From 17e56747cca3e29265ab97b378de93e7091b9aa0 Mon Sep 17 00:00:00 2001
From: Jonathan Lloyd <jonathan@thisisjonathan.com>
Date: Thu, 5 Nov 2020 21:47:55 +0000
Subject: [PATCH] feat: add packager-specific nfpm config (#1849)

* feat: Add deb packager-specific nfpm config (#1829)

* Use env vars containing nfpm ids for deb pgp passphrase

* Add docs for nfpm id in env var

* Custon -> Custom

* Switch test cases

* Forward RPM specific config to nfpm

* Document rpm-specific nfpm config

* Add APK-specific nfpm config

* Document apk-specific nfpm config

* avaiable -> available

* Add deb scripts templates to nfpm config
---
 internal/pipe/nfpm/nfpm.go              |  57 +++++++
 internal/pipe/nfpm/nfpm_test.go         | 214 ++++++++++++++++++++++++
 internal/pipe/nfpm/testdata/privkey.gpg | Bin 0 -> 2932 bytes
 internal/pipe/nfpm/testdata/rsa.priv    |  30 ++++
 pkg/config/config.go                    |  68 ++++++++
 www/docs/customization/nfpm.md          |  77 +++++++++
 6 files changed, 446 insertions(+)
 create mode 100644 internal/pipe/nfpm/testdata/privkey.gpg
 create mode 100644 internal/pipe/nfpm/testdata/rsa.priv

diff --git a/internal/pipe/nfpm/nfpm.go b/internal/pipe/nfpm/nfpm.go
index 7162ef8f75f..c507cafa46f 100644
--- a/internal/pipe/nfpm/nfpm.go
+++ b/internal/pipe/nfpm/nfpm.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/apex/log"
 	"github.com/goreleaser/nfpm"
@@ -173,6 +174,43 @@ func create(ctx *context.Context, fpm config.NFPM, format, arch string, binaries
 				PreRemove:   overridden.Scripts.PreRemove,
 				PostRemove:  overridden.Scripts.PostRemove,
 			},
+			Deb: nfpm.Deb{
+				Scripts: nfpm.DebScripts{
+					Rules:     overridden.Deb.Scripts.Rules,
+					Templates: overridden.Deb.Scripts.Templates,
+				},
+				Triggers: nfpm.DebTriggers{
+					Interest:        overridden.Deb.Triggers.Interest,
+					InterestAwait:   overridden.Deb.Triggers.InterestAwait,
+					InterestNoAwait: overridden.Deb.Triggers.InterestNoAwait,
+					Activate:        overridden.Deb.Triggers.Activate,
+					ActivateAwait:   overridden.Deb.Triggers.ActivateAwait,
+					ActivateNoAwait: overridden.Deb.Triggers.ActivateNoAwait,
+				},
+				Breaks:          overridden.Deb.Breaks,
+				VersionMetadata: overridden.Deb.VersionMetadata,
+				Signature: nfpm.DebSignature{
+					KeyFile:       overridden.Deb.Signature.KeyFile,
+					KeyPassphrase: getPassphraseFromEnv(ctx, "DEB", fpm.ID),
+					Type:          overridden.Deb.Signature.Type,
+				},
+			},
+			RPM: nfpm.RPM{
+				Group:                overridden.RPM.Group,
+				Compression:          overridden.RPM.Compression,
+				ConfigNoReplaceFiles: overridden.RPM.ConfigNoReplaceFiles,
+				Signature: nfpm.RPMSignature{
+					KeyFile:       overridden.RPM.Signature.KeyFile,
+					KeyPassphrase: getPassphraseFromEnv(ctx, "RPM", fpm.ID),
+				},
+			},
+			APK: nfpm.APK{
+				Signature: nfpm.APKSignature{
+					KeyFile:       overridden.APK.Signature.KeyFile,
+					KeyPassphrase: getPassphraseFromEnv(ctx, "APK", fpm.ID),
+					KeyName:       overridden.APK.Signature.KeyName,
+				},
+			},
 		},
 	}
 
