goreleaser · caarlos0 · Jun 26, 2023 · Jun 23, 2023 · Jun 23, 2023 · Jun 23, 2023
diff --git a/acceptance_test.go b/acceptance_test.go
@@ -261,18 +261,17 @@ func TestDebSpecific(t *testing.T) {
 
 func TestRPMSign(t *testing.T) {
 	t.Parallel()
-	for _, os := range []string{"centos9", "centos8", "fedora34", "fedora36"} {
+	for _, os := range []string{"centos9", "centos8", "fedora34", "fedora36", "fedora38"} {
 		os := os
 		t.Run(fmt.Sprintf("rpm/amd64/sign/%s", os), func(t *testing.T) {
 			t.Parallel()
-			target := "signed"
 			accept(t, acceptParms{
 				Name:   fmt.Sprintf("sign_%s_amd64", os),
 				Conf:   "core.signed.yaml",
 				Format: "rpm",
 				Docker: dockerParams{
 					File:   fmt.Sprintf("rpm_%s.dockerfile", os),
-					Target: target,
+					Target: "signed",
 					Arch:   "amd64",
 				},
 			})

diff --git a/go.mod b/go.mod
@@ -2,13 +2,11 @@ module github.com/goreleaser/nfpm/v2
 
 go 1.19
 
-// DO NOT UPDATE THIS!! needs to be v0.0.0-20210512092938-c05353c2d58c
-require github.com/ProtonMail/go-crypto v0.0.0-20210512092938-c05353c2d58c
-
 require (
 	github.com/AlekSi/pointer v1.2.0
 	github.com/Masterminds/semver/v3 v3.2.1
-	github.com/ProtonMail/gopenpgp/v2 v2.2.2
+	github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec
+	github.com/ProtonMail/gopenpgp/v2 v2.7.1
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
 	github.com/caarlos0/go-rpmutils v0.2.1-0.20211112020245-2cd62ff89b11
 	github.com/cavaliergopher/cpio v1.0.1
@@ -34,7 +32,8 @@ require (
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/Microsoft/go-winio v0.5.1 // indirect
-	github.com/ProtonMail/go-mime v0.0.0-20190923161245-9b5a4261663a // indirect
+	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
@@ -57,13 +56,12 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/xanzy/ssh-agent v0.3.1 // indirect
 	gitlab.com/digitalxero/go-conventional-commit v1.0.7 // indirect
-	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/crypto v0.7.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/internal/sign/pgp.go b/internal/sign/pgp.go
@@ -16,12 +16,6 @@ import (
 	"github.com/goreleaser/nfpm/v2"
 )
 
-// PGPSigner returns a PGP signer that creates a detached non-ASCII-armored
-// signature and is compatible with rpmpack's signature API.
-func PGPSigner(keyFile, passphrase string) func([]byte) ([]byte, error) {
-	return PGPSignerWithKeyID(keyFile, passphrase, nil)
-}
-
 // PGPSignerWithKeyID returns a PGP signer that creates a detached non-ASCII-armored
 // signature and is compatible with rpmpack's signature API.
 func PGPSignerWithKeyID(keyFile, passphrase string, hexKeyID *string) func([]byte) ([]byte, error) {
@@ -38,11 +32,15 @@ func PGPSignerWithKeyID(keyFile, passphrase string, hexKeyID *string) func([]byt
 
 		var signature bytes.Buffer
 
-		err = openpgp.DetachSign(&signature, key, bytes.NewReader(data), &packet.Config{
-			SigningKeyId: keyID,
-			DefaultHash:  crypto.SHA256,
-		})
-		if err != nil {
+		if err := openpgp.DetachSign(
+			&signature,
+			key,
+			bytes.NewReader(data),
+			&packet.Config{
+				SigningKeyId: keyID,
+				DefaultHash:  crypto.SHA256,
+			},
+		); err != nil {
 			return nil, &nfpm.ErrSigningFailure{Err: err}
 		}
 

diff --git a/internal/sign/pgp_test.go b/internal/sign/pgp_test.go
@@ -102,7 +102,7 @@ func TestArmoredDetachSignAndVerify(t *testing.T) {
 }
 
