Problems with signing artifacts in-place #1802
Comments
hmm, those all seem valid bugs, yes, thanks for reporting. The root cause, though, will be eventually fixed in goreleaser/nfpm#212
So the issues here are:
problem 2 is a little bit trickier to solve, and I'm not sure we should. in any case, we need to port the new nfpm options to goreleaser (signing), and it will solve both problems in this particular case at least. #1829

2 is also an issue for cmd: gon. If it is possible to skip the checksum file uploading, that would be great.

problem 1 should be fixed on v0.166.0, can you try?
you can disable the checksum stuff with

```yaml
checksum:
  disable: true
```
I'm trying to create a signing pipeline that will use `rpm --addsign` to sign RPM packages in-place. There are 2 problems:

1. `rpm --addsign` command for all RPMs (which is correct), but also for the `checksums` file (which is unexpected and RPM fails to sign). If I remove 'ids' it will attempt to invoke the script on RPM, DEB, ZIP, TAR.GZ and checksums file (which I think is the correct behavior in terms of file selection).

   Q: why does selecting `rpm-packages` also include checksums?

2. `sign-checksum` runs before/in parallel to the first pipeline, but because files are being modified in-place, the checksums file it signs is no longer valid.

   Q: Is there a way to have checksums (re)generated after signing other artifacts and just before signing the actual checksums file?

I was able to work around those issues by using a somewhat ugly script: https://github.com/kopia/kopia/blob/master/tools/sign.sh which ignores some files passed to it and regenerates checksums just before signing them. I don't know if this is intentional or by accident, but the checksums file is always passed last to the signing script, otherwise it would not work.
Please advise, I really hope there's a cleaner way to achieve signing in place without jumping through so many hoops.
(the full YAML file (with the workaround described) is in https://github.com/kopia/kopia/blob/master/.goreleaser.yml)
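
An added example (not kopia's `sign.sh` and not GoReleaser code) of the workaround described in the issue above: sign RPMs in place, skip other artifacts, and re-hash the checksums file just before signing it. It assumes the script is called once per artifact, a `sha256sum`-format file whose name ends in `checksums.txt`, GNU coreutils, and the hypothetical override variables `RPM_SIGN_CMD` and `DETACH_SIGN_CMD`.

```shell
#!/bin/sh
# Added example: per-artifact signing wrapper for in-place RPM signing.
# Assumed: called with one artifact path; checksums file is sha256sum format.
# RPM_SIGN_CMD / DETACH_SIGN_CMD are hypothetical override hooks.
: "${RPM_SIGN_CMD:=rpm --addsign}"
: "${DETACH_SIGN_CMD:=gpg --batch --yes --detach-sign}"

# Re-hash every file listed in the checksums file as it exists on disk now.
regenerate_checksums() {
    sums=$1
    dir=$(dirname "$sums")
    tmp=$(mktemp "$dir/.sums.XXXXXX") || return 1
    # The second column of the existing file is the list of artifacts.
    ( cd "$dir" && while read -r old name; do
          name=${name#\*}              # drop sha256sum's binary-mode marker
          [ -n "$name" ] || continue
          sha256sum -- "$name" || exit 1
      done < "$(basename "$sums")" ) > "$tmp" || { rm -f "$tmp"; return 1; }
    # Replace the stale file only after every artifact hashed successfully.
    mv "$tmp" "$sums"
}

sign_artifact() {
    case "$1" in
        *.rpm)
            # Rewrites the package: hashes taken before this point are stale.
            $RPM_SIGN_CMD "$1" ;;
        *checksums.txt)
            # Must run after all in-place signing has finished.
            regenerate_checksums "$1" && $DETACH_SIGN_CMD "$1" ;;
        *)
            # DEB, ZIP, TAR.GZ and so on: not handled here, leave untouched.
            return 0 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    sign_artifact "$1"
fi
```

The result is only correct when the checksums file is processed after every package, which is the ordering the issue author observed but could not confirm as intentional.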