Documentation
¶
Overview ¶
Package signing provides code signing for build artifacts.
Index ¶
- func NotarizeBinaries(ctx context.Context, fs io.Medium, cfg SignConfig, artifacts []Artifact) error
- func SignBinaries(ctx context.Context, fs io.Medium, cfg SignConfig, artifacts []Artifact) error
- func SignChecksums(ctx context.Context, fs io.Medium, cfg SignConfig, checksumFile string) error
- type Artifact
- type GPGConfig
- type GPGSigner
- type MacOSConfig
- type MacOSSigner
- type SignConfig
- type Signer
- type WindowsConfig
- type WindowsSigner
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NotarizeBinaries ¶
func NotarizeBinaries(ctx context.Context, fs io.Medium, cfg SignConfig, artifacts []Artifact) error
NotarizeBinaries notarizes macOS binaries if enabled.
func SignBinaries ¶
SignBinaries signs macOS binaries in the artifacts list. Only signs darwin binaries when running on macOS with a configured identity.
func SignChecksums ¶
SignChecksums signs the checksums file with GPG.
Types ¶
type Artifact ¶
Artifact represents a build output that can be signed. This mirrors build.Artifact to avoid import cycles.
type GPGConfig ¶
type GPGConfig struct {
Key string `yaml:"key"` // Key ID or fingerprint, supports $ENV
}
GPGConfig holds GPG signing configuration.
type GPGSigner ¶
type GPGSigner struct {
KeyID string
}
GPGSigner signs files using GPG.
func NewGPGSigner ¶
NewGPGSigner creates a new GPG signer.
type MacOSConfig ¶
type MacOSConfig struct {
Identity string `yaml:"identity"` // Developer ID Application: ...
Notarize bool `yaml:"notarize"` // Submit to Apple for notarization
AppleID string `yaml:"apple_id"` // Apple account email
TeamID string `yaml:"team_id"` // Team ID
AppPassword string `yaml:"app_password"` // App-specific password
}
MacOSConfig holds macOS codesign configuration.
type MacOSSigner ¶
type MacOSSigner struct {
// contains filtered or unexported fields
}
MacOSSigner signs binaries using macOS codesign.
func NewMacOSSigner ¶
func NewMacOSSigner(cfg MacOSConfig) *MacOSSigner
NewMacOSSigner creates a new macOS signer.
func (*MacOSSigner) Available ¶
func (s *MacOSSigner) Available() bool
Available checks if running on macOS with codesign and identity configured.
func (*MacOSSigner) Notarize ¶
Notarize submits binary to Apple for notarization and staples the ticket. This blocks until Apple responds (typically 1-5 minutes).
func (*MacOSSigner) ShouldNotarize ¶
func (s *MacOSSigner) ShouldNotarize() bool
ShouldNotarize returns true if notarization is enabled.
type SignConfig ¶
type SignConfig struct {
Enabled bool `yaml:"enabled"`
GPG GPGConfig `yaml:"gpg,omitempty"`
MacOS MacOSConfig `yaml:"macos,omitempty"`
Windows WindowsConfig `yaml:"windows,omitempty"`
}
SignConfig holds signing configuration from .core/build.yaml.
func DefaultSignConfig ¶
func DefaultSignConfig() SignConfig
DefaultSignConfig returns sensible defaults.
func (*SignConfig) ExpandEnv ¶
func (c *SignConfig) ExpandEnv()
ExpandEnv expands environment variables in config values.
type Signer ¶
type Signer interface {
// Name returns the signer's identifier.
Name() string
// Available checks if this signer can be used.
Available() bool
// Sign signs the artifact at the given path.
Sign(ctx context.Context, fs io.Medium, path string) error
}
Signer defines the interface for code signing implementations.
type WindowsConfig ¶
type WindowsConfig struct {
Certificate string `yaml:"certificate"` // Path to .pfx
Password string `yaml:"password"` // Certificate password
}
WindowsConfig holds Windows signtool configuration (placeholder).
type WindowsSigner ¶
type WindowsSigner struct {
// contains filtered or unexported fields
}
WindowsSigner signs binaries using Windows signtool (placeholder).
func NewWindowsSigner ¶
func NewWindowsSigner(cfg WindowsConfig) *WindowsSigner
NewWindowsSigner creates a new Windows signer.
func (*WindowsSigner) Available ¶
func (s *WindowsSigner) Available() bool
Available returns false (not yet implemented).
Source Files