mirror of
https://github.com/goreleaser/goreleaser.git
synced 2025-01-08 03:31:59 +02:00
64b1f14a86
* refactor: merging archive in the same repo * refactor: merging archive in the same repo * refactor: better organizing packages * refactor: fixing renames * fix: new dep version * fix: makefile * fix: zip/tar tests * fix: gitigonore * fix: s3 tests * fix: archive test
114 lines
2.6 KiB
Go
114 lines
2.6 KiB
Go
package sign
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
|
|
"github.com/goreleaser/goreleaser/internal/artifact"
|
|
"github.com/goreleaser/goreleaser/internal/pipeline"
|
|
"github.com/goreleaser/goreleaser/pkg/context"
|
|
)
|
|
|
|
// Pipe for artifact signing.
|
|
type Pipe struct{}
|
|
|
|
func (Pipe) String() string {
|
|
return "signing artifacts"
|
|
}
|
|
|
|
// Default sets the Pipes defaults.
|
|
func (Pipe) Default(ctx *context.Context) error {
|
|
cfg := &ctx.Config.Sign
|
|
if cfg.Cmd == "" {
|
|
cfg.Cmd = "gpg"
|
|
}
|
|
if cfg.Signature == "" {
|
|
cfg.Signature = "${artifact}.sig"
|
|
}
|
|
if len(cfg.Args) == 0 {
|
|
cfg.Args = []string{"--output", "$signature", "--detach-sig", "$artifact"}
|
|
}
|
|
if cfg.Artifacts == "" {
|
|
cfg.Artifacts = "none"
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Run executes the Pipe.
|
|
func (Pipe) Run(ctx *context.Context) error {
|
|
if ctx.SkipSign {
|
|
return pipeline.ErrSkipSignEnabled
|
|
}
|
|
|
|
switch ctx.Config.Sign.Artifacts {
|
|
case "checksum":
|
|
return sign(ctx, ctx.Artifacts.Filter(artifact.ByType(artifact.Checksum)).List())
|
|
case "all":
|
|
return sign(ctx, ctx.Artifacts.Filter(
|
|
artifact.Or(
|
|
artifact.ByType(artifact.UploadableArchive),
|
|
artifact.ByType(artifact.UploadableBinary),
|
|
artifact.ByType(artifact.Checksum),
|
|
artifact.ByType(artifact.LinuxPackage),
|
|
)).List())
|
|
case "none":
|
|
return pipeline.ErrSkipSignEnabled
|
|
default:
|
|
return fmt.Errorf("invalid list of artifacts to sign: %s", ctx.Config.Sign.Artifacts)
|
|
}
|
|
}
|
|
|
|
func sign(ctx *context.Context, artifacts []artifact.Artifact) error {
|
|
// nolint:prealloc
|
|
var sigs []string
|
|
for _, a := range artifacts {
|
|
sig, err := signone(ctx, a)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
sigs = append(sigs, sig)
|
|
}
|
|
for _, sig := range sigs {
|
|
ctx.Artifacts.Add(artifact.Artifact{
|
|
Type: artifact.Signature,
|
|
Name: sig,
|
|
Path: filepath.Join(ctx.Config.Dist, sig),
|
|
})
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func signone(ctx *context.Context, artifact artifact.Artifact) (string, error) {
|
|
cfg := ctx.Config.Sign
|
|
|
|
env := map[string]string{
|
|
"artifact": artifact.Path,
|
|
}
|
|
env["signature"] = expand(cfg.Signature, env)
|
|
|
|
// nolint:prealloc
|
|
var args []string
|
|
for _, a := range cfg.Args {
|
|
args = append(args, expand(a, env))
|
|
}
|
|
|
|
// The GoASTScanner flags this as a security risk.
|
|
// However, this works as intended. The nosec annotation
|
|
// tells the scanner to ignore this.
|
|
// #nosec
|
|
cmd := exec.CommandContext(ctx, cfg.Cmd, args...)
|
|
output, err := cmd.CombinedOutput()
|
|
if err != nil {
|
|
return "", fmt.Errorf("sign: %s failed with %q", cfg.Cmd, string(output))
|
|
}
|
|
return filepath.Base(env["signature"]), nil
|
|
}
|
|
|
|
func expand(s string, env map[string]string) string {
|
|
return os.Expand(s, func(key string) string {
|
|
return env[key]
|
|
})
|
|
}
|