@@ -214,3 +252,22 @@ func create(ctx *context.Context, fpm config.NFPM, format, arch string, binaries
 	})
 	return nil
 }
+
+func getPassphraseFromEnv(ctx *context.Context, packager string, nfpmID string) string {
+	var passphrase string
+
+	nfpmID = strings.ToUpper(nfpmID)
+	packagerSpecificPassphrase := ctx.Env[fmt.Sprintf(
+		"NFPM_%s_%s_PASSPHRASE",
+		nfpmID,
+		packager,
+	)]
+	if packagerSpecificPassphrase != "" {
+		passphrase = packagerSpecificPassphrase
+	} else {
+		generalPassphrase := ctx.Env[fmt.Sprintf("NFPM_%s_PASSPHRASE", nfpmID)]
+		passphrase = generalPassphrase
+	}
+
+	return passphrase
+}
diff --git a/internal/pipe/nfpm/nfpm_test.go b/internal/pipe/nfpm/nfpm_test.go
index a6cac11aac2..f99ef426375 100644
--- a/internal/pipe/nfpm/nfpm_test.go
+++ b/internal/pipe/nfpm/nfpm_test.go
@@ -347,6 +347,220 @@ func TestOverrides(t *testing.T) {
 	require.Equal(t, "bar", merged.FileNameTemplate)
 }
 
