
Problems with signing artifacts in-place #1802

Closed
jkowalski opened this issue Sep 10, 2020 · 5 comments · Fixed by #2573
Labels
bug Something isn't working hacktoberfest

Comments

@jkowalski

jkowalski commented Sep 10, 2020

I'm trying to create a signing pipeline that will use rpm --addsign to sign RPM packages in-place.

signs:
  - id: sign-rpm-packages
    cmd: rpm
    artifacts: all
    args: ["--addsign", "${artifact}"]
    ids:
    - rpm-packages
  - id: sign-checksum
    artifacts: checksum

There are 2 problems:

  1. Goreleaser appears to invoke the rpm --addsign command for all RPMs (which is correct), but also for the checksums file (which is unexpected and RPM fails to sign). If I remove 'ids' it will attempt to invoke the script on RPM, DEB, ZIP, TAR.GZ and checksums file (which I think is the correct behavior in terms of file selection).

Q: why does selecting rpm-packages also include checksums?

  2. The second pipeline sign-checksum runs before/in parallel to the first pipeline, but because files are being modified in-place, the checksums file it signs is no longer valid.

Q: Is there a way to have checksums (re)generated after signing other artifacts and just before signing the actual checksums file?

I was able to work around those issues by using a somewhat ugly script: https://github.com/kopia/kopia/blob/master/tools/sign.sh which ignores some files passed to it and regenerates checksums just before signing them. I don't know if this is intentional or by accident, but the checksums file is always passed last to the signing script, otherwise it would not work.

Please advise, I really hope there's a cleaner way to achieve signing in place without jumping through so many hoops.

(the full YAML file (with the workaround described) is in https://github.com/kopia/kopia/blob/master/.goreleaser.yml)
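A per-artifact signing hook with the behaviour described above (sign RPMs in place, rebuild the checksums file from the modified artifacts right before signing it, skip everything else), as an added example that is neither kopia's sign.sh nor goreleaser code. It assumes goreleaser calls it once per artifact with the path in $1, that the checksums file name ends in checksums.txt and is passed last, that artifact names contain no spaces, and that the signature command mirrors goreleaser's default gpg invocation.

```shell
#!/bin/sh
# Hypothetical in-place signing hook (example code, not kopia's sign.sh):
# goreleaser invokes it once per artifact, artifact path in $1. RPMs are
# signed in place, the checksums file is rebuilt from the modified
# artifacts right before it is signed, and anything else is skipped.
set -eu

# sha256 of $1 in "hash  name" form; shasum is the fallback for systems
# without coreutils (both tools print the same two-space layout).
sha256_line() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# What the hook should do with an artifact, judged by its file name.
classify() {
  case "$1" in
    *.rpm)          echo sign ;;
    *checksums.txt) echo checksums ;;
    *)              echo skip ;;
  esac
}

# Does the checksums file ($1) still match the bytes of artifact $2 (basename)?
checksum_matches() {
  line=$(cd "$(dirname "$1")" && sha256_line "$2")
  grep -Fxq -- "$line" "$1"
}

# Rewrite the checksums file ($1) by rehashing every artifact it lists; the
# old hashes are discarded, the names are kept (assumes no spaces in names).
regen_checksums() {
  dir=$(dirname "$1"); tmp="$1.tmp"; : > "$tmp"
  while read -r _oldhash name; do
    (cd "$dir" && sha256_line "$name") >> "$tmp"
  done < "$1"
  mv "$tmp" "$1"
}

main() {
  artifact=$1
  case "$(classify "$artifact")" in
    sign)      rpm --addsign "$artifact" ;;                 # modifies the RPM in place
    checksums) regen_checksums "$artifact"                   # relies on this file coming last
               gpg --output "$artifact.sig" --detach-sign "$artifact" ;;
    skip)      echo "skipping $artifact" ;;
  esac
}

if [ -n "${1:-}" ]; then main "$1"; fi
```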

@jkowalski jkowalski added the bug Something isn't working label Sep 10, 2020
@caarlos0
Member

hmm, those all seem valid bugs, yes, thanks for reporting.

The root cause, though, will be eventually fixed in goreleaser/nfpm#212

@caarlos0
Member

caarlos0 commented Oct 1, 2020

So the issues here are:

  1. need to be able to skip checksums from the sign pipe
  2. the problem with the checksums not being re-generated after signing

problem 2 is a little bit trickier to solve, and I'm not sure we should.
problem 1 is a bug indeed.

in any case, we need to port the new nfpm options to goreleaser (signing), and it will solve both problems in this particular case at least. #1829

@NorseGaud

2 is also an issue for cmd: gon. If it is possible to skip the checksum file uploading, that would be great.

@caarlos0
Member

problem 1 should be fixed on v0.166.0, can you try?

@caarlos0
Member

> 2 is also an issue for cmd: gon. If it is possible to skip the checksum file uploading, that would be great.

you can disable the checksum stuff with

checksum:
  disable: true
