signing

package
v0.0.8 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 3, 2026 License: EUPL-1.2 Imports: 6 Imported by: 0

Documentation

Overview

Package signing provides code signing for build artifacts.

Constants

This section is empty.

Variables

This section is empty.

Functions

func NotarizeBinaries

func NotarizeBinaries(ctx context.Context, cfg SignConfig, artifacts []Artifact) error

NotarizeBinaries notarizes macOS binaries if enabled.

func SignBinaries

func SignBinaries(ctx context.Context, cfg SignConfig, artifacts []Artifact) error

SignBinaries signs macOS binaries in the artifacts list. It only signs darwin binaries, and only when running on macOS with a configured identity.

func SignChecksums

func SignChecksums(ctx context.Context, cfg SignConfig, checksumFile string) error

SignChecksums signs the checksums file with GPG.

Types

type Artifact

type Artifact struct {
	Path string
	OS   string
	Arch string
}

Artifact represents a build output that can be signed. This mirrors build.Artifact to avoid import cycles.

type GPGConfig

type GPGConfig struct {
	Key string `yaml:"key"` // Key ID or fingerprint, supports $ENV
}

GPGConfig holds GPG signing configuration.

type GPGSigner

type GPGSigner struct {
	KeyID string
}

GPGSigner signs files using GPG.

func NewGPGSigner

func NewGPGSigner(keyID string) *GPGSigner

NewGPGSigner creates a new GPG signer.

func (*GPGSigner) Available

func (s *GPGSigner) Available() bool

Available checks whether gpg is installed and a key is configured.

func (*GPGSigner) Name

func (s *GPGSigner) Name() string

Name returns "gpg".

func (*GPGSigner) Sign

func (s *GPGSigner) Sign(ctx context.Context, file string) error

Sign creates a detached ASCII-armored signature. For file.txt, it creates file.txt.asc.

type MacOSConfig

type MacOSConfig struct {
	Identity    string `yaml:"identity"`     // Developer ID Application: ...
	Notarize    bool   `yaml:"notarize"`     // Submit to Apple for notarization
	AppleID     string `yaml:"apple_id"`     // Apple account email
	TeamID      string `yaml:"team_id"`      // Team ID
	AppPassword string `yaml:"app_password"` // App-specific password
}

MacOSConfig holds macOS codesign configuration.

type MacOSSigner

type MacOSSigner struct {
	// contains filtered or unexported fields
}

MacOSSigner signs binaries using macOS codesign.

func NewMacOSSigner

func NewMacOSSigner(cfg MacOSConfig) *MacOSSigner

NewMacOSSigner creates a new macOS signer.

func (*MacOSSigner) Available

func (s *MacOSSigner) Available() bool

Available checks whether it is running on macOS with codesign and an identity configured.

func (*MacOSSigner) Name

func (s *MacOSSigner) Name() string

Name returns "codesign".

func (*MacOSSigner) Notarize

func (s *MacOSSigner) Notarize(ctx context.Context, binary string) error

Notarize submits the binary to Apple for notarization and staples the ticket. This blocks until Apple responds (typically 1-5 minutes).

func (*MacOSSigner) ShouldNotarize

func (s *MacOSSigner) ShouldNotarize() bool

ShouldNotarize returns true if notarization is enabled.

func (*MacOSSigner) Sign

func (s *MacOSSigner) Sign(ctx context.Context, binary string) error

Sign codesigns a binary with hardened runtime.

type SignConfig

type SignConfig struct {
	Enabled bool          `yaml:"enabled"`
	GPG     GPGConfig     `yaml:"gpg,omitempty"`
	MacOS   MacOSConfig   `yaml:"macos,omitempty"`
	Windows WindowsConfig `yaml:"windows,omitempty"`
}

SignConfig holds signing configuration from .core/build.yaml.

func DefaultSignConfig

func DefaultSignConfig() SignConfig

DefaultSignConfig returns sensible defaults.

func (*SignConfig) ExpandEnv

func (c *SignConfig) ExpandEnv()

ExpandEnv expands environment variables in config values.

type Signer

type Signer interface {
	// Name returns the signer's identifier.
	Name() string
	// Available checks if this signer can be used.
	Available() bool
	// Sign signs the artifact at the given path.
	Sign(ctx context.Context, path string) error
}

Signer defines the interface for code signing implementations.

type WindowsConfig

type WindowsConfig struct {
	Certificate string `yaml:"certificate"` // Path to .pfx
	Password    string `yaml:"password"`    // Certificate password
}

WindowsConfig holds Windows signtool configuration (placeholder).

type WindowsSigner

type WindowsSigner struct {
	// contains filtered or unexported fields
}

WindowsSigner signs binaries using Windows signtool (placeholder).

func NewWindowsSigner

func NewWindowsSigner(cfg WindowsConfig) *WindowsSigner

NewWindowsSigner creates a new Windows signer.

func (*WindowsSigner) Available

func (s *WindowsSigner) Available() bool

Available returns false (not yet implemented).

func (*WindowsSigner) Name

func (s *WindowsSigner) Name() string

Name returns "signtool".

func (*WindowsSigner) Sign

func (s *WindowsSigner) Sign(ctx context.Context, binary string) error

Sign is a placeholder that does nothing.
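
Available() reports whether a signer can be used, and WindowsSigner.Available returns false in this version, so a caller that skips unavailable signers can ship an unsigned artifact without any error. The following is an added example, not code from this package: a caller-side wrapper that records which signers actually ran and fails closed when a required one was skipped. SignAll, stubSigner and ErrUnsigned are hypothetical names, and the Signer interface is redeclared locally.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Signer repeats the method set documented on this page, so no import is needed.
type Signer interface {
	Name() string
	Available() bool
	Sign(ctx context.Context, path string) error
}

// stubSigner is a constructed stand-in for a real signer; it signs nothing.
type stubSigner struct {
	name string
	ok   bool
}

func (s *stubSigner) Name() string                       { return s.name }
func (s *stubSigner) Available() bool                    { return s.ok }
func (s *stubSigner) Sign(context.Context, string) error { return nil }

// ErrUnsigned marks a required signer that reported itself unavailable.
var ErrUnsigned = errors.New("required signer unavailable")

// SignAll (hypothetical) runs each available signer on path and returns the
// names that ran. An unavailable signer named in required aborts with an error.
func SignAll(ctx context.Context, path string, signers []Signer, required map[string]bool) ([]string, error) {
	var used []string
	for _, s := range signers {
		switch {
		case s.Available():
			if err := s.Sign(ctx, path); err != nil {
				return used, fmt.Errorf("%s: %w", s.Name(), err)
			}
			used = append(used, s.Name())
		case required[s.Name()]:
			return used, fmt.Errorf("%w: %s (%s)", ErrUnsigned, s.Name(), path)
		}
	}
	return used, nil
}

func main() {
	signers := []Signer{&stubSigner{"gpg", true}, &stubSigner{"signtool", false}}
	fmt.Println(SignAll(context.Background(), "dist/app.exe", signers, map[string]bool{"signtool": true}))
}
```

The returned name list is what a release gate should compare against the signatures it expects for each artifact.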