+func TestDebSpecificConfig(t *testing.T) {
+	folder, err := ioutil.TempDir("", "archivetest")
+	require.NoError(t, err)
+	var dist = filepath.Join(folder, "dist")
+	require.NoError(t, os.Mkdir(dist, 0755))
+	require.NoError(t, os.Mkdir(filepath.Join(dist, "mybin"), 0755))
+	var binPath = filepath.Join(dist, "mybin", "mybin")
+	_, err = os.Create(binPath)
+	require.NoError(t, err)
+	var ctx = context.New(config.Project{
+		ProjectName: "mybin",
+		Dist:        dist,
+		NFPMs: []config.NFPM{
+			{
+				ID:      "someid",
+				Builds:  []string{"default"},
+				Formats: []string{"deb"},
+				NFPMOverridables: config.NFPMOverridables{
+					PackageName: "foo",
+					Files: map[string]string{
+						"./testdata/testfile.txt": "/usr/share/testfile.txt",
+					},
+					Deb: config.NFPMDeb{
+						Signature: config.NFPMDebSignature{
+							KeyFile: "./testdata/privkey.gpg",
+						},
+					},
+				},
+			},
+		},
+	})
+	ctx.Version = "1.0.0"
+	ctx.Git = context.GitInfo{CurrentTag: "v1.0.0"}
+	for _, goos := range []string{"linux", "darwin"} {
+		for _, goarch := range []string{"amd64", "386"} {
+			ctx.Artifacts.Add(&artifact.Artifact{
+				Name:   "mybin",
+				Path:   binPath,
+				Goarch: goarch,
+				Goos:   goos,
+				Type:   artifact.Binary,
+				Extra: map[string]interface{}{
+					"ID": "default",
+				},
+			})
+		}
+	}
+
+	t.Run("no passphrase set", func(t *testing.T) {
+		require.Contains(
+			t,
+			Pipe{}.Run(ctx).Error(),
+			`key is encrypted but no passphrase was provided`,
+		)
+	})
+
+	t.Run("general passphrase set", func(t *testing.T) {
+		ctx.Env = map[string]string{
+			"NFPM_SOMEID_PASSPHRASE": "hunter2",
+		}
+		require.NoError(t, Pipe{}.Run(ctx))
+	})
+
+	t.Run("packager specific passphrase set", func(t *testing.T) {
+		ctx.Env = map[string]string{
+			"NFPM_SOMEID_DEB_PASSPHRASE": "hunter2",
+		}
+		require.NoError(t, Pipe{}.Run(ctx))
+	})
+}
+
+func TestRPMSpecificConfig(t *testing.T) {
+	folder, err := ioutil.TempDir("", "archivetest")
+	require.NoError(t, err)
+	var dist = filepath.Join(folder, "dist")
+	require.NoError(t, os.Mkdir(dist, 0755))
+	require.NoError(t, os.Mkdir(filepath.Join(dist, "mybin"), 0755))
+	var binPath = filepath.Join(dist, "mybin", "mybin")
+	_, err = os.Create(binPath)
+	require.NoError(t, err)
+	var ctx = context.New(config.Project{
+		ProjectName: "mybin",
+		Dist:        dist,
+		NFPMs: []config.NFPM{
+			{
+				ID:      "someid",
+				Builds:  []string{"default"},
+				Formats: []string{"rpm"},
+				NFPMOverridables: config.NFPMOverridables{
+					PackageName: "foo",
+					Files: map[string]string{
+						"./testdata/testfile.txt": "/usr/share/testfile.txt",
+					},
+					RPM: config.NFPMRPM{
+						Signature: config.NFPMRPMSignature{
+							KeyFile: "./testdata/privkey.gpg",
+						},
+					},
+				},
+			},
+		},
+	})
+	ctx.Version = "1.0.0"
+	ctx.Git = context.GitInfo{CurrentTag: "v1.0.0"}
+	for _, goos := range []string{"linux", "darwin"} {
+		for _, goarch := range []string{"amd64", "386"} {
+			ctx.Artifacts.Add(&artifact.Artifact{
+				Name:   "mybin",
+				Path:   binPath,
+				Goarch: goarch,
+				Goos:   goos,
+				Type:   artifact.Binary,
+				Extra: map[string]interface{}{
+					"ID": "default",
+				},
+			})
+		}
+	}
+
+	t.Run("no passphrase set", func(t *testing.T) {
