mirror of https://github.com/goreleaser/goreleaser.git synced 2025-03-19 20:57:53 +02:00
goreleaser/www/docs/customization/binary_sign.md
Carlos Alexandro Becker a23c9df16b
docs: minor docs improvements (#5320)
- better styling
- short codes
- no 404 on unreleased `Since: ` block
2024-11-29 11:17:45 -03:00

# Signing Binaries
<!-- md:version v2.2 -->
This can be used to archive the binaries with their signatures, instead of
signing the whole archive.
The default is configured to create a detached signature for the checksum files
with [GnuPG](https://www.gnupg.org/), and your default key.
To enable binary signing just add this to your configuration:
```yaml title=".goreleaser.yaml"
binary_signs:
  - {}
```
To customize the binary signing pipeline you can use the following options:
```yaml title=".goreleaser.yaml"
binary_signs:
  - #
    # ID of the sign config, must be unique.
    #
    # Default: 'default'.
    id: foo

    # Name of the signature file.
    #
    # Default: '${artifact}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'.
    # Templates: allowed.
    signature: "${artifact}_sig"

    # Path to the signature command.
    #
    # Default: 'gpg'.
    cmd: gpg2

    # Command line arguments for the command.
    #
    # To sign with a specific key, use:
    # args: ["-u", "<key id, fingerprint, email, ...>", "--output", "${signature}", "--detach-sign", "${artifact}"]
    #
    # Default: ["--output", "${signature}", "--detach-sign", "${artifact}"].
    # Templates: allowed.
    args: ["--output", "${signature}", "${artifact}", "{{ .ProjectName }}"]

    # Which artifacts to sign.
    #
    # Valid options are:
    # - none: no signing
    # - binary: the binaries
    #
    # Default: 'binary'.
    artifacts: binary

    # IDs of the artifacts to sign.
    #
    # If `artifacts` is checksum or source, this field has no effect.
    ids:
      - foo
      - bar

    # Allows further filtering of the artifacts.
    #
    # Artifacts that do not match this expression will be ignored.
    #
    # Pro only.
    # Templates: allowed.
    if: '{{ eq .Os "linux" }}'

    # Data to be given to the signature command as stdin.
    #
    # Templates: allowed.
    stdin: "{{ .Env.GPG_PASSWORD }}"

    # File whose contents are given to the signature command as stdin.
    stdin_file: ./.password

    # Sets a certificate that your signing command should write to.
    #
    # You can later use `${certificate}` or `.Env.certificate` in the `args` section.
    #
    # This is particularly useful for keyless signing with cosign, and should
    # not usually be used otherwise.
    #
    # Note that this should be a name, not a path.
    #
    # Templates: allowed.
    certificate: '{{ trimsuffix .Env.artifact ".tar.gz" }}.pem'

    # List of environment variables that will be passed to the signing command
    # as well as the templates.
    env:
      - FOO=bar
      - HONK=honkhonk

    # By default, the stdout and stderr of the signing cmd are discarded unless
    # GoReleaser is running with `--verbose` set.
    # You can set this to true if you want them to be displayed regardless.
    output: true
```
### Available variable names
These environment variables might be available in the fields that accept
templates:
- `${artifact}`: the path to the artifact that will be signed
- `${artifactID}`: the ID of the artifact that will be signed
- `${certificate}`: the certificate filename, if provided
- `${signature}`: the signature filename
### Differences from the default `signs`
The only difference is the artifact filtering and that this pipe also runs in
the build phase.
In `signs`, if you set `artifacts` to `binary`, it only works if you also set
the `archives` `format` to `binary`.
Here, it works regardless of the archive format.
## Signing with cosign
You can sign your artifacts with [cosign][] as well.
Assuming you have a `cosign.key` in the repository root and a `COSIGN_PWD`
environment variable set, a simple usage example would look like this:
```yaml title=".goreleaser.yaml"
binary_signs:
  - cmd: cosign
    stdin: "{{ .Env.COSIGN_PWD }}"
    args:
      - "sign-blob"
      - "--key=cosign.key"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes" # needed on cosign 2.0.0+
```
Your users can then verify the signature with:
```sh
cosign verify-blob --key cosign.pub --signature binary.sig binary
```
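As an added example that is not part of the GoReleaser docs, the script below runs the page's default GnuPG signing command (`--output ${signature} --detach-sign ${artifact}`) against a throw-away key and then plays the user's side of the verification step shown above, including what a user sees when the downloaded binary has been altered. It assumes `gpg` (GnuPG 2.1 or later) is installed; the key, the binary and the `release-bot@example.invalid` identity are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the GoReleaser docs. Runs the page's default signing
# command (args: --output ${signature} --detach-sign ${artifact}) with a
# throw-away GnuPG key, then plays the user's side: import the published public
# key, verify the detached signature, and confirm a modified binary is rejected.
set -eu
WORK="$(mktemp -d)"
REL="$WORK/release-home"; USR="$WORK/user-home"     # two isolated keyrings
trap 'rm -rf "$WORK"' EXIT

# Release side: unprotected test key (constructed for the demo only; a real
# release key is passphrase-protected and fed via `stdin`/`stdin_file`).
make_release_key() {
  mkdir -p "$REL" "$USR" && chmod 700 "$REL" "$USR"
  GNUPGHOME="$REL" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "release-bot@example.invalid" default default never
  GNUPGHOME="$REL" gpg --batch --quiet --armor --export "release-bot@example.invalid" \
    > "$WORK/release.pub"                     # what the project would publish
}

# What GoReleaser runs per binary: ${artifact} and ${signature} here mirror the
# variables it substitutes; the suffix follows the shape of the default `signature`.
sign_artifact() {
  artifact="$1"; signature="${artifact}_linux_amd64.sig"
  GNUPGHOME="$REL" gpg --batch --quiet --yes --output "${signature}" --detach-sign "${artifact}"
  printf '%s\n' "$signature"
}

# User side: a keyring that only knows release.pub. Prints ok or FAIL.
verify_artifact() {
  artifact="$1"; signature="$2"
  GNUPGHOME="$USR" gpg --batch --quiet --import "$WORK/release.pub" 2>/dev/null
  if GNUPGHOME="$USR" gpg --batch --quiet --verify "$signature" "$artifact" 2>/dev/null
  then echo ok; else echo FAIL; fi
}

# End-to-end: sign, verify, tamper, verify again. Prints "ok FAIL".
demo() {
  make_release_key
  printf 'constructed fake binary v1\n' > "$WORK/mybin"
  sig="$(sign_artifact "$WORK/mybin")"
  good="$(verify_artifact "$WORK/mybin" "$sig")"
  printf 'tampered\n' >> "$WORK/mybin"          # simulate a swapped download
  bad="$(verify_artifact "$WORK/mybin" "$sig")"
  echo "$good $bad"
}
```

Run `demo` to see the untouched binary verify and the modified one fail; the second result is exactly why the signature must be checked against the artifact actually downloaded, not one cached earlier.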