cmd/dist,release/dist: add distsign signing hooks (#9070)

Add `dist.Signer` hook which can arbitrarily sign linux/synology artifacts. Plumb it through in `cmd/dist` and remove existing tarball signing key. Distsign signing will happen on a remote machine, not using a local key. Updates #755 Updates #8760 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2023-08-24 15:36:47 -06:00
parent dc8287ab3b
commit b42c4e2da1
7 changed files with 62 additions and 49 deletions
--- a/release/dist/unixpkgs/targets.go
+++ b/release/dist/unixpkgs/targets.go
@@ -4,9 +4,7 @@
 package unixpkgs

 import (
-	"crypto"
 	"fmt"
-	"io"
 	"sort"
 	"strings"

@@ -17,8 +15,8 @@ import (
 )

 type Signers struct {
-	Tarball crypto.Signer
-	RPM     func(io.Reader) ([]byte, error)
+	Tarball dist.Signer
+	RPM     dist.Signer
 }

 func Targets(signers Signers) []dist.Target {
@@ -49,7 +47,7 @@ func Targets(signers Signers) []dist.Target {
 				"GOOS":   goos,
 				"GOARCH": goarch,
 			},
-			signFn: signers.RPM,
+			signer: signers.RPM,
 		})
 	}