Example GoReleaser project demonstrating nfpm package signing.
Generates signed .deb, .rpm, and .apk packages.
- deb/rpm are signed with a passphrase-protected GPG key.
- apk is signed with a passphrase-protected RSA PEM key.
Generate the example keys:

```bash
./scripts/genkeys.sh
```

This creates:

- `gpg.asc` — armored GPG private key with the passphrase `example` (for deb/rpm)
- `apk.rsa` — passphrase-protected RSA private key in PEM format (for apk)
- `apk.rsa.pub` — corresponding public key
You'll need to set the key contents and the password as repository secrets.
In our example, both keys have the same password, so we can:

```bash
gh secret set NFPM_DEFAULT_PASSPHRASE -b example
gh secret set GPG_KEY <./gpg.asc
gh secret set APK_KEY <./apk.rsa
```

To build a local snapshot with the generated keys:

```bash
./scripts/genkeys.sh
NFPM_DEFAULT_PASSPHRASE=example goreleaser r --clean --snapshot
```

Note
If you need a different password for each format, you'll need to set
`NFPM_{FORMAT}_PASSPHRASE` instead.
Tag and push:

```bash
git tag v1.0.0
git push origin v1.0.0
```

The release workflow writes both keys to disk,
which GoReleaser picks up via its configuration.
The GPG passphrase is provided through NFPM_DEFAULT_PASSPHRASE and the APK
key passphrase through NFPM_APK_PASSPHRASE.
Important
You should, of course, use your own keys in production, with a proper password.
GoReleaser resolves the signing passphrase from environment variables in this order:

1. `NFPM_{APK,DEB,RPM}_PASSPHRASE` (format-specific)
2. `NFPM_DEFAULT_PASSPHRASE` (id-specific)
3. `NFPM_PASSPHRASE` (global)

See the nfpm docs for the full configuration reference.
After building, you can verify the packages are signed:

deb (a signed .deb contains a `_gpgorigin` member):

```bash
for f in dist/*.deb; do
  echo "$f:"
  ar t "$f" | grep _gpgorigin
done
```

rpm (`rpm -qpi` prints a `Signature` line; it reads `(none)` for an unsigned package, so check its value rather than just that the line is present):

```bash
docker run --rm -v "$PWD/dist:/dist" fedora:latest bash -c \
  "rpm -qpi /dist/*.rpm | grep -i signature"
```

apk (a signed .apk contains a `.SIGN.RSA.*` entry):

```bash
for f in dist/*.apk; do
  echo "$f:"
  tar -tzf "$f" | grep -i sign
done
```
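The same three presence checks can be run offline, without `ar`, `rpm` or docker on the build host, by reading the package containers directly: a .deb is an `ar` archive, an .apk is a gzip-compressed tar, and an RPM keeps its signatures as tags in the signature header that follows its 96-byte lead. The script below is an added example, not part of this project or of GoReleaser; it assumes package files end in `.deb`, `.apk` or `.rpm`, and the `sample_*` builders at the end construct minimal in-memory packages for demonstration, not real builds. It only reports whether a signature is present; validating the signature itself is still a job for `gpg --verify` or `rpm -K`.

```python
"""Added example, not part of this project: check that built packages carry a
signature by reading the container formats directly (no ar, rpm or docker).
Sample packages at the bottom are constructed in memory for the demo."""
import io
import os
import struct
import tarfile

DEB_SIG_MEMBER = "_gpgorigin"
# RPM signature-header tags that hold a signature (rpm's RPMSIGTAG_* numbers).
RPM_SIG_TAGS = {267: "DSAHEADER", 268: "RSAHEADER", 1002: "PGP", 1005: "GPG"}
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"


def ar_members(data):
    """Member names of an 'ar' archive (the outer container of a .deb)."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    names, pos = [], 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                 # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        names.append(hdr[:16].decode("ascii").rstrip().rstrip("/"))
        size = int(hdr[48:58].decode("ascii").strip())
        pos += 60 + size + (size % 2)            # member data is 2-byte aligned
    return names


def deb_is_signed(data):
    return DEB_SIG_MEMBER in ar_members(data)


def apk_signature_entries(data):
    """Entries named .SIGN.RSA.* (what 'tar -tzf ... | grep -i sign' lists)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        return [n for n in tf.getnames() if n.startswith(".SIGN.RSA.")]


def rpm_signature_tags(data):
    """Names of the signature tags present in the RPM signature header."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file")
    pos = 96                                     # the lead is a fixed 96 bytes
    magic, nindex, _hsize = struct.unpack(">4s4xII", data[pos:pos + 16])
    if magic != RPM_HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    pos += 16
    tags = []
    for i in range(nindex):                      # one 16-byte index entry per tag
        tag = struct.unpack(">IIII", data[pos + 16 * i:pos + 16 * i + 16])[0]
        if tag in RPM_SIG_TAGS:
            tags.append(RPM_SIG_TAGS[tag])
    return tags


def package_is_signed(name, data):
    if name.endswith(".deb"):
        return deb_is_signed(data)
    if name.endswith(".apk"):
        return bool(apk_signature_entries(data))
    if name.endswith(".rpm"):
        return bool(rpm_signature_tags(data))
    raise ValueError("unsupported package type: " + name)


def check_dist(dist_dir):
    """Map each package file under dist_dir to whether it carries a signature."""
    results = {}
    for name in sorted(os.listdir(dist_dir)):
        if name.endswith((".deb", ".apk", ".rpm")):
            with open(os.path.join(dist_dir, name), "rb") as fh:
                results[name] = package_is_signed(name, fh.read())
    return results


# Constructed sample packages for the demo; not real GoReleaser output.
def sample_deb(signed):
    members = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"x"), ("data.tar.gz", b"yy")]
    if signed:
        members.append((DEB_SIG_MEMBER, b"-----BEGIN PGP SIGNATURE-----\n"))
    out = b"!<arch>\n"
    for name, body in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
        out += body + (b"\n" if len(body) % 2 else b"")
    return out


def sample_apk(signed):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for n in ([".SIGN.RSA.apk.rsa.pub"] if signed else []) + [".PKGINFO", "usr/bin/app"]:
            info = tarfile.TarInfo(n)
            info.size = 4
            tf.addfile(info, io.BytesIO(b"data"))
    return buf.getvalue()


def sample_rpm(sig_tags):
    lead = RPM_LEAD_MAGIC + b"\x03\x00" + b"\x00" * 90        # version 3.0, rest zeroed
    entries = b"".join(struct.pack(">IIII", t, 7, 0, 1) for t in sig_tags)
    return lead + RPM_HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(sig_tags), 0) + entries


if __name__ == "__main__":
    import sys
    print(check_dist(sys.argv[1] if len(sys.argv) > 1 else "dist"))
```

Run it as `python3 check_signed.py dist` after a build; any package that maps to `False` was produced without a signature, which is the case to fail a pipeline on. The `.deb` reader handles the short member names a Debian package uses and does not implement GNU ar long-name tables, and the RPM reader only walks the signature header index, so it is cheap enough to run on every artifact.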