---
title: Signing
series: customization
hideFromIndex: true
weight: 60
---

GoReleaser can sign some or all of the generated artifacts. Signing lets your
users confirm that the artifacts were generated by you: they verify the
generated signature against your public signing key.

Signing works in combination with checksum files, and it is generally sufficient
to sign the checksum files only, because a verified checksum file authenticates
every artifact whose hash it lists.

The default configuration creates a detached signature for the checksum files
with [GnuPG](https://www.gnupg.org/) and your default key. To enable signing,
add:

```yaml
# .goreleaser.yml
sign:
  artifacts: checksum
```

To customize the signing pipeline, you can use the following options:

```yml
# .goreleaser.yml
sign:
  # name of the signature file.
  # '${artifact}' is the path to the artifact that should be signed.
  #
  # signature: "${artifact}.sig"

  # path to the signature command
  #
  # cmd: gpg

  # command line arguments for the command
  #
  # to sign with a specific key use
  # args: ["-u", "<key id, fingerprint, email, ...>", "--output", "${signature}", "--detach-sign", "${artifact}"]
  #
  # args: ["--output", "${signature}", "--detach-sign", "${artifact}"]

  # which artifacts to sign
  #
  #   checksum: only checksum file(s)
  #   all:      all artifacts
  #   none:     no signing
  #
  # artifacts: none
```
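
The user-side check that makes signing only the checksum file sufficient, as an added example (not GoReleaser's own code): authenticate the checksum file first, then compare the downloaded artifact against its entry. The function name `verify_release` is hypothetical, and the script assumes a checksum file in `sha256sum` format, a signature named with the `${artifact}.sig` pattern shown above, and the publisher's public key already imported into the local GnuPG keyring.

```shell
#!/usr/bin/env bash
# Added example: verify a release whose checksum file carries a detached
# GnuPG signature. Assumes "<sha256>  <name>" lines in the checksum file.

# verify_release <checksum-file> <artifact>
# Returns 0 only if the signature on the checksum file verifies AND the
# artifact's SHA-256 matches its entry in that file.
verify_release() {
  local sums="$1" artifact="$2"
  local sig="${sums}.sig"   # signature name pattern: "${artifact}.sig"
  local name expected actual

  [ -f "$sums" ] && [ -f "$sig" ] && [ -f "$artifact" ] || {
    echo "missing checksum file, signature or artifact" >&2; return 2; }

  # 1. Authenticate the checksum file before trusting any hash in it.
  gpg --verify "$sig" "$sums" >/dev/null 2>&1 || {
    echo "BAD signature on $sums" >&2; return 1; }

  # 2. Find the artifact's entry by exact file name (no regex matching).
  name="$(basename "$artifact")"
  expected="$(awk -v n="$name" \
    '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")"
  [ -n "$expected" ] || { echo "$name not listed in $sums" >&2; return 1; }

  # 3. Compare against the hash of the file that was actually downloaded.
  actual="$(sha256sum "$artifact" | awk '{ print $1 }')"
  [ "$actual" = "$expected" ] || {
    echo "checksum mismatch for $name" >&2; return 1; }

  echo "OK: $name"
}

# Run as: ./verify.sh <checksum-file> <artifact>
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

An artifact that is missing from the checksum file is rejected rather than skipped, since an unlisted file is not covered by the signature.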