goreleaser/www/content/sign.md

---
title: Signing
series: customization
hideFromIndex: true
weight: 60
---

GoReleaser can sign some or all of the generated artifacts. Signing ensures
that the artifacts have been generated by yourself and your users can verify
that by comparing the generated signature with your public signing key.

Signing works in combination with checksum files and it is generally sufficient
to sign the checksum files only.

The default is configured to create a detached signature for the checksum files
with [GnuPG](https://www.gnupg.org/) and your default key. To enable signing
just add

```yaml
# goreleaser.yml
signs:
  - artifacts: checksum
```

To customize the signing pipeline you can use the following options:

```yml
# .goreleaser.yml
signs:
  -
    # ID of the sign config, must be unique.
    # Defaults to "default".
    id: foo

    # name of the signature file.
    # '${artifact}' is the path to the artifact that should be signed.
    #
    # defaults to `${artifact}.sig`
    signature: "${artifact}_sig"

    # path to the signature command
    #
    # defaults to `gpg`
    cmd: gpg2

    # command line arguments for the command
    #
    # to sign with a specific key use
    # args: ["-u", "<key id, fingerprint, email, ...>", "--output", "${signature}", "--detach-sign", "${artifact}"]
    #
    # defaults to `["--output", "${signature}", "--detach-sign", "${artifact}"]`
    args: ["--output", "${signature}", "${artifact}"]


    # which artifacts to sign
    #
    #   checksum: only checksum file(s)
    #   all:      all artifacts
    #   none:     no signing
    #
    # defaults to `none`
    artifacts: all

    # IDs of the artifacts to sign.
    # Defaults to all.
    # If `artifacts` is checksum, this fields has no effect.
    ids:
      - foo
      - bar
```

## Signing with gon

You can use [gon][] to create notarized macOS apps. Here's an example config:

```yaml
builds:
- binary: foo
  id: foo
  goos:
  - linux
  - windows
  goarch:
  - amd64
# notice that we need a separated build for the macos binary only:
- binary: foo
  id: foo-macos
  goos:
  - darwin
  goarch:
  - amd64
signs:
  - signature: "${artifact}.dmg"
    ids:
    - foo-macos # here we filter the macos only build id
    # you'll need to have gon on PATH
    cmd: gon
    # you can follow the gon docs to properly create the gon.hcl config file:
    # https://github.com/mitchellh/gon
    args:
    - gon.hcl
    artifacts: all
```

Note that notarizing take some time, and will need to be run from a macOS machine.

You can also check [this issue](https://github.com/goreleaser/goreleaser/issues/1227) for more details.

[gon]: https://github.com/mitchellh/gon
feat: add artifact sign pipeline This patch adds a generic artifact signing pipeline. Fixes #166 2017-12-13 18:14:01 +02:00			`---`
			`title: Signing`
docs: starting to re-work the docs site 2018-04-25 07:20:12 +02:00			`series: customization`
			`hideFromIndex: true`
			`weight: 60`
feat: add artifact sign pipeline This patch adds a generic artifact signing pipeline. Fixes #166 2017-12-13 18:14:01 +02:00			`---`

			`GoReleaser can sign some or all of the generated artifacts. Signing ensures`
			`that the artifacts have been generated by yourself and your users can verify`
			`that by comparing the generated signature with your public signing key.`

			`Signing works in combination with checksum files and it is generally sufficient`
test: add test for sign pipeline The unit tests needs a test key to work with. I have tried to create a test keyring on the fly and while that worked I was not able to successfully sign with that. gpg would bail with an ioctl error which I didn't track down since using a static key works. 2017-12-13 23:57:24 +02:00			`to sign the checksum files only.`
feat: add artifact sign pipeline This patch adds a generic artifact signing pipeline. Fixes #166 2017-12-13 18:14:01 +02:00
			`The default is configured to create a detached signature for the checksum files`
docs: fix several typos 2017-12-20 12:32:21 +02:00			`with [GnuPG](https://www.gnupg.org/) and your default key. To enable signing`
feat: add artifact sign pipeline This patch adds a generic artifact signing pipeline. Fixes #166 2017-12-13 18:14:01 +02:00			`just add`

			```yaml
			`# goreleaser.yml`
feat: multiple sign (#1088) Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2019-07-21 23:46:46 +02:00			`signs:`
			`- artifacts: checksum`
feat: add artifact sign pipeline This patch adds a generic artifact signing pipeline. Fixes #166 2017-12-13 18:14:01 +02:00			```

			`To customize the signing pipeline you can use the following options:`

			```yml
			`# .goreleaser.yml`
feat: multiple sign (#1088) Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2019-07-21 23:46:46 +02:00			`signs:`
			`-`
feat(sign): id, concurrent map (#1321) * feat(sign): id, concurrent map Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: more tests Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> * fix: comments Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2020-01-30 05:21:45 +02:00			`# ID of the sign config, must be unique.`
			`# Defaults to "default".`
			`id: foo`

feat: multiple sign (#1088) Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2019-07-21 23:46:46 +02:00			`# name of the signature file.`
			`# '${artifact}' is the path to the artifact that should be signed.`
			`#`
			# defaults to `${artifact}.sig`
			`signature: "${artifact}_sig"`

			`# path to the signature command`
			`#`
			# defaults to `gpg`
			`cmd: gpg2`

			`# command line arguments for the command`
			`#`
			`# to sign with a specific key use`
			`# args: ["-u", "<key id, fingerprint, email, ...>", "--output", "${signature}", "--detach-sign", "${artifact}"]`
			`#`
			# defaults to `["--output", "${signature}", "--detach-sign", "${artifact}"]`
			`args: ["--output", "${signature}", "${artifact}"]`


			`# which artifacts to sign`
			`#`
			`# checksum: only checksum file(s)`
			`# all: all artifacts`
			`# none: no signing`
			`#`
			# defaults to `none`
			`artifacts: all`
feat: filter by id on sign pipe (#1233) Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2019-11-08 14:10:56 +02:00
			`# IDs of the artifacts to sign.`
			`# Defaults to all.`
			# If `artifacts` is checksum, this fields has no effect.
			`ids:`
			`- foo`
			`- bar`
feat: add artifact sign pipeline This patch adds a generic artifact signing pipeline. Fixes #166 2017-12-13 18:14:01 +02:00			```
docs: signing with mitchellh/gon (#1277) Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com> 2019-12-27 04:14:40 +02:00
			`## Signing with gon`

			`You can use [gon][] to create notarized macOS apps. Here's an example config:`

			```yaml
			`builds:`
			`- binary: foo`
			`id: foo`
			`goos:`
			`- linux`
			`- windows`
			`goarch:`
			`- amd64`
			`# notice that we need a separated build for the macos binary only:`
			`- binary: foo`
			`id: foo-macos`
			`goos:`
			`- darwin`
			`goarch:`
			`- amd64`
			`signs:`
			`- signature: "${artifact}.dmg"`
			`ids:`
			`- foo-macos # here we filter the macos only build id`
			`# you'll need to have gon on PATH`
			`cmd: gon`
			`# you can follow the gon docs to properly create the gon.hcl config file:`
			`# https://github.com/mitchellh/gon`
			`args:`
			`- gon.hcl`
			`artifacts: all`
			```

			`Note that notarizing take some time, and will need to be run from a macOS machine.`

			`You can also check [this issue](https://github.com/goreleaser/goreleaser/issues/1227) for more details.`

			`[gon]: https://github.com/mitchellh/gon`