# This is an example .goreleaser.yml file with some sane defaults. # Make sure to check the documentation at http://goreleaser.com project_name: step-ca before: hooks: # You may remove this if you don't use go modules. - go mod download builds: - id: step-ca env: - CGO_ENABLED=0 targets: - darwin_amd64 - darwin_arm64 - freebsd_amd64 - linux_386 - linux_amd64 - linux_arm64 - linux_arm_5 - linux_arm_6 - linux_arm_7 - windows_amd64 flags: - -trimpath main: ./cmd/step-ca/main.go binary: step-ca ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} archives: - # Can be used to change the archive formats for specific GOOSs. # Most common use case is to archive as zip on Windows. # Default is empty. name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" format_overrides: - goos: windows format: zip wrap_in_directory: "{{ .ProjectName }}_{{ .Version }}" files: - README.md - LICENSE allow_different_binary_count: true nfpms: # Configure nFPM for .deb and .rpm releases # # See https://nfpm.goreleaser.com/configuration/ # and https://goreleaser.com/customization/nfpm/ # # Useful tools for debugging .debs: # List file contents: dpkg -c dist/step_...deb # Package metadata: dpkg --info dist/step_....deb # - builds: - step-ca package_name: step-ca file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" vendor: Smallstep Labs homepage: https://github.com/smallstep/certificates maintainer: Smallstep description: > step-ca is an online certificate authority for secure, automated certificate management. license: Apache 2.0 section: utils formats: - deb - rpm priority: optional bindir: /usr/bin contents: - src: debian/copyright dst: /usr/share/doc/step-ca/copyright source: enabled: true name_template: '{{ .ProjectName }}_{{ .Version }}' checksum: name_template: 'checksums.txt' extra_files: - glob: ./.releases/* signs: - cmd: cosign signature: "${artifact}.sig" certificate: "${artifact}.pem" args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"] artifacts: all snapshot: name_template: "{{ .Tag }}-next" release: # Repo in which the release will be created. # Default is extracted from the origin remote URL or empty if its private hosted. # Note: it can only be one: either github, gitlab or gitea github: owner: smallstep name: certificates # IDs of the archives to use. # Defaults to all. #ids: # - foo # - bar # If set to true, will not auto-publish the release. # Default is false. draft: false # If set to auto, will mark the release as not ready for production # in case there is an indicator for this in the tag e.g. v1.0.0-rc1 # If set to true, will mark the release as not ready for production. # Default is false. prerelease: auto # You can change the name of the release. # Default is `{{.Tag}}` name_template: "Step CA {{ .Tag }} ({{ .Env.RELEASE_DATE }})" # Header template for the release body. # Defaults to empty. header: | ## Official Release Artifacts #### Linux - 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz) - 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb) #### OSX Darwin - 📦 [step-ca_darwin_{{ .Version }}_amd64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_amd64.tar.gz) - 📦 [step-ca_darwin_{{ .Version }}_arm64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_arm64.tar.gz) #### Windows - 📦 [step-ca_windows_{{ .Version }}_amd64.zip](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip) For more builds across platforms and architectures, see the `Assets` section below. And for packaged versions (Docker, k8s, Homebrew), see our [installation docs](https://smallstep.com/docs/step-ca/installation). Don't see the artifact you need? Open an issue [here](https://github.com/smallstep/certificates/issues/new/choose). ## Signatures and Checksums `step-ca` uses [sigstore/cosign](https://github.com/sigstore/cosign) for signing and verifying release artifacts. Below is an example using `cosign` to verify a release artifact: ``` COSIGN_EXPERIMENTAL=1 cosign verify-blob \ --certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \ --signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \ ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz ``` The `checksums.txt` file (in the `Assets` section below) contains a checksum for every artifact in the release. # Footer template for the release body. # Defaults to empty. footer: | ## Thanks! Those were the changes on {{ .Tag }}! Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes. # You can disable this pipe in order to not upload any artifacts. # Defaults to false. #disable: true # You can add extra pre-existing files to the release. # The filename on the release will be the last part of the path (base). If # another file with the same name exists, the latest one found will be used. # Defaults to empty. extra_files: - glob: ./.releases/* #extra_files: # - glob: ./path/to/file.txt # - glob: ./glob/**/to/**/file/**/* # - glob: ./glob/foo/to/bar/file/foobar/override_from_previous