strombetta · strombetta · Feb 2, 2026 · Feb 2, 2026
@@ -113,6 +113,71 @@ jobs:
             echo "PRERELEASE=false" >> "$GITHUB_ENV"
           fi
 
+      - name: Install signing tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y minisign gnupg
+
+      - name: Generate SHA256SUMS and signatures
+        env:
+          MINISIGN_KEY: ${{ secrets.MINISIGN_KEY }}
+          MINISIGN_PUB: ${{ secrets.MINISIGN_PUB }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          set -euo pipefail
+
+          if [ -z "${MINISIGN_KEY:-}" ] || [ -z "${MINISIGN_PUB:-}" ]; then
+            echo "Missing minisign secrets (MINISIGN_KEY / MINISIGN_PUB)." >&2
+            exit 1
+          fi
+          if [ -z "${GPG_PRIVATE_KEY:-}" ]; then
+            echo "Missing GPG_PRIVATE_KEY secret." >&2
+            exit 1
+          fi
+
+          mkdir -p out dist
+          printf '%s' "$MINISIGN_KEY" | base64 -d > out/minisign.key
+          printf '%s' "$MINISIGN_PUB" | base64 -d > out/minisign.pub
+          chmod 600 out/minisign.key
+          cp out/minisign.pub dist/minisign.pub
+
+          export GNUPGHOME
+          GNUPGHOME="$(mktemp -d)"
+          trap 'rm -rf "$GNUPGHOME"' EXIT
+          printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import
+          key_id="$(gpg --list-secret-keys --with-colons | awk -F: '$1=="sec" {print $5; exit}')"
+          if [ -z "$key_id" ]; then
+            echo "No GPG secret key imported." >&2
+            exit 1
+          fi
+
+          mapfile -d '' files < <(find dist -name 'bugleos-toolchain-*.tar.gz' -print0 | sort -z)
+          if [ "${#files[@]}" -eq 0 ]; then
+            echo "No toolchain tarballs found under dist/." >&2
+            exit 1
+          fi
+
+          sha256sum "${files[@]}" > dist/SHA256SUMS
+
+          minisign -S -s out/minisign.key -p out/minisign.pub -m dist/SHA256SUMS
+          if [ -n "${GPG_PASSPHRASE:-}" ]; then
+            gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
+              --local-user "$key_id" --armor --detach-sign -o dist/SHA256SUMS.asc dist/SHA256SUMS
+          else
+            gpg --batch --yes --local-user "$key_id" --armor --detach-sign -o dist/SHA256SUMS.asc dist/SHA256SUMS
+          fi
+
+          for f in "${files[@]}"; do
+            minisign -S -s out/minisign.key -p out/minisign.pub -m "$f"
+            if [ -n "${GPG_PASSPHRASE:-}" ]; then
+              gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
+                --local-user "$key_id" --armor --detach-sign -o "$f.asc" "$f"
+            else
+              gpg --batch --yes --local-user "$key_id" --armor --detach-sign -o "$f.asc" "$f"
+            fi
+          done
+
       - name: Publish GitHub Release
         uses: softprops/action-gh-release@v2
         with:
@@ -129,3 +194,11 @@ jobs:
           files: |
             dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz
             dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz
+            dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz.minisig
+            dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz.minisig
+            dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz.asc
+            dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz.asc
+            dist/SHA256SUMS
+            dist/SHA256SUMS.minisig
+            dist/SHA256SUMS.asc
+            dist/minisign.pub