From 3f092612519928f164335904f2cb9914d2559610 Mon Sep 17 00:00:00 2001
From: Austin Lane
Date: Fri, 10 Oct 2025 18:44:01 -0400
Subject: [PATCH] CI: Detached signatures for firmware binaries

---
 .github/workflows/build_firmware.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/.github/workflows/build_firmware.yml b/.github/workflows/build_firmware.yml
index b62729332..f03652c05 100644
--- a/.github/workflows/build_firmware.yml
+++ b/.github/workflows/build_firmware.yml
@@ -45,6 +45,13 @@ jobs:
 echo "tgt=release/bleota.bin" >> $GITHUB_OUTPUT
 fi
 
+ - name: Import GPG key
+ if: github.repository == 'meshtastic/firmware'
+ uses: crazy-max/ghaction-import-gpg@v6
+ with:
+ gpg_private_key: ${{ secrets.PPA_GPG_PRIVATE_KEY }}
+ id: gpg
+
 - name: Build ${{ inputs.platform }}
 id: build
 uses: meshtastic/gh-action-firmware@main
@@ -55,6 +62,18 @@ jobs:
 ota_firmware_source: ${{ steps.ota_dir.outputs.src || '' }}
 ota_firmware_target: ${{ steps.ota_dir.outputs.tgt || '' }}
 
+ - name: Sign firmware
+ working-directory: release
+ if: github.repository == 'meshtastic/firmware'
+ env:
+ GPG_KEY_ID: ${{ steps.gpg.outputs.keyid }}
+ run: |
+ for f in *.bin *.elf *.uf2 *.hex *.zip; do
+ if [ -f "$f" ]; then
+ gpg --batch --default-key "$GPG_KEY_ID" --output "$f.sig" --detach-sign "$f"
+ fi
+ done
+
 - name: Store binaries as an artifact
 uses: actions/upload-artifact@v4
 id: upload
@@ -67,3 +86,4 @@ jobs:
 release/*.uf2
 release/*.hex
 release/*-ota.zip
+ release/*.sig
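Review bot: The `Import GPG key` step pulls a third-party action by the mutable tag `crazy-max/ghaction-import-gpg@v6` while handing it `secrets.PPA_GPG_PRIVATE_KEY`; for the one step that receives the release signing key, pin to a full commit SHA with the tag kept as a comment, `uses: crazy-max/ghaction-import-gpg@<full-commit-sha> # v6`, so a moved tag cannot change the code that sees the key. The `if: github.repository == 'meshtastic/firmware'` guard checks only the repository, not the triggering event or branch, so whether the key is imported on pull-request or manually dispatched runs depends on the workflow's `on:` block and any caller, both outside this hunk. As a point of style, `id: gpg` sits after `with:` whereas the neighbouring `Build` step keeps `id:` directly under `name:`; moving it up keeps the two steps parallel.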
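Review bot: The `Sign firmware` loop writes `$f.sig` for each binary but never checks the result, so a signature made with a wrong or stale `--default-key` would be uploaded unnoticed; adding `gpg --verify "$f.sig" "$f"` directly after the `--detach-sign` line turns a silent mis-sign into a failed run. Consumers also have nothing to verify against unless the public key travels with the binaries: `gpg --armor --export "$GPG_KEY_ID" > signing-key.asc` after the loop, plus `release/signing-key.asc` in the artifact path list, gives them a fingerprint to pin. If the imported key is passphrase-protected, `gpg --batch` as written will fail on the first file, since nothing supplies the passphrase non-interactively; the import action accepts a `passphrase` input, and the call would need the matching loopback pinentry options, which I cannot confirm from the hunk. The step is gated on the same repository condition as the import step, so `steps.gpg.outputs.keyid` is only read when the import actually ran.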
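Review bot: `release/*.sig` uploads every signature the signing step created, but the binary list it joins only includes `release/*-ota.zip`, while the signing loop globbed `*.zip`; any other zip left in `release/` would ship as an orphan `.sig` with no matching file in the artifact. Either narrow the signing glob to `*-ota.zip` to match this list, or widen the upload to `release/*.zip`, so each `.sig` in the artifact sits next to its subject. Whether other zips exist in `release/` depends on the build action's output, which is not visible here.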