail -n 1 | sed 's@/@ @;s@/@ @;s@\^{}$@@' | awk '{ print $$4 }') || echo "Tag verification failed"
   - tar cJf "/work/rendu-${LOGIN}.tar.xz" --exclude-vcs -C /work "${LOGIN}/"
   - "echo -e '{\"filename\": \"rendu-${LOGIN}.tar.xz\", \"size\": '$$(du -s ${LOGIN}/ | awk \'{ print $1 }\')', \"date_now\": \"'$$(date -Iseconds)'\", \"date\": \"'$$(git -C \'/work/${LOGIN}\' log -1 --format=%cd --date=iso-strict)'\", \"tag\": \"'$(git -C \'/work/${LOGIN}\' describe --tags)'\", \"commit\": \"'$$(git -C \'/work/${LOGIN}\' rev-parse HEAD)'\"}' >> /work/rendu-${LOGIN}.metadata"
   - "[ -x \"checks-${DEST}.sh\" ] && \"./checks-${DEST}.sh\" '/work/${LOGIN}/' > /work/rendu-${LOGIN}.checks || true"

Dockerfile

@@ -1,3 +1,3 @@
 FROM alpine:3.16
 
-RUN apk add --no-cache gawk git tar openssh-client-default xz
+RUN apk add --no-cache gawk git gnupg tar openssh-client-default xz