Merge pull request #99 from hashicorp/release-archive-signing

build: Sign archives checksum
hashicorp · May 14, 2020 · 7339e27 · 7339e27
2 parents 3b08916 + e0f01c8
commit 7339e27
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -29,13 +29,17 @@ jobs:
         id: codesign
         env:
           VERSION: v0
+      -
+        name: Import PGP key for archive signing
+        run: echo -e "${{ secrets.PGP_SIGNING_KEY }}" | gpg --import
       -
         name: Release
         uses: goreleaser/goreleaser-action@v1
         with:
           version: latest
-          args: release --skip-sign
+          args: release
         env:
+          PGP_USER_ID: ${{ secrets.PGP_USER_ID }}
           CODESIGN_IMAGE: ${{ steps.codesign.outputs.image }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -50,5 +50,10 @@ checksum:
   name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
   algorithm: sha256
 
+signs:
+  -
+    args: ["-u", "{{ .Env.PGP_USER_ID }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
+    artifacts: checksum
+
 changelog:
   skip: true