Update release signing configuration #35
Conversation
| - cmd: signore | ||
| args: ["sign", "--dearmor", "--file", "${artifact}", "--out", "${signature}"] | ||
| artifacts: checksum | ||
| signature: ${artifact}.sig |
There was a problem hiding this comment.
Ehm, I wonder if packer init will work with sig files🤔.
We would need to add a checksummer type here:
There was a problem hiding this comment.
Goreleaser will generate the SHA256SUM checksum file. The signore project will sign the generated SHA256SUM file and create the .sig file, which is binary. The created binary file is the same as if we were using the gpg command except signore is a hosted service for signing.
Looking at the checksum code for Packer init, I see it reads the file and then parses the checksum against the hash for the plugin. If we wanted to check the sig file we would want to include a gpg verify process into the init step. This is not needed at this time. In the future it might be worth looking into.
There was a problem hiding this comment.
Ah, I see, super cool, thanks for the explanation ! LGTM then !!
This PR updates the release signing to use the internal HashiCorp signing service (signore).
Update secrets before merging:
Added SIGNORE_CLIENT_ID
Added SIGNORE_CLIENT_SECRET
Added SIGNORE_SIGNER