Skip to content

feat: sign all macOS and Windows binaries in goreleaser

Stan Hurequested to merge
sh-gorelease-signatures into main

This commit builds on top of !2381 (merged). Ideally we would use goreleaser to build all binaries and extract what we need, but the open source version of goreleaser does not have the ability to split the build, sign, and publishing steps.

For now, we just use Docker-in-Docker to launch a code-signer image to sign both macOS and Windows binaries. That means we have to ensure the container has access to the required environment variables in order to sign the binaries.

Upgrade to code-signer v1.2.1 to obtain some of the improvements for simplifying the signing of binaries.

Related Issues

Relates to #1143 (closed)

How has this been tested?

In 82a9b05a, dropping the --skip=sign allows the signing to work with goreleaser. See https://gitlab.com/gitlab-org/cli/-/jobs/11358119242 for the results.

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation
  • Chore (Related to CI or Packaging to platforms)
  • Test gap
Edited by Timo Furrer

Merge request reports