cmd/dist,release/dist: add distsign signing hooks (#9070)

Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2023-08-24 15:36:47 -06:00
parent dc8287ab3b
commit b42c4e2da1
7 changed files with 62 additions and 49 deletions
--- a/release/dist/unixpkgs/pkgs.go
+++ b/release/dist/unixpkgs/pkgs.go
@@ -7,9 +7,6 @@ package unixpkgs
 import (
 	"archive/tar"
 	"compress/gzip"
-	"crypto"
-	"crypto/rand"
-	"crypto/sha512"
 	"errors"
 	"fmt"
 	"io"
@@ -26,7 +23,7 @@ import (
 type tgzTarget struct {
 	filenameArch string // arch to use in filename instead of deriving from goEnv["GOARCH"]
 	goEnv        map[string]string
-	signer       crypto.Signer
+	signer       dist.Signer
 }

 func (t *tgzTarget) arch() string {
@@ -73,11 +70,7 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
 		return nil, err
 	}
 	defer f.Close()
-	// Hash the final output we're writing to the file, after tar and gzip
-	// writers did their thing.
-	h := sha512.New()
-	hw := io.MultiWriter(f, h)
-	gw := gzip.NewWriter(hw)
+	gw := gzip.NewWriter(f)
 	defer gw.Close()
 	tw := tar.NewWriter(gw)
 	defer tw.Close()
@@ -161,15 +154,11 @@ func (t *tgzTarget) Build(b *dist.Build) ([]string, error) {
 	files := []string{filename}

 	if t.signer != nil {
-		sig, err := t.signer.Sign(rand.Reader, h.Sum(nil), crypto.SHA512)
-		if err != nil {
+		outSig := out + ".sig"
+		if err := t.signer.SignFile(out, outSig); err != nil {
 			return nil, err
 		}
-		sigFilename := out + ".sig"
-		if err := os.WriteFile(sigFilename, sig, 0644); err != nil {
-			return nil, err
-		}
-		files = append(files, filename+".sig")
+		files = append(files, filepath.Base(outSig))
 	}

 	return files, nil
@@ -291,7 +280,7 @@ func (t *debTarget) Build(b *dist.Build) ([]string, error) {

 type rpmTarget struct {
 	goEnv  map[string]string
-	signFn func(io.Reader) ([]byte, error)
+	signer dist.Signer
 }

 func (t *rpmTarget) os() string {
@@ -387,7 +376,7 @@ func (t *rpmTarget) Build(b *dist.Build) ([]string, error) {
 				Group: "Network",
 				Signature: nfpm.RPMSignature{
 					PackageSignature: nfpm.PackageSignature{
-						SignFn: t.signFn,
+						SignFn: t.signer,
 					},
 				},
 			},
--- a/release/dist/unixpkgs/targets.go
+++ b/release/dist/unixpkgs/targets.go
@@ -4,9 +4,7 @@
 package unixpkgs

 import (
-	"crypto"
 	"fmt"
-	"io"
 	"sort"
 	"strings"

@@ -17,8 +15,8 @@ import (
 )

 type Signers struct {
-	Tarball crypto.Signer
-	RPM     func(io.Reader) ([]byte, error)
+	Tarball dist.Signer
+	RPM     dist.Signer
 }

 func Targets(signers Signers) []dist.Target {
@@ -49,7 +47,7 @@ func Targets(signers Signers) []dist.Target {
 				"GOOS":   goos,
 				"GOARCH": goarch,
 			},
-			signFn: signers.RPM,
+			signer: signers.RPM,
 		})
 	}