+		require.Contains(
+			t,
+			Pipe{}.Run(ctx).Error(),
+			`key is encrypted but no passphrase was provided`,
+		)
+	})
+
+	t.Run("general passphrase set", func(t *testing.T) {
+		ctx.Env = map[string]string{
+			"NFPM_SOMEID_PASSPHRASE": "hunter2",
+		}
+		require.NoError(t, Pipe{}.Run(ctx))
+	})
+
+	t.Run("packager specific passphrase set", func(t *testing.T) {
+		ctx.Env = map[string]string{
+			"NFPM_SOMEID_RPM_PASSPHRASE": "hunter2",
+		}
+		require.NoError(t, Pipe{}.Run(ctx))
+	})
+}
+
+func TestAPKSpecificConfig(t *testing.T) {
+	folder, err := ioutil.TempDir("", "archivetest")
+	require.NoError(t, err)
+	var dist = filepath.Join(folder, "dist")
+	require.NoError(t, os.Mkdir(dist, 0755))
+	require.NoError(t, os.Mkdir(filepath.Join(dist, "mybin"), 0755))
+	var binPath = filepath.Join(dist, "mybin", "mybin")
+	_, err = os.Create(binPath)
+	require.NoError(t, err)
+	var ctx = context.New(config.Project{
+		ProjectName: "mybin",
+		Dist:        dist,
+		NFPMs: []config.NFPM{
+			{
+				ID:         "someid",
+				Maintainer: "me@me",
+				Builds:     []string{"default"},
+				Formats:    []string{"apk"},
+				NFPMOverridables: config.NFPMOverridables{
+					PackageName: "foo",
+					Files: map[string]string{
+						"./testdata/testfile.txt": "/usr/share/testfile.txt",
+					},
+					APK: config.NFPMAPK{
+						Signature: config.NFPMAPKSignature{
+							KeyFile: "./testdata/rsa.priv",
+						},
+					},
+				},
+			},
+		},
+	})
+	ctx.Version = "1.0.0"
+	ctx.Git = context.GitInfo{CurrentTag: "v1.0.0"}
+	for _, goos := range []string{"linux", "darwin"} {
+		for _, goarch := range []string{"amd64", "386"} {
+			ctx.Artifacts.Add(&artifact.Artifact{
+				Name:   "mybin",
+				Path:   binPath,
+				Goarch: goarch,
+				Goos:   goos,
+				Type:   artifact.Binary,
+				Extra: map[string]interface{}{
+					"ID": "default",
+				},
+			})
+		}
+	}
+
+	t.Run("no passphrase set", func(t *testing.T) {
+		require.Contains(
+			t,
+			Pipe{}.Run(ctx).Error(),
+			`key is encrypted but no passphrase was provided`,
+		)
+	})
+
+	t.Run("general passphrase set", func(t *testing.T) {
+		ctx.Env = map[string]string{
+			"NFPM_SOMEID_PASSPHRASE": "hunter2",
+		}
+		require.NoError(t, Pipe{}.Run(ctx))
+	})
+
+	t.Run("packager specific passphrase set", func(t *testing.T) {
+		ctx.Env = map[string]string{
+			"NFPM_SOMEID_APK_PASSPHRASE": "hunter2",
+		}
+		require.NoError(t, Pipe{}.Run(ctx))
+	})
+}
+
 func TestSeveralNFPMsWithTheSameID(t *testing.T) {
 	var ctx = &context.Context{
 		Config: config.Project{
diff --git a/internal/pipe/nfpm/testdata/privkey.gpg b/internal/pipe/nfpm/testdata/privkey.gpg
new file mode 100644
index 0000000000000000000000000000000000000000..5a657cf10bee7c78d21436c3b73ca89864049b92
GIT binary patch
literal 2932
zcmajfX*d*$9tQB)GDEVAW$e+23?@sC42`8l8H{~TAxd_JkX@D;ktOR1F~&|9YnDv5
z?4ivTj#0@-4B5Gz=RW72kN4aEd7uCL@%^QPdm*=MKOX>L0ICU*yjgQQ)TqtKHa=|=
zB)Dm7<zJ}fOPKyvFdGwSM{XPq&(f2y>aS}~Y<XznIFhrM@m!0mVe*8wXEt??XEJ~C
z+vt~sBOz{M$GQe;u-Soz60Fi4XhzfATV=Sg^QV{DHd?-c{!k-y$1;5zW`{Lal&(cW
zTMoEULxGqxx0S33>#mQYd}cS}x>D_@3x5S?4DDv$!RL>6X^+a=K4DDr3>H8bOrZJ2
zpqp`v`r_OZhfFU}Oxt6jFvecvE+t#36)P|wvXAnOM$hqRV!zr{E{mOC-!deVYr$fd
zU0EEwQ)V2~<5|J=GZ#|AHZ^C;zc5eXHZFun-a*L#xPbuR5fltUG@1&9YB|d<DXKU*
