2022-06-11 04:04:16 +02:00
|
|
|
# Verifiable Builds
|
2021-03-31 02:06:25 +02:00
|
|
|
|
2022-09-17 05:13:09 +02:00
|
|
|
GoReleaser has support for creating verifiable builds. A [verifiable build][vgo]
|
|
|
|
|
is one that records enough information to be precise about exactly how to repeat
|
|
|
|
|
it. All dependencies are loaded via `proxy.golang.org`, and verified against the
|
|
|
|
|
checksum database `sum.golang.org`. A GoReleaser-created verifiable build will
|
|
|
|
|
include module information in the resulting binary, which can be printed using
|
|
|
|
|
`go version -m mybinary`.
|
2021-03-31 02:06:25 +02:00
|
|
|
|
2021-09-16 19:31:57 +02:00
|
|
|
Configuration options available are described below.
|
2021-03-31 02:06:25 +02:00
|
|
|
|
|
|
|
|
```yaml
|
2021-12-23 02:52:01 +02:00
|
|
|
# goreleaser.yaml
|
2021-03-31 02:06:25 +02:00
|
|
|
|
|
|
|
|
gomod:
|
|
|
|
|
# Proxy a module from proxy.golang.org, making the builds verifiable.
|
2022-09-17 05:13:09 +02:00
|
|
|
# This will only be effective if running against a tag. Snapshots will ignore
|
|
|
|
|
# this setting.
|
2021-04-19 14:32:45 +02:00
|
|
|
# Notice: for this to work your `build.main` must be a package, not a `.go` file.
|
2021-03-31 02:06:25 +02:00
|
|
|
proxy: true
|
|
|
|
|
|
2022-09-17 05:13:09 +02:00
|
|
|
# If proxy is true, use these environment variables when running `go mod`
|
|
|
|
|
# commands (namely, `go mod tidy`).
|
2022-10-04 18:01:18 +02:00
|
|
|
#
|
|
|
|
|
# Default: `os.Environ()` merged with what you set the root `env` section.
|
2021-03-31 02:06:25 +02:00
|
|
|
env:
|
|
|
|
|
- GOPROXY=https://proxy.golang.org,direct
|
|
|
|
|
- GOSUMDB=sum.golang.org
|
|
|
|
|
- GOPRIVATE=example.com/blah
|
|
|
|
|
|
2022-03-17 13:53:39 +02:00
|
|
|
# Sets the `-mod` flag value.
|
2022-09-11 21:54:51 +02:00
|
|
|
#
|
2023-04-02 22:16:21 +02:00
|
|
|
# Since: v1.7
|
2022-03-17 13:53:39 +02:00
|
|
|
mod: mod
|
|
|
|
|
|
2021-03-31 02:06:25 +02:00
|
|
|
# Which Go binary to use.
|
2022-10-04 18:01:18 +02:00
|
|
|
#
|
|
|
|
|
# Default: `go`.
|
2022-03-17 04:37:29 +02:00
|
|
|
gobinary: go1.17
|
2021-03-31 02:06:25 +02:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
!!! tip
|
2023-11-04 03:59:25 +02:00
|
|
|
|
2022-09-17 05:13:09 +02:00
|
|
|
You can use `debug.ReadBuildInfo()` to get the version/checksum/dependencies
|
|
|
|
|
of the module.
|
2021-03-31 02:06:25 +02:00
|
|
|
|
2022-10-26 03:16:06 +02:00
|
|
|
!!! warning
|
2023-11-04 03:59:25 +02:00
|
|
|
|
2022-10-26 03:16:06 +02:00
|
|
|
VCS Info will not be embedded in the binary, as in practice it is not being
|
|
|
|
|
built from the source, but from the Go Mod Proxy.
|
|
|
|
|
|
2023-11-04 03:59:25 +02:00
|
|
|
!!! warning
|
|
|
|
|
|
|
|
|
|
If you have a `go.work` file, make sure to run `go work sync`, so the main
|
|
|
|
|
module (`.`) is the first line inside the `use` block.
|
|
|
|
|
|
2021-03-31 02:06:25 +02:00
|
|
|
[vgo]: https://research.swtch.com/vgo-repro
|