 func TestPGPSignerError(t *testing.T) {
-	_, err := PGPSigner("/does/not/exist", "")([]byte("data"))
+	_, err := PGPSignerWithKeyID("/does/not/exist", "", nil)([]byte("data"))
 	require.Error(t, err)
 
 	var expectedError *nfpm.ErrSigningFailure

diff --git a/rpm/rpm.go b/rpm/rpm.go
@@ -121,7 +121,11 @@ func (*RPM) Package(info *nfpm.Info, w io.Writer) (err error) {
 	}
 
 	if info.RPM.Signature.KeyFile != "" {
-		rpm.SetPGPSigner(sign.PGPSignerWithKeyID(info.RPM.Signature.KeyFile, info.RPM.Signature.KeyPassphrase, info.RPM.Signature.KeyID))
+		rpm.SetPGPSigner(sign.PGPSignerWithKeyID(
+			info.RPM.Signature.KeyFile,
+			info.RPM.Signature.KeyPassphrase,
+			info.RPM.Signature.KeyID,
+		))
 	}
 
 	if err = createFilesInsideRPM(info, rpm); err != nil {

diff --git a/testdata/acceptance/core.signed.yaml b/testdata/acceptance/core.signed.yaml
@@ -7,8 +7,8 @@ description: This package is signed
 vendor: "FooBarCorp"
 homepage: "http://example.com"
 contents:
-- src: ./testdata/fake
-  dst: /usr/bin/fake
+  - src: ./testdata/fake
+    dst: /usr/bin/fake
 deb:
   signature:
     key_file: ./internal/sign/testdata/privkey_unprotected.asc

diff --git a/testdata/acceptance/rpm_centos8.dockerfile b/testdata/acceptance/rpm_centos8.dockerfile
@@ -1,20 +1,18 @@
 FROM quay.io/centos/centos:stream8 AS test_base
 ARG package
+RUN yum install -y createrepo yum-utils
 RUN echo "${package}"
 COPY ${package} /tmp/foo.rpm
 
-# ---- signed test ----
 FROM test_base AS signed
 COPY keys/pubkey.asc /tmp/pubkey.asc
 RUN rpm --import /tmp/pubkey.asc
 RUN rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
-RUN rpm -K /tmp/foo.rpm
-RUN rpm -K /tmp/foo.rpm | grep -E "(?:pgp|digests signatures) OK"
 RUN rpm -vK /tmp/foo.rpm
 RUN rpm -vK /tmp/foo.rpm | grep "RSA/SHA256 Signature, key ID 15bd80b3: OK"
+RUN rpm -K /tmp/foo.rpm
+RUN rpm -K /tmp/foo.rpm | grep -E "(?:pgp|digests signatures) OK"
 
-# Test with a repo
-RUN yum install -y createrepo yum-utils
 RUN rm -rf /etc/yum.repos.d/*.repo
 COPY keys/test.rpm.repo /etc/yum.repos.d/test.rpm.repo
 RUN createrepo /tmp

diff --git a/testdata/acceptance/rpm_centos9.dockerfile b/testdata/acceptance/rpm_centos9.dockerfile
@@ -1,20 +1,18 @@
 FROM quay.io/centos/centos:stream9 AS test_base
+RUN yum install -y createrepo yum-utils
 ARG package
 RUN echo "${package}"
 COPY ${package} /tmp/foo.rpm
 
-# ---- signed test ----
 FROM test_base AS signed
 COPY keys/pubkey.asc /tmp/pubkey.asc
 RUN rpm --import /tmp/pubkey.asc
 RUN rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
-RUN rpm -K /tmp/foo.rpm
-RUN rpm -K /tmp/foo.rpm | grep -E "(?:pgp|digests signatures) OK"
 RUN rpm -vK /tmp/foo.rpm
 RUN rpm -vK /tmp/foo.rpm | grep "RSA/SHA256 Signature, key ID 15bd80b3: OK"
+RUN rpm -K /tmp/foo.rpm
+RUN rpm -K /tmp/foo.rpm | grep -E "(?:pgp|digests signatures) OK"
 