z7xXE`kr3-Nw_v82@7g%lj8i5GD=e>2nrErH@Z))c?Hu`vWr-(xK`I`}uO42T-pEu)
zGm<+-RCVVJUkx!+ju`tY?`b1+Y`(9z0VnYMNq&geMS0P9F6O)+FQ>>>DK~3XE&*b+
zs|cg^$WCF^XQL$xofZD+m;JKJ@%2^O{*Nqd2ggpz^W@y{tR)`6sr<xCT*6E8pIy`&
z#-smep49#B*MH04<Ee33$@!V?i=7n~4|DW%^c-@YYFBxNJj3Eb17va7n?1qr5(LsK
z#8%(wm3S9yC~Ci~N%#;k_pLG$?p|@rQKvY|Dg5Y7-wTyM6YJ&miIe-M92mWo_wDz<
zwMW|~j~PkqMH^~9HI=|^C~^yGFzK@=CrD+uz@9|AGhN#yv^tiOPczA){6=YYD=nM>
zh&@hu6Tx!6#RergG#OjeQ4sXllA=Ug2pqqfn0}1lUPlR-h0>sg_uH>%c#m*n6+Sk8
z`N6wjQa85c{Iqrm^y%D3rt;jjU1on9AXFFc!85D&N{oY6Zgs)GI}V>&<KC<4wL_@b
znLu@$vQAmOo}IU5w&isu`H7#@Q42p^{hd7m7cZ0h>8Ik9!4Efhc*{VABuUdyE&#$w
z@Ot_%YrrD=`T~f?_jSC0?8Vz^=Ey0lcF-Y3>N!XBz*rhOU}x;;Vz($ATi_(@#K;)9
z;Vh*8=SA>}rvh)orRtnP-kfglB!R>y*Y&g40z?(%Yi5zUlJ=L|Q}sLFou!N_eMGUy
zk5R*Qyt5n`6n0%Jv6p?45~=4t5`Gw<No7b9tO+7~6sj_%ypm!g^-Mzosu30wHd9a>
zLw$ORnNSdt7C`!951WPbnU{Tb8K^Rly%x`EoTyJQ;HuQYY_JWn&9rGK=zpr)Xv$lV
zHE6FF_jK|05GOeM5yah`gTyudzO<YJ9X!0<ozYHS9#|sK5W@3&=NI`UAhBNV(J!g=
zw8$ztt&KGNj;}p}dIIz}1R&w_Cr+}$pdc1LHdfe45QHBD27<(ZAVdU!jg{-4=MgFB
zAtJToXub^Xss6d>;mz|wZIHM$ndIShmTLtckBJ#~^q;x3PUX+u7mD8tH+OWVRWy6h
zq~!0QU#_f`+SP{%MH6ja&<!^!?ms32*u6>wJ>-FhVdU(H)2-8|$R|8tk44*kbE{=^
zB#Ll`bl2u9^<w=XEmqM*Uh_jyl7$Gu%}FS?$_IN!^-Sz9tqEz477-~47kuKbNkqh}
zE>ZC9sTah(OUFA*C^pJ^>TA!r@C|%(t+=AV+sMPBI&TrdOcUYOML)XFL?`8y^}ZCb
z7mq85Mm0*YxY~4t=oC8C<|*7)RbsP}EOg(U-mov5qA>BH{sJ~Pq+MZpj*l3G+<)!-
z0o;`lVO;|jy1)LpwFMk-iD;wlKj{{Usp;0)**}XL{L2HGCTdzgH<*<Rpj&1^!!ON|
zKG?@TuT*~vvv;wQP#(>Xcm<}!iQkb>-0IpfHY)b}WYYkMY`zRGHm78WUY_*ggtyo}
zJep52!8{6^lJEb{qCF!l@`jbSa?P?rqd&$H14qW%l$}x3tKWLfwiD#SUMZXP0)>Os
zqLrGKuVYh`*K#N-v2jU#!kI!d2Ht6TQ@WakoXF|ZQ}7@;$3Fsc=007v5j&r9t`+?l
z_ldRn&rO4Z1r&R^lwBgUjyI0Z3%*{*+nj04mw~s&fJINcn0_Qaz>X;q0C=AN*{LN-
zj}B6%o>(%yB|0sR)gN6+;#kK`vp$jZe0+5Gw!E@iq72+Ynx<T1%&?QW-@;uiHnF^X
z%S?fB-PX4%wG_;Ru(+<d(l?80I9z=Wn$9fmoPVOC$Ids!ezM>dUzL1C`LP$B>s9|S
z8NQwCA^g5VYFq|b15e>Lldi98L+UsSKkY3I6Wvr}_&0BNUH?Vps+xTU2n4Ap^5)-*
zzNnu4;1>3aYt7L7iqUtW9%KFeqeA<kQ%JWPo%VhHO0-aBJ<@m}#eOGHbbGj5cCn<F
ze>KzfmrN0XO6k={ZKT{u?e!Bh2Oy=(b-5=IHBt8v0j95FE;*nzwlK$wbo5IeoPQb@
z0rVl?c$->1OEDNyy+#Pcq+uSYM+$NjkzgonVCjZp%h)hmFPqaRYgG1hB3o<JWh`V3
zLmXY?s_=Srw8=<#)h2Ou@=Sc1Zu$am)atl|!sjh|_Fi3Adb-ip6!#F<G@vL<MJ`|@
zq`BEZf|H=wR7+ChsMc9``4(6xLMc{F*pn0Q3@-i(1Lgv*^pK2!{Ib+)mTtpLnn_h9
zfM{3Tx#7exnvkgC*Tu+WB(srsES$K9ODF>x@pGV?B|flWLocMGeu{$>Vh`hbd%h1J
zWc@yxao>Sc!)$D~3&gHXYt)oAm|GPRsJU^`Ont`Vr>n|KsgR<4?z9KTvi`g9zasEn
zgXT9eI-Bx*JY<E?DHn&6HY5nX`N{im{hsC&x2d`M8s|V$l`CH}h6cd>w-e|q+?43p
zNX6M|;;2(nOlQcc9(2x*5;R;TdBQO1ZVU_LX_GmcD8zKH;dH3+6-+$O<$H;r8I{X3
zUpoK#K(r~6H6v>uaTWNryixzpnT;r&q}&gy^W4cVeBifT+}{l6_jb#B-oWOV2v`hj
zGI>aOCsWa$Z|$RrAa{tsZyCk^kBn%b*1rOF62u{bze}ROONg#UCpv^WsGuw@l$D%p
zu#bL2`Y)${oB2;N76Aj~P7<8(2e_@CgC1`;r0G-ZMB^fDa`29M2pCrOnn$5N`HM91
z1Ixb0HTYXIm7u$MoQBaU`?i5SG4{{=4?!0m->ZG{Ud6W2np(E7jMz=pa=a%&3TMM9
zkF<B)WR!M{pqC4f2%kgz#s=@4=JPD4$x0zo#m^9jyJ}3mS~E$dfi$akDRw4^2>+(=
zl&TR-u?1ztR$$gjc(-03wZ5X8miTrq^R5s^R-irL#iOFL;uU#<2iPgHy36~5Lyzs|
zuyGwR?G`-8h3m?y9I<lqwTqc$Ie@m3iGz&ucAIRr4T6!GNh+!<R_AxsKeEgvg<qK6
z*vF|!Uv==lKfN0D;4=(B`G(%X3Uav*K99{}=ylp#sod=%W%a$Oi^@r+WpY~BSQu+8
zO7&NyRwEk~2m2dS_LAV~qZlY6c=t4O<P6@S%w3n(7T@Gt=?l?meJc=Mk^I_FBXX(o
z1KQU&pcV(G?oL`b2DgI>hfc6V8|FK<vf3Uixp6x4%S!l8FJZV)A{+*#oaJ4*HjW(^
zMl=#Hk$>Lc$3uK>09|inXRXF>C)_fVqKy5jc)Ea!orL;r73xKR3uN7}bRUNa0oBp1
z+lqP0IQVB1fWQCCPQt{)=fX?K&A6dY#<NMG%?I8c-`}rltkrj-K93vGSIOX9><)8e
P)Z9u+{jTl@R;B*{b(MFe

