/
sign.go
151 lines (136 loc) · 3.88 KB
/
sign.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
package sign
import (
"fmt"
"os"
"os/exec"
"path/filepath"
"github.com/apex/log"
"github.com/goreleaser/goreleaser/internal/artifact"
"github.com/goreleaser/goreleaser/internal/ids"
"github.com/goreleaser/goreleaser/internal/logext"
"github.com/goreleaser/goreleaser/internal/pipe"
"github.com/goreleaser/goreleaser/internal/semerrgroup"
"github.com/goreleaser/goreleaser/internal/tmpl"
"github.com/goreleaser/goreleaser/pkg/config"
"github.com/goreleaser/goreleaser/pkg/context"
"github.com/pkg/errors"
)
// Pipe for artifact signing.
type Pipe struct{}
func (Pipe) String() string {
return "signing artifacts"
}
// Default sets the Pipes defaults.
func (Pipe) Default(ctx *context.Context) error {
var ids = ids.New("signs")
for i := range ctx.Config.Signs {
cfg := &ctx.Config.Signs[i]
if cfg.Cmd == "" {
cfg.Cmd = "gpg"
}
if cfg.Signature == "" {
cfg.Signature = "${artifact}.sig"
}
if len(cfg.Args) == 0 {
cfg.Args = []string{"--output", "$signature", "--detach-sig", "$artifact"}
}
if cfg.Artifacts == "" {
cfg.Artifacts = "none"
}
if cfg.ID == "" {
cfg.ID = "default"
}
ids.Inc(cfg.ID)
}
return ids.Validate()
}
// Run executes the Pipe.
func (Pipe) Run(ctx *context.Context) error {
if ctx.SkipSign {
return pipe.ErrSkipSignEnabled
}
var g = semerrgroup.New(ctx.Parallelism)
for i := range ctx.Config.Signs {
cfg := ctx.Config.Signs[i]
g.Go(func() error {
var filters []artifact.Filter
switch cfg.Artifacts {
case "checksum":
filters = append(filters, artifact.ByType(artifact.Checksum))
if len(cfg.IDs) > 0 {
log.Warn("when artifacts is `checksum`, `ids` has no effect. ignoring")
}
case "all":
filters = append(filters, artifact.Or(
artifact.ByType(artifact.UploadableArchive),
artifact.ByType(artifact.UploadableBinary),
artifact.ByType(artifact.UploadableSourceArchive),
artifact.ByType(artifact.Checksum),
artifact.ByType(artifact.LinuxPackage),
))
if len(cfg.IDs) > 0 {
filters = append(filters, artifact.ByIDs(cfg.IDs...))
}
case "none":
return pipe.ErrSkipSignEnabled
default:
return fmt.Errorf("invalid list of artifacts to sign: %s", cfg.Artifacts)
}
return sign(ctx, cfg, ctx.Artifacts.Filter(artifact.And(filters...)).List())
})
}
return g.Wait()
}
func sign(ctx *context.Context, cfg config.Sign, artifacts []*artifact.Artifact) error {
for _, a := range artifacts {
artifact, err := signone(ctx, cfg, a)
if err != nil {
return err
}
ctx.Artifacts.Add(artifact)
}
return nil
}
func signone(ctx *context.Context, cfg config.Sign, a *artifact.Artifact) (*artifact.Artifact, error) {
env := ctx.Env.Copy()
env["artifact"] = a.Path
env["signature"] = expand(cfg.Signature, env)
// nolint:prealloc
var args []string
for _, a := range cfg.Args {
var arg = expand(a, env)
arg, err := tmpl.New(ctx).WithEnv(env).Apply(arg)
if err != nil {
return nil, errors.Wrapf(err, "sign failed: %s: invalid template", a)
}
args = append(args, arg)
}
// The GoASTScanner flags this as a security risk.
// However, this works as intended. The nosec annotation
// tells the scanner to ignore this.
// #nosec
cmd := exec.CommandContext(ctx, cfg.Cmd, args...)
cmd.Stderr = logext.NewWriter(log.WithField("cmd", cfg.Cmd))
cmd.Stdout = cmd.Stderr
log.WithField("cmd", cmd.Args).Info("signing")
if err := cmd.Run(); err != nil {
return nil, fmt.Errorf("sign: %s failed", cfg.Cmd)
}
artifactPathBase, _ := filepath.Split(a.Path)
env["artifact"] = a.Name
name := expand(cfg.Signature, env)
sigFilename := filepath.Base(env["signature"])
return &artifact.Artifact{
Type: artifact.Signature,
Name: name,
Path: filepath.Join(artifactPathBase, sigFilename),
Extra: map[string]interface{}{
"ID": cfg.ID,
},
}, nil
}
func expand(s string, env map[string]string) string {
return os.Expand(s, func(key string) string {
return env[key]
})
}