-# Test with a repo
-RUN yum install -y createrepo yum-utils
 RUN rm -rf /etc/yum.repos.d/*.repo
 COPY keys/test.rpm.repo /etc/yum.repos.d/test.rpm.repo
 RUN createrepo /tmp

diff --git a/testdata/acceptance/rpm_fedora34.dockerfile b/testdata/acceptance/rpm_fedora34.dockerfile
@@ -1,20 +1,18 @@
 FROM fedora:34 AS test_base
+RUN yum install -y createrepo yum-utils
 ARG package
 RUN echo "${package}"
 COPY ${package} /tmp/foo.rpm
 
-# ---- signed test ----
 FROM test_base AS signed
 COPY keys/pubkey.asc /tmp/pubkey.asc
 RUN rpm --import /tmp/pubkey.asc
 RUN rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
-RUN rpm -K /tmp/foo.rpm
-RUN rpm -K /tmp/foo.rpm | grep -E "(?:pgp|digests signatures) OK"
 RUN rpm -vK /tmp/foo.rpm
 RUN rpm -vK /tmp/foo.rpm | grep "RSA/SHA256 Signature, key ID 15bd80b3: OK"
+RUN rpm -K /tmp/foo.rpm
+RUN rpm -K /tmp/foo.rpm | grep -E "(?:pgp|digests signatures) OK"
 
-# Test with a repo
-RUN yum install -y createrepo yum-utils
 RUN rm -rf /etc/yum.repos.d/*.repo
 COPY keys/test.rpm.repo /etc/yum.repos.d/test.rpm.repo
 RUN createrepo /tmp

diff --git a/testdata/acceptance/rpm_fedora36.dockerfile b/testdata/acceptance/rpm_fedora36.dockerfile
@@ -1,20 +1,18 @@
 FROM fedora:36 AS test_base
+RUN yum install -y createrepo yum-utils
 ARG package
 RUN echo "${package}"
 COPY ${package} /tmp/foo.rpm
 
-# ---- signed test ----
 FROM test_base AS signed
 COPY keys/pubkey.asc /tmp/pubkey.asc
 RUN rpm --import /tmp/pubkey.asc
 RUN rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
-RUN rpm -K /tmp/foo.rpm
-RUN rpm -K /tmp/foo.rpm | grep -E "(?:pgp|digests signatures) OK"
 RUN rpm -vK /tmp/foo.rpm
 RUN rpm -vK /tmp/foo.rpm | grep "RSA/SHA256 Signature, key ID 15bd80b3: OK"
+RUN rpm -K /tmp/foo.rpm
+RUN rpm -K /tmp/foo.rpm | grep -E "(?:pgp|digests signatures) OK"
 
-# Test with a repo
-RUN yum install -y createrepo yum-utils
 RUN rm -rf /etc/yum.repos.d/*.repo
 COPY keys/test.rpm.repo /etc/yum.repos.d/test.rpm.repo
 RUN createrepo /tmp

diff --git a/testdata/acceptance/rpm_fedora38.dockerfile b/testdata/acceptance/rpm_fedora38.dockerfile
@@ -0,0 +1,20 @@
+FROM fedora:38 AS test_base
+RUN yum install -y createrepo yum-utils
+ARG package
+RUN echo "${package}"
+COPY ${package} /tmp/foo.rpm
+
+FROM test_base AS signed
+COPY keys/pubkey.asc /tmp/pubkey.asc
+RUN rpm --import /tmp/pubkey.asc
+RUN rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
+RUN rpm -vK /tmp/foo.rpm
+RUN rpm -vK /tmp/foo.rpm | grep "RSA/SHA256 Signature, key ID 15bd80b3: OK"
+RUN rpm -K /tmp/foo.rpm
+RUN rpm -K /tmp/foo.rpm | grep -E "(?:pgp|digests signatures) OK"
+
+RUN rm -rf /etc/yum.repos.d/*.repo
+COPY keys/test.rpm.repo /etc/yum.repos.d/test.rpm.repo
+RUN createrepo /tmp
+RUN yum install -y foo
+