From d33d27ee824d07b4c6373f05668078558a0e1e82 Mon Sep 17 00:00:00 2001
From: Elian Doran
Date: Thu, 14 Aug 2025 11:45:59 +0300
Subject: [PATCH] feat(forge): validate rpm signing

---
 .github/actions/build-electron/action.yml | 25 +++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml
index da4e94507..e48e2cc27 100644
--- a/.github/actions/build-electron/action.yml
+++ b/.github/actions/build-electron/action.yml
@@ -55,12 +55,6 @@ runs:
 security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain
 security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain
- - name: Import GPG signing key
- if: inputs.os == 'linux'
- shell: ${{ inputs.shell }}
- run: |
- echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
-
 - name: Set up Python and other macOS dependencies
 if: ${{ inputs.os == 'macos' }}
 shell: ${{ inputs.shell }}
@@ -168,3 +162,22 @@ runs:
 echo "Found ZIP: $zip_file"
 echo "Note: ZIP files are not code signed, but their contents should be"
 fi
+
+ - name: Import GPG signing key
+ if: inputs.os == 'linux'
+ shell: ${{ inputs.shell }}
+ run: |
+ echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
+
+ # Import the key into RPM for verification
+ gpg --export -a > pubkey
+ rpm --import pubkey
+ rm pubkey
+
+ # Validate code signing
+ rpm_file=$(find ./apps/desktop/dist -name "*.rpm" -print -quit)
+ if ! rpm -K "$rpm_file" | grep -q "digests signatures OK"; then
+ echo .rpm file not signed
+ rpm -Kv "$rpm_file"
+ exit 1
+ fi
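Review bot: `rpm_file` is empty when `find` matches nothing in `./apps/desktop/dist`, so `rpm -K ""` fails and the step reports ".rpm file not signed" instead of the real cause; add `if [ -z "$rpm_file" ]; then echo "no .rpm found under ./apps/desktop/dist"; exit 1; fi` directly after the `find` line in the second hunk. `-print -quit` also stops at the first match, so if the build ever emits more than one `.rpm` only one of them is verified; iterating over every match (for example `find … -print0 | while IFS= read -r -d '' rpm_file`) would close that gap. The step now runs after the build and after the ZIP validation step, so the key is no longer in the gpg keyring while the build itself runs — if the rpm maker signs using that keyring, the build would either fail or produce an unsigned package that this check then rejects; worth confirming the maker imports the key on its own. `gpg --export -a` with no argument exports every public key in the runner's keyring rather than the one just imported, so `rpm --import` trusts any key present; exporting by the signing key's fingerprint keeps the RPM trust store scoped to that key.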