diff --git a/internal/pipe/sign/sign.go b/internal/pipe/sign/sign.go
index 0bfa07b4584..bffba548479 100644
--- a/internal/pipe/sign/sign.go
+++ b/internal/pipe/sign/sign.go
@@ -12,8 +12,10 @@ import (
 "github.com/goreleaser/goreleaser/internal/logext"
 "github.com/goreleaser/goreleaser/internal/pipe"
 "github.com/goreleaser/goreleaser/internal/semerrgroup"
+ "github.com/goreleaser/goreleaser/internal/tmpl"
 "github.com/goreleaser/goreleaser/pkg/config"
 "github.com/goreleaser/goreleaser/pkg/context"
+ "github.com/pkg/errors"
 )
 // Pipe for artifact signing.
@@ -106,7 +108,12 @@ func signone(ctx *context.Context, cfg config.Sign, a *artifact.Artifact) (*arti
 // nolint:prealloc
 var args []string
 for _, a := range cfg.Args {
- args = append(args, expand(a, env))
+ var arg = expand(a, env)
+ arg, err := tmpl.New(ctx).WithEnv(env).Apply(arg)
+ if err != nil {
+ return nil, errors.Wrapf(err, "sign failed: %s: invalid template", a)
+ }
+ args = append(args, arg)
 }
 // The GoASTScanner flags this as a security risk.
diff --git a/internal/pipe/sign/sign_test.go b/internal/pipe/sign/sign_test.go
index e69498d4651..046adaea31e 100644
--- a/internal/pipe/sign/sign_test.go
+++ b/internal/pipe/sign/sign_test.go
@@ -101,6 +101,24 @@ func TestSignArtifacts(t *testing.T) {
 },
 ),
 },
+ {
+ desc: "invalid args template",
+ expectedErrMsg: `sign failed: ${FOO}-{{ .foo }{{}}{: invalid template: template: tmpl:1: unexpected "}" in operand`,
+ ctx: context.New(
+ config.Project{
+ Signs: []config.Sign{
+ {
+ Artifacts: "all",
+ Cmd: "exit",
+ Args: []string{"${FOO}-{{ .foo }{{}}{"},
+ },
+ },
+ Env: []string{
+ "FOO=BAR",
+ },
+ },
+ ),
+ },
 {
 desc: "sign single",
 ctx: context.New(
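Review bot: In the `signone` hunk the template is applied to the output of `expand(a, env)`, so whatever `expand` substitutes into the argument is parsed as template source together with the configured text. If, as the `${artifact}` and `${signature}` placeholders in the docs suggest, those values are file paths and names, a name containing `{{` would either fail the signing step or be evaluated as a template action with access to `.Env`. Rendering the configured string first and expanding afterwards keeps substituted values as plain data: `arg, err := tmpl.New(ctx).WithEnv(env).Apply(a)` followed by `args = append(args, expand(arg, env))`. The loop variable `a` also shadows the `a *artifact.Artifact` parameter, which makes the `Wrapf` argument easy to misread; a name such as `raw` would help. The body of `signone` starts and ends outside the hunk.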
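Review bot: The `expectedErrMsg` of the new "invalid args template" case in `sign_test.go` pins the text/template parser's own wording (`template: tmpl:1: unexpected "}" in operand`), which is not part of this package's contract and may change between Go releases. If the comparison in the test loop (outside this hunk) is an exact match, checking only the part this package produces, `sign failed: ${FOO}-{{ .foo }{{}}{: invalid template`, as a substring would keep the test stable. Because the message echoes the unexpanded argument, the case also does not show whether `${FOO}` is substituted before the template is parsed.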
@@ -226,6 +244,31 @@ func TestSignArtifacts(t *testing.T) {
 signaturePaths: []string{"artifact1.sig", "artifact2.sig", "artifact3.sig", "checksum.sig", "checksum2.sig", "linux_amd64/artifact4.sig"},
 signatureNames: []string{"artifact1.sig", "artifact2.sig", "artifact3_1.0.0_linux_amd64.sig", "checksum.sig", "checksum2.sig", "artifact4_1.0.0_linux_amd64.sig"},
 },
+ {
+ desc: "sign all artifacts with template",
+ ctx: context.New(
+ config.Project{
+ Signs: []config.Sign{
+ {
+ Artifacts: "all",
+ Args: []string{
+ "-u",
+ "{{ .Env.SOME_TEST_USER }}",
+ "--output",
+ "${signature}",
+ "--detach-sign",
+ "${artifact}",
+ },
+ },
+ },
+ Env: []string{
+ fmt.Sprintf("SOME_TEST_USER=%s", user),
+ },
+ },
+ ),
+ signaturePaths: []string{"artifact1.sig", "artifact2.sig", "artifact3.sig", "checksum.sig", "checksum2.sig", "linux_amd64/artifact4.sig"},
+ signatureNames: []string{"artifact1.sig", "artifact2.sig", "artifact3_1.0.0_linux_amd64.sig", "checksum.sig", "checksum2.sig", "artifact4_1.0.0_linux_amd64.sig"},
+ },
 }
 for _, test := range tests {
diff --git a/www/content/sign.md b/www/content/sign.md
index e114d379ac5..d0147f2f24b 100644
--- a/www/content/sign.md
+++ b/www/content/sign.md
@@ -47,13 +47,13 @@ signs:
 # defaults to `gpg`
 cmd: gpg2
- # command line arguments for the command
+ # command line templateable arguments for the command
 #
 # to sign with a specific key use
 # args: ["-u", "", "--output", "${signature}", "--detach-sign", "${artifact}"]
 #
 # defaults to `["--output", "${signature}", "--detach-sign", "${artifact}"]`
- args: ["--output", "${signature}", "${artifact}"]
+ args: ["--output", "${signature}", "${artifact}", "{{ .ProjectName }}"]
 # which artifacts to sign