fix: signature template failed silently after signing process completed (#5148)

The presence of an artifact field in the `signature` or `certificate` template field caused a silent failure in the template when re-applied after the external signing process was called. This was due to the artifact being presence in the template context before the signing process, but not after. An error here was also ignored. The fix supplies the artifact to the template context, and also allows a template failure to fail the overall process. As far as I can tell, this change aligns behaviour to match existing documentation. Fixes #5147
2025-03-17 20:47:50 +02:00 · 2024-09-23 22:14:26 +10:00 · 2024-09-23 22:14:26 +10:00 · 2bdfbdcbfe
commit 2bdfbdcbfe
parent d456f7937b
2 changed files with 39 additions and 11 deletions
--- a/internal/pipe/sign/sign.go
+++ b/internal/pipe/sign/sign.go
@ -255,8 +255,14 @@ func signone(ctx *context.Context, cfg config.Sign, art *artifact.Artifact) ([]*

 	// re-execute template results, using artifact desc as artifact so they eval to the actual needed file desc.
 	env["artifact"] = art.Name
-	name, _ = tmpl.New(ctx).WithEnv(env).Apply(expand(cfg.Signature, env))   // could never error as it passed the previous check
-	cert, _ = tmpl.New(ctx).WithEnv(env).Apply(expand(cfg.Certificate, env)) // could never error as it passed the previous check
+	name, err = tmpl.New(ctx).WithArtifact(art).WithEnv(env).Apply(expand(cfg.Signature, env))
+	if err != nil {
+		return nil, fmt.Errorf("sign failed: %s: %w", art.Name, err)
+	}
+	cert, err = tmpl.New(ctx).WithArtifact(art).WithEnv(env).Apply(expand(cfg.Certificate, env))
+	if err != nil {
+		return nil, fmt.Errorf("sign failed: %s: %w", art.Name, err)
+	}

 	if cfg.Signature != "" {
 		result = append(result, &artifact.Artifact{
--- a/internal/pipe/sign/sign_binary_test.go
+++ b/internal/pipe/sign/sign_binary_test.go
@ -93,17 +93,19 @@ func TestBinarySign(t *testing.T) {
 		require.NoError(tb, os.WriteFile(filepath.Join(tmpdir, "bin2"), []byte("foo"), 0o644))

 		ctx.Artifacts.Add(&artifact.Artifact{
-			Name: "bin1",
-			Path: filepath.Join(tmpdir, "bin1"),
-			Type: artifact.Binary,
+			Name:   "bin1",
+			Path:   filepath.Join(tmpdir, "bin1"),
+			Type:   artifact.Binary,
+			Goarch: "amd64",
 			Extra: map[string]interface{}{
 				artifact.ExtraID: "foo",
 			},
 		})
 		ctx.Artifacts.Add(&artifact.Artifact{
-			Name: "bin2",
-			Path: filepath.Join(tmpdir, "bin2"),
-			Type: artifact.Binary,
+			Name:   "bin2",
+			Path:   filepath.Join(tmpdir, "bin2"),
+			Type:   artifact.Binary,
+			Goarch: "arm64",
 			Extra: map[string]interface{}{
 				artifact.ExtraID: "bar",
 			},
@ -113,9 +115,9 @@ func TestBinarySign(t *testing.T) {
 		require.NoError(tb, pipe.Default(ctx))

 		for i := range ctx.Config.BinarySigns {
-			ctx.Config.BinarySigns[i].Args = append(
-				[]string{"--homedir", keyring},
-				ctx.Config.BinarySigns[i].Args...,
+			ctx.Config.BinarySigns[i].Env = append(
+				ctx.Config.BinarySigns[i].Env,
+				"GNUPGHOME="+keyring,
 			)
 		}
 		require.NoError(tb, pipe.Run(ctx))
@ -129,6 +131,26 @@ func TestBinarySign(t *testing.T) {
 		require.Len(t, sigs, 2)
 	})

+	t.Run("templated-signature", func(t *testing.T) {
+		sigs := doTest(t, config.Sign{
+			Signature: "prefix_{{ .Arch }}_suffix",
+			Cmd:       "/bin/sh",
+			Args: []string{
+				"-c",
+				`echo "siging signature=$signature artifact=$artifact"`,
+				"shell",
+			},
+		})
+		require.Len(t, sigs, 2)
+		require.Equal(t,
+			[]*artifact.Artifact{
+				{Name: "prefix_amd64_suffix", Path: "prefix_amd64_suffix", Type: 13, Extra: artifact.Extras{"ID": "default"}},
+				{Name: "prefix_arm64_suffix", Path: "prefix_arm64_suffix", Type: 13, Extra: artifact.Extras{"ID": "default"}},
+			},
+			sigs,
+		)
+	})
+
 	t.Run("filter", func(t *testing.T) {
 		sigs := doTest(t, config.Sign{
 			ID:  "bar",