ci: add gpg signing for RPM packages (#4056)

.github/workflows/reusable-release.yaml

@@ -75,6 +75,12 @@ jobs:
           args: mod -licenses -json -output bom.json
           version: ^v1
 
+      - name: "save gpg key"
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: |
+          echo "$GPG_KEY" > gpg.key
+
       - name: GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:
@@ -82,6 +88,12 @@ jobs:
           args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_FILE: "gpg.key"
+
+      - name: "remove gpg key"
+        run: |
+          rm gpg.key
 
       # Push images to registries (only for canary build)
       # The custom Dockerfile.canary is necessary

.github/workflows/test.yaml

@@ -134,4 +134,5 @@ jobs:
       with:
         version: v1.16.2
         args: release --skip-sign --snapshot --clean --skip-publish --timeout 90m
-
+      env:
+        GPG_FILE: "nogpg.key"

docs/getting-started/installation.md

@@ -15,8 +15,9 @@ In this section you will find an aggregation of the different ways to install Tr
     [trivy]
     name=Trivy repository
     baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
-    gpgcheck=0
+    gpgcheck=1
     enabled=1
+    gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
     EOF
     sudo yum -y update
     sudo yum -y install trivy

goreleaser.yml

@@ -74,6 +74,9 @@ nfpms:
     contents:
      - src: contrib/*.tpl
        dst: /usr/local/share/trivy/templates
+    rpm:
+      signature:
+         key_file: '{{ .Env.GPG_FILE }}'
 
 archives:
   -