literal 0
HcmV?d00001

diff --git a/internal/pipe/nfpm/testdata/rsa.priv b/internal/pipe/nfpm/testdata/rsa.priv
new file mode 100644
index 00000000000..6c15579ca2a
--- /dev/null
+++ b/internal/pipe/nfpm/testdata/rsa.priv
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F681796F2F5F6592720D154E441631AF
+
+U4aCJ0bGTN+/l162THI8CQdVmn62QX7+CxGOrxz8vbPOcMic8ppBD/h4lcUmca1L
+B3q9gBV+nM4KWOUjKDsmXJ7PeHrQJxR30RbGKGOP8WZSlf7oqICHX9WfjzsaLmMC
+zr7z7osO4DhW0nkr+CJATplKxjF5kry2jsBohmG7AJKVB6JRenpyz/icLrwfeywo
+dM1aZEw2Tm6Aso+un+rdmRxvYG5SEVLVh5M334MvOwhKHNGGfNOUJG38uym/sYXM
+WbBRyOUhQXabbuHlJdr5V7mnxm+KLi+hZQAIoRsFTS7tkIUpFjtvCS0RI0L6MtkL
+3N76xiW82n3SxrPdZdJCGy9AWor66QTmr25yTZpUJMYqpHaXc2pKqZOWZ/U0bAbA
+Oyf/CCTwI9lLT1a+CtGTHYTXHHKhQ9n1TI2FI4DRhnDcdDix2S/shF8aeu7mcKF1
+SqS8r+DTKzmbohUVa0/Ad9Z6R8Q1Ed+fl2/l0/eb3tI7c7hH+AxV+AqSAgLsZ1/T
+SQoIjUX4Kna0U2wLi7wEWlwrQQE2lugoJ2tOH6F33tEd4FFh4CjTw4LKKFEIgjPj
+yNKJ5CC+5jQPdyN/utR6Q+PNlxnT5jU02dAupdGfS/On2ecONmBKFCHHT+Sh3F21
+Q8zKZPKTUgIqG8JrjIaO1akjJqGgr6c0kefVTYpHEH3HNNkqUvzywIMR7IooPJrD
+XQYLMgTuE4ccJk7JN5OCHlSkTHPcrkuD6rRmi7v9zIOMEmwfkN0Ea3HgNJ/7W8gL
+mnv47HtwEuuXpyhyQ5xpaJcNWfSaUvSHBr33Ni8rDL2iJu22zEeZXlOU1t4h7wCA
+VGd3GBk4n5PILABwILDWKP16bvB3I491QK6m7LehawJNMGDC4Yk379Havcl6BzSX
+Rs6NOFcAGyM0VS97HYj3ju7fecdvFwmd86CA92CoK6JbafsQ6o/sOZOhxnrg6nLu
+bS26TPwLoqNHrAzg2vTLosbiG3ezge7VuL2GBbQcZm4SsotNLbfpZIhn3JV9/Ivg
+rkiUNOEExd52+VImeAJ15Pl6lOb2uAdXwZNsPXfBbanfc5qoggJJlU/xCnQyrPNW
+xCi2y3+SQjjlEqdoQbmEEHrU4zzOSj505qDz/Md18W/aih5n1VdzI7Z1YeMAzlpe
+X7cGHrQD83AsAtWWv5af5qkHCRYn3fQDGf4svJprsbYxz7e8oAoyjXpKPVbfZcfk
+hqlR0T7yN91upFwHhq8q3ZY/CLsZbLecT28M3G7NgE+LtrF0bKcPrDfOCeWyyVBN
+wtxPB0P62Nr4jHs5GVO5D1qyCiDMLsS3mwSz3IZn2xf0pit7+O2uu5yIUeGhUN8k
+1Y4RwZyGf1e5y7Ulhb5OAbeDYtUTnvgWOqwj5grmACQhhWmKiXX6qUHHn54xyC9P
+Yn5f0jdGGVRKINgA+KsipDs3OjMY0D9Dyx3ao646wX+1ypNkUq+hZhykuKlTgqi6
+29LdVwXTbcYjc25hbIj9TrXZS7swmwtUhpLwtFyjqrCSMjHW6f6n27Vq8cvL788L
+7SbWmpZlxaZA2lj3yjjYnY2bSQBfmA45fF7tBZfHq/ObWFbpvCOU5LMwKjffoPpC
+-----END RSA PRIVATE KEY-----
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 7959f299e23..8fb2a9b40d0 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -323,6 +323,71 @@ type NFPMScripts struct {
 	PostRemove  string `yaml:"postremove,omitempty"`
 }
 
