cmd/dist,release/dist: add distsign signing hooks (#9070)

Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-08-22 19:09:58 +00:00 · 2023-08-24 15:36:47 -06:00
parent dc8287ab3b
commit b42c4e2da1
7 changed files with 62 additions and 49 deletions
--- a/release/dist/dist.go
+++ b/release/dist/dist.go
@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
+	"io"
 	"log"
 	"os"
 	"os/exec"
@@ -29,6 +30,27 @@ type Target interface {
 	Build(build *Build) ([]string, error)
 }

+// Signer is pluggable signer for a Target.
+type Signer func(io.Reader) ([]byte, error)
+
+// SignFile signs the file at filePath with s and writes the signature to
+// sigPath.
+func (s Signer) SignFile(filePath, sigPath string) error {
+	f, err := os.Open(filePath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	sig, err := s(f)
+	if err != nil {
+		return err
+	}
+	if err := f.Close(); err != nil {
+		return err
+	}
+	return os.WriteFile(sigPath, sig, 0644)
+}
+
 // A Build is a build context for Targets.
 type Build struct {
 	// Repo is a path to the root Go module for the build.