From 5c81cc4cd242525423138b5b9188296dfa3b758a Mon Sep 17 00:00:00 2001
From: Igor Pecovnik
Date: Sun, 22 Jun 2025 22:21:33 +0200
Subject: [PATCH] APA: sign with multiple keys at once
---
 .github/workflows/build.yml | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 230e707..c54af93 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,6 +47,9 @@ jobs:
 if-no-files-found: ignore
 merge:
+ env:
+ PRIMARY_KEY: ${{ secrets.GPG_KEY3 }}
+ SECONDARY_KEY: ${{ secrets.GPG_KEY4 }}
 name: "Merge artifacts and publish"
 needs: build-debs
 runs-on: ubuntu-latest
@@ -65,12 +68,28 @@ jobs:
 run: |
 sudo apt-get update
 sudo apt-get install -y reprepro
- - name: Import GPG key
- id: import_gpg
+ - name: Import PRIMARY GPG key
+ id: import_gpg_primary
+ if: env.PRIMARY_KEY != ''
 uses: crazy-max/ghaction-import-gpg@v6
 with:
- gpg_private_key: ${{ secrets.GPG_KEY1 }}
- passphrase: ${{ secrets.GPG_PASSPHRASE1 }}
+ gpg_private_key: ${{ env.PRIMARY_KEY }}
+ - name: Import SECONDARY GPG key
+ id: import_gpg_secondary
+ if: env.SECONDARY_KEY != ''
+ uses: crazy-max/ghaction-import-gpg@v6
+ with:
+ gpg_private_key: ${{ env.SECONDARY_KEY }}
+ - name: Generate GPG_PARAMETERS array
+ id: build_gpg_parameters
+ env:
+ FPR_PRIMARY: ${{ steps.import_gpg_primary.outputs.fingerprint }}
+ FPR_SECONDARY: ${{ steps.import_gpg_secondary.outputs.fingerprint }}
+ run: |
+ GPG_PARAMETERS="--yes --armor"
+ [ -n "$FPR_PRIMARY" ] && GPG_PARAMETERS+=" -u $FPR_PRIMARY"
+ [ -n "$FPR_SECONDARY" ] && GPG_PARAMETERS+=" -u $FPR_SECONDARY"
+ echo "GPG_PARAMETERS=$GPG_PARAMETERS" >> "$GITHUB_ENV"
 - name: Create distribution repository and commit to data branch
 run: |
 git checkout --orphan data
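Review bot: Both private signing keys are now exported at job scope (`env:` directly under `merge:`), so every step of the job — checkout, the apt install, and the third-party import action — runs with the key material in its process environment, not only the two steps that consume it. The `if: env.PRIMARY_KEY != ''` guards on the import steps in the next hunk look like the reason for job scope, since the `secrets` context is not available in a step-level `if`; if those guards can be driven by a step-level `env:` on the two import steps instead, that narrows the exposure, and otherwise the choice should be recorded with a comment such as `# job-level env: the import steps test key presence in their if:, where secrets cannot be read`.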
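Review bot: The removed `passphrase: ${{ secrets.GPG_PASSPHRASE1 }}` has no counterpart on either new import step, so if GPG_KEY3 or GPG_KEY4 is passphrase-protected the non-interactive signing in the later step will fail; either add a `passphrase:` input per key (the secret name is project-specific, e.g. `passphrase: ${{ secrets.<PASSPHRASE_SECRET> }}`) or state in a comment that these keys are stored without one. The `build_gpg_parameters` step also succeeds when both fingerprints are empty, leaving `GPG_PARAMETERS` without any `-u`, so gpg would sign with whatever default key it finds rather than failing; adding `[ -n "$FPR_PRIMARY$FPR_SECONDARY" ] || { echo "no signing key imported" >&2; exit 1; }` before the `echo` makes the missing-key case fail fast. Under the runner's default `bash -e`, a `[ -n ... ] && ...` line whose test is false returns non-zero, which is harmless here only because the `echo` is the script's last command — worth a one-line comment so a later reorder does not break the step.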
@@ -79,6 +98,13 @@ jobs:
 git config --global user.email "github-actions@github.com"
 for file in debian/artifacts/*.changes; do reprepro -b debian/artifacts include current $file;done
 reprepro -b debian/artifacts export
+ echo "Sign repo with multiple keys"
+ find "debian/artifacts/dists" -type f -name Release | while read -r release_file; do
+ distro_path="$(dirname "$release_file")"
+ echo "Signing release at: $distro_path"
+ gpg ${{ env.GPG_PARAMETERS }} --clear-sign -o "$distro_path/InRelease" "$release_file"
+ gpg ${{ env.GPG_PARAMETERS }} --detach-sign -o "$distro_path/Release.gpg" "$release_file"
+ done
 git add debian/artifacts/{pool,dists}
 git diff --cached --quiet || git commit --allow-empty -m "Update published repository files"
 git push --force --set-upstream origin data
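Review bot: `gpg ${{ env.GPG_PARAMETERS }}` on the two signing lines splices a workflow expression into the script text; the previous step already exported the value through `$GITHUB_ENV`, so it is a plain shell variable in this step and `gpg $GPG_PARAMETERS --clear-sign -o "$distro_path/InRelease" "$release_file"` (likewise for `--detach-sign`) avoids the expression-in-`run` idiom that is the usual vector for script injection, even though fingerprints produced by the import action keep the present risk low. The expansion has to stay unquoted so the several options split into arguments; say so with `# intentionally unquoted: GPG_PARAMETERS holds several gpg arguments`. The `find | while` pipeline runs the signing in a subshell, where the runner's default `bash -e` should still fail the step on a gpg error, but a failing `find` would be masked without `pipefail` — confirm against the job's `shell:` setting, which is outside this hunk.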