+type NFPMRPMSignature struct {
+	// PGP secret key, can be ASCII-armored
+	KeyFile       string `yaml:"key_file,omitempty"`
+	KeyPassphrase string `yaml:"-"` // populated from environment variable
+}
+
+// NFPMRPM is custom configs that are only available on RPM packages.
+type NFPMRPM struct {
+	Group       string `yaml:"group,omitempty"`
+	Compression string `yaml:"compression,omitempty"`
+	// https://www.cl.cam.ac.uk/~jw35/docs/rpm_config.html
+	ConfigNoReplaceFiles map[string]string `yaml:"config_noreplace_files,omitempty"`
+	Signature            NFPMRPMSignature  `yaml:"signature,omitempty"`
+}
+
+// NFPMDebScripts is scripts only available on deb packages.
+type NFPMDebScripts struct {
+	Rules     string `yaml:"rules,omitempty"`
+	Templates string `yaml:"templates,omitempty"`
+}
+
+// NFPMDebTriggers contains triggers only available for deb packages.
+// https://wiki.debian.org/DpkgTriggers
+// https://man7.org/linux/man-pages/man5/deb-triggers.5.html
+type NFPMDebTriggers struct {
+	Interest        []string `yaml:"interest,omitempty"`
+	InterestAwait   []string `yaml:"interest_await,omitempty"`
+	InterestNoAwait []string `yaml:"interest_noawait,omitempty"`
+	Activate        []string `yaml:"activate,omitempty"`
+	ActivateAwait   []string `yaml:"activate_await,omitempty"`
+	ActivateNoAwait []string `yaml:"activate_noawait,omitempty"`
+}
+
+// NFPMDebSignature contains config for signing deb packages created by nfpm.
+type NFPMDebSignature struct {
+	// PGP secret key, can be ASCII-armored
+	KeyFile       string `yaml:"key_file,omitempty"`
+	KeyPassphrase string `yaml:"-"` // populated from environment variable
+	// origin, maint or archive (defaults to origin)
+	Type string `yaml:"type,omitempty"`
+}
+
+// NFPMDeb is custom configs that are only available on deb packages.
+type NFPMDeb struct {
+	Scripts         NFPMDebScripts   `yaml:"scripts,omitempty"`
+	Triggers        NFPMDebTriggers  `yaml:"triggers,omitempty"`
+	Breaks          []string         `yaml:"breaks,omitempty"`
+	VersionMetadata string           `yaml:"metadata,omitempty"` // Deprecated: Moved to Info
+	Signature       NFPMDebSignature `yaml:"signature,omitempty"`
+}
+
+// NFPMAPKSignature contains config for signing apk packages created by nfpm.
+type NFPMAPKSignature struct {
+	// RSA private key in PEM format
+	KeyFile       string `yaml:"key_file,omitempty"`
+	KeyPassphrase string `yaml:"-"` // populated from environment variable
+	// defaults to <maintainer email>.rsa.pub
+	KeyName string `yaml:"key_name,omitempty"`
+}
+
+// NFPMAPK is custom config only available on apk packages.
+type NFPMAPK struct {
+	Signature NFPMAPKSignature `yaml:"signature,omitempty"`
+}
+
 // NFPMOverridables is used to specify per package format settings.
 type NFPMOverridables struct {
 	FileNameTemplate string            `yaml:"file_name_template,omitempty"`
@@ -338,6 +403,9 @@ type NFPMOverridables struct {
 	Files            map[string]string `yaml:",omitempty"`
 	ConfigFiles      map[string]string `yaml:"config_files,omitempty"`
 	Scripts          NFPMScripts       `yaml:"scripts,omitempty"`
+	RPM              NFPMRPM           `yaml:"rpm,omitempty"`
+	Deb              NFPMDeb           `yaml:"deb,omitempty"`
+	APK              NFPMAPK           `yaml:"apk,omitempty"`
 }
 
