From 322c5d5c2f7736e5d5def2fd5ee6fc0dfc168aa7 Mon Sep 17 00:00:00 2001
From: Jonathan Lloyd
Date: Sun, 25 Oct 2020 20:00:51 +0000
Subject: [PATCH] Use env vars containing nfpm ids for deb pgp passphrase
---
 internal/pipe/nfpm/nfpm.go | 22 +++++++++-
 internal/pipe/nfpm/nfpm_test.go | 71 +++++++++++++++++++++++++++++++++
 pkg/config/config.go | 22 ----------
 3 files changed, 92 insertions(+), 23 deletions(-)
diff --git a/internal/pipe/nfpm/nfpm.go b/internal/pipe/nfpm/nfpm.go
index 93190557a29e..b50442852fe4 100644
--- a/internal/pipe/nfpm/nfpm.go
+++ b/internal/pipe/nfpm/nfpm.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "os"
 "path/filepath"
+ "strings"
 
 "github.com/apex/log"
 "github.com/goreleaser/nfpm"
@@ -189,7 +190,7 @@ func create(ctx *context.Context, fpm config.NFPM, format, arch string, binaries
 VersionMetadata: overridden.Deb.VersionMetadata,
 Signature: nfpm.DebSignature{
 KeyFile: overridden.Deb.Signature.KeyFile,
- KeyPassphrase: overridden.Deb.Signature.KeyPassphrase,
+ KeyPassphrase: getPassphraseFromEnv(ctx, "DEB", fpm.ID),
 Type: overridden.Deb.Signature.Type,
 },
 },
@@ -234,3 +235,22 @@ func create(ctx *context.Context, fpm config.NFPM, format, arch string, binaries
 })
 return nil
 }
+
+func getPassphraseFromEnv(ctx *context.Context, packager string, nfpmID string) string {
+ var passphrase string
+
+ nfpmID = strings.ToUpper(nfpmID)
+ packagerSpecificPassphrase := ctx.Env[fmt.Sprintf(
+ "NFPM_%s_%s_PASSPHRASE",
+ nfpmID,
+ packager,
+ )]
+ if packagerSpecificPassphrase != "" {
+ passphrase = packagerSpecificPassphrase
+ } else {
+ generalPassphrase := ctx.Env[fmt.Sprintf("NFPM_%s_PASSPHRASE", nfpmID)]
+ passphrase = generalPassphrase
+ }
+
+ return passphrase
+}
diff --git a/internal/pipe/nfpm/nfpm_test.go b/internal/pipe/nfpm/nfpm_test.go
index a6cac11aac25..aa43dd36520b 100644
--- a/internal/pipe/nfpm/nfpm_test.go
+++ b/internal/pipe/nfpm/nfpm_test.go
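Review bot: `getPassphraseFromEnv` (last hunk of nfpm.go) builds the variable name from `strings.ToUpper(nfpmID)` without normalising it, so if an nfpm id may contain characters that are not valid in environment variable names (a hyphen or a dot, for example) the resulting name cannot be exported from most shells and the lookup quietly returns an empty passphrase. Mapping such characters first, e.g. `nfpmID = strings.ToUpper(strings.NewReplacer("-", "_", ".", "_").Replace(nfpmID))`, and logging at debug level which variable names were tried (never the value) when both are unset would make a misnamed variable diagnosable from the build log. The function also has no doc comment; `// getPassphraseFromEnv returns NFPM_<ID>_<PACKAGER>_PASSPHRASE from ctx.Env, falling back to NFPM_<ID>_PASSPHRASE; it returns "" when neither is set.` would record the precedence that the call site in the second hunk relies on. The `passphrase` temporary and the `else` branch can go: return the packager-specific value when it is non-empty and `ctx.Env[fmt.Sprintf("NFPM_%s_PASSPHRASE", nfpmID)]` otherwise.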
@@ -347,6 +347,77 @@ func TestOverrides(t *testing.T) {
 require.Equal(t, "bar", merged.FileNameTemplate)
 }
 
+func TestDebSpecificConfig(t *testing.T) {
+ folder, err := ioutil.TempDir("", "archivetest")
+ require.NoError(t, err)
+ var dist = filepath.Join(folder, "dist")
+ require.NoError(t, os.Mkdir(dist, 0755))
+ require.NoError(t, os.Mkdir(filepath.Join(dist, "mybin"), 0755))
+ var binPath = filepath.Join(dist, "mybin", "mybin")
+ _, err = os.Create(binPath)
+ require.NoError(t, err)
+ var ctx = context.New(config.Project{
+ ProjectName: "mybin",
+ Dist: dist,
+ NFPMs: []config.NFPM{
+ {
+ ID: "someid",
+ Builds: []string{"default"},
+ Formats: []string{"deb"},
+ NFPMOverridables: config.NFPMOverridables{
+ PackageName: "foo",
+ Files: map[string]string{
+ "./testdata/testfile.txt": "/usr/share/testfile.txt",
+ },
+ Deb: config.NFPMDeb{
+ Signature: config.NFPMDebSignature{
+ KeyFile: "./testdata/privkey.gpg",
+ },
+ },
+ },
+ },
+ },
+ })
+ ctx.Version = "1.0.0"
+ ctx.Git = context.GitInfo{CurrentTag: "v1.0.0"}
+ for _, goos := range []string{"linux", "darwin"} {
+ for _, goarch := range []string{"amd64", "386"} {
+ ctx.Artifacts.Add(&artifact.Artifact{
+ Name: "mybin",
+ Path: binPath,
+ Goarch: goarch,
+ Goos: goos,
+ Type: artifact.Binary,
+ Extra: map[string]interface{}{
+ "ID": "default",
+ },
+ })
+ }
+ }
+
+ t.Run("no passphrase set", func(t *testing.T) {
+ require.Contains(
+ t,
+ Pipe{}.Run(ctx).Error(),
+ `key is encrypted but no passphrase was provided`,
+ )
+ })
+
+ t.Run("general passphrase set", func(t *testing.T) {
+ ctx.Env = map[string]string{
+ "NFPM_SOMEID_DEB_PASSPHRASE": "hunter2",
+ }
+ require.NoError(t, Pipe{}.Run(ctx))
+ })
+
+ t.Run("packager specific passphrase set", func(t *testing.T) {
+ ctx.Env = map[string]string{
+ "NFPM_SOMEID_PASSPHRASE": "hunter2",
+ }
+ require.NoError(t, Pipe{}.Run(ctx))
+ })
+}
+
 func TestSeveralNFPMsWithTheSameID(t *testing.T) {
 var ctx = &context.Context{
 Config: config.Project{
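Review bot: The two passing subtests in `TestDebSpecificConfig` are labelled the wrong way round: "general passphrase set" exports `NFPM_SOMEID_DEB_PASSPHRASE`, which is the packager-specific name, while "packager specific passphrase set" exports `NFPM_SOMEID_PASSPHRASE`; swap either the names or the keys. No case sets both variables with different values, so the precedence of the packager-specific variable over the general one is never exercised; a case with a wrong value in `NFPM_SOMEID_PASSPHRASE` and the right one in `NFPM_SOMEID_DEB_PASSPHRASE` would pin it. In "no passphrase set", `Pipe{}.Run(ctx).Error()` panics on a nil error instead of failing the assertion, so prefer `err := Pipe{}.Run(ctx)` followed by `require.Error(t, err)` before inspecting `err.Error()`. The directory from `ioutil.TempDir` is never removed and the handle returned by `os.Create(binPath)` is discarded without being closed.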
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 499a2578f867..0d9c296603d2 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -349,28 +349,6 @@ type NFPMDebSignature struct {
 Type string `yaml:"type,omitempty"`
 }
 
-// type alias to prevent stack overflowing in the custom unmarshaler.
-type nfpmDebSignature NFPMDebSignature
-
-func (nds *NFPMDebSignature) UnmarshalYAML(unmarshal func(interface{}) error) error {
- var sig nfpmDebSignature
- if err := unmarshal(&sig); err != nil {
- return err
- }
-
- debPassphrase := os.Getenv("NFPM_DEB_PASSPHRASE")
- if debPassphrase != "" {
- sig.KeyPassphrase = debPassphrase
- } else {
- generalPassphrase := os.Getenv("NFPM_PASSPHRASE")
- sig.KeyPassphrase = generalPassphrase
- }
-
- *nds = NFPMDebSignature(sig)
-
- return nil
-}
-
 // NFPMDeb is custom configs that are only available on deb packages.
 type NFPMDeb struct {
 Scripts NFPMDebScripts `yaml:"scripts,omitempty"`