 // Sign config.
diff --git a/www/docs/customization/nfpm.md b/www/docs/customization/nfpm.md
index f72ae1349d3..a906f6198b3 100644
--- a/www/docs/customization/nfpm.md
+++ b/www/docs/customization/nfpm.md
@@ -156,6 +156,83 @@ nfpms:
           "tmp/app_generated.conf": "/etc/app-rpm.conf"
         scripts:
           preinstall: "scripts/preinstall-rpm.sh"
+
+    # Custon configuration applied only to the RPM packager.
+    rpm:
+      # The package group. This option is deprecated by most distros
+      # but required by old distros like CentOS 5 / EL 5 and earlier.
+      group: Unspecified
+
+      # Compression algorithm.
+      compression: lzma
+
+      # These config files will not be replaced by new versions if they were
+      # changed by the user. Corresponds to %config(noreplace).
+      config_noreplace_files:
+        path/to/local/bar.con: /etc/bar.conf
+
+      # The package is signed if a key_file is set
+      signature:
+        # PGP secret key (can also be ASCII-armored). The passphrase is taken
+        # from the environment variable $NFPM_ID_RPM_PASSPHRASE with a fallback
+        # to $NFPM_ID_PASSPHRASE, where ID is the id of the current nfpm config.
+        # The id will be transformed to uppercase.
+        # E.g. If your nfpm id is 'default' then the rpm-specific passphrase
+        # should be set as $NFPM_DEFAULT_RPM_PASSPHRASE
+        key_file: key.gpg
+
+    # Custom configuration applied only to the Deb packager.
+    deb:
+      # Custom deb rules script.
+      scripts:
+        rules: foo.sh
+        # Deb templates file, when using debconf.
+        templates: templates
+
+      # Custom deb triggers
+      triggers:
+        # register interrest on a trigger activated by another package
+        # (also available: interest_await, interest_noawait)
+        interest:
+          - some-trigger-name
+        # activate a trigger for another package
+        # (also available: activate_await, activate_noawait)
+        activate:
+          - another-trigger-name
+
+      # Packages which would break if this package would be installed.
+      # The installation of this package is blocked if `some-package`
+      # is already installed.
+      breaks:
+        - some-package
+
+      # The package is signed if a key_file is set
+      signature:
+        # PGP secret key (can also be ASCII-armored). The passphrase is taken
+        # from the environment variable $NFPM_ID_DEB_PASSPHRASE with a fallback
+        # to $NFPM_ID_PASSPHRASE, where ID is the id of the current nfpm config.
+        # The id will be transformed to uppercase.
+        # E.g. If your nfpm id is 'default' then the deb-specific passphrase
+        # should be set as $NFPM_DEFAULT_DEB_PASSPHRASE
+        key_file: key.gpg
+        # The type describes the signers role, possible values are "origin",
+        # "maint" and "archive". If unset, the type defaults to "origin".
+        type: origin
+
+    apk:
+      # The package is signed if a key_file is set
+      signature:
+        # RSA private key in the PEM format. The passphrase is taken
+        # from the environment variable $NFPM_ID_APK_PASSPHRASE with a fallback
+        # to $NFPM_ID_PASSPHRASE, where ID is the id of the current nfpm config.
+        # The id will be transformed to uppercase.
+        # E.g. If your nfpm id is 'default' then the deb-specific passphrase
+        # should be set as $NFPM_DEFAULT_APK_PASSPHRASE
+        key_file: key.gpg
+        # The name of the signing key. When verifying a package, the signature
+        # is matched to the public key store in /etc/apk/keys/<key_name>.rsa.pub.
+        # If unset, it defaults to the maintainer email address.
+        key_name: origin
 ```
 
 !!! tip