diff --git a/acceptance_test.go b/acceptance_test.go
index 3f1a2fc9..8576e54f 100644
--- a/acceptance_test.go
+++ b/acceptance_test.go
@@ -318,30 +318,25 @@ func TestRPMSign(t *testing.T) {
 func TestDebSign(t *testing.T) {
 t.Parallel()
 for _, arch := range formatArchs["deb"] {
- for _, sigtype := range []string{"dpkg-sig", "debsign"} {
- func(t *testing.T, testSigtype, testArch string) {
- t.Run(fmt.Sprintf("deb/%s/%s", testArch, testSigtype), func(t *testing.T) {
- t.Parallel()
- target := "signed"
- if testSigtype == "dpkg-sig" {
- target = "dpkg-signed"
- }
- if testArch == "ppc64le" && os.Getenv("NO_TEST_PPC64LE") == "true" {
- t.Skip("ppc64le arch not supported in pipeline")
- }
- accept(t, acceptParms{
- Name: fmt.Sprintf("%s_sign_%s", testSigtype, testArch),
- Conf: fmt.Sprintf("deb.%s.sign.yaml", testSigtype),
- Format: "deb",
- Docker: dockerParams{
- File: "deb.dockerfile",
- Target: target,
- Arch: testArch,
- },
- })
+ func(t *testing.T, testArch string) {
+ t.Run(fmt.Sprintf("deb/%s", testArch), func(t *testing.T) {
+ t.Parallel()
+ target := "signed"
+ if testArch == "ppc64le" && os.Getenv("NO_TEST_PPC64LE") == "true" {
+ t.Skip("ppc64le arch not supported in pipeline")
+ }
+ accept(t, acceptParms{
+ Name: "debsign_sign_" + testArch,
+ Conf: "deb.debsign.sign.yaml",
+ Format: "deb",
+ Docker: dockerParams{
+ File: "deb.dockerfile",
+ Target: target,
+ Arch: testArch,
+ },
 })
- }(t, sigtype, arch)
- }
+ })
+ }(t, arch)
 }
 }
diff --git a/nfpm.go b/nfpm.go
index 180c2e16..d957a511 100644
--- a/nfpm.go
+++ b/nfpm.go
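Review bot: In the new TestDebSign body, `target := "signed"` is now a constant that is read exactly once, so the local can be dropped and the field written as `Target: "signed",`. The immediately-invoked `func(t *testing.T, testArch string) {…}(t, arch)` wrapper only exists to copy the loop variable for the parallel subtest; `arch := arch` at the top of the loop body would say the same thing with one less level of nesting (and is unnecessary if the module targets Go 1.22 or later, which the hunk does not show). Because `Conf` and `Name` are now hard-coded, a short comment above the loop such as `// debsign is the only supported deb signing method` would explain why.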
@@ -442,8 +442,8 @@ type Deb struct {
 type DebSignature struct {
 PackageSignature `yaml:",inline" json:",inline"`
- // debsign, or dpkg-sig (defaults to debsign)
- Method string `yaml:"method,omitempty" json:"method,omitempty" jsonschema:"title=method role,enum=debsign,enum=dpkg-sig,default=debsign"`
+ // Only debsign still supported
+ Method string `yaml:"method,omitempty" json:"method,omitempty" jsonschema:"title=method role,enum=debsign,default=debsign"`
 // origin, maint or archive (defaults to origin)
 Type string `yaml:"type,omitempty" json:"type,omitempty" jsonschema:"title=signer role,enum=origin,enum=maint,enum=archive,default=origin"`
 Signer string `yaml:"signer,omitempty" json:"signer,omitempty" jsonschema:"title=signer"`
diff --git a/testdata/acceptance/deb.dockerfile b/testdata/acceptance/deb.dockerfile
index 420c2a41..ed801b6d 100644
--- a/testdata/acceptance/deb.dockerfile
+++ b/testdata/acceptance/deb.dockerfile
@@ -1,4 +1,4 @@
-FROM debian:11 AS test_base
+FROM debian:trixie AS test_base
 ARG package
 RUN echo "${package}"
 COPY ${package} /tmp/foo.deb
@@ -85,14 +85,6 @@ RUN debsig-verify /tmp/foo.deb | grep "debsig: Verified package from 'Test packa
 RUN echo "" > /etc/dpkg/dpkg.cfg
 RUN dpkg -i /tmp/foo.deb
-# ---- signed dpkg-sig test ----
-FROM test_base AS dpkg-signed
-RUN apt update -y
-RUN apt install -y dpkg-sig
-# TODO: we should properly check the signature here, not sure how to do so.
-RUN dpkg-sig --verify /tmp/foo.deb | grep "UNKNOWNSIG _gpgbuilder 15BD80B3"
-RUN dpkg -i /tmp/foo.deb
-
 # ---- overrides test ----
 FROM min AS overrides
 RUN test -e /usr/bin/fake
diff --git a/testdata/acceptance/deb.dpkg-sig.sign.yaml b/testdata/acceptance/deb.dpkg-sig.sign.yaml
deleted file mode 100644
index fefb6928..00000000
--- a/testdata/acceptance/deb.dpkg-sig.sign.yaml
+++ /dev/null
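Review bot: Removing `enum=dpkg-sig` from the jsonschema tag on `Method` only changes schema validation; nothing in this hunk shows what the packager does when an existing config still carries `method: dpkg-sig`. If the signing path does not already do so, it should return an error for any value other than `debsign` (or empty) instead of falling through, so that a build cannot quietly produce an unsigned or differently signed package. The field comment would read better as `// Method is the signing method; only "debsign" is supported ("dpkg-sig" was removed).`. The example in www/docs/configuration.md later in this diff still shows `method: dpkg-sig` and describes the choice as either "dpkg-sig" or "debsign", which contradicts this change. The struct continues outside the hunk.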
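Review bot: `FROM debian:trixie AS test_base` tracks a moving tag, so the dpkg and debsig-verify versions that check the signature in the later stages change whenever the tag is re-pushed, and a signature test result cannot be tied to a known image. Pinning the digest keeps the acceptance run reproducible, for example `FROM debian:trixie@sha256:<digest-placeholder> AS test_base`, with a comment naming the release the digest belongs to.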
@@ -1,15 +0,0 @@
-name: "foo"
-arch: "${BUILD_ARCH}"
-platform: "linux"
-version: "v1.0.0"
-maintainer: "John Doe "
-description: This package is signed
-vendor: "FooBarCorp"
-homepage: "http://example.com"
-contents:
-- src: ./testdata/fake
- dst: /usr/bin/fake
-deb:
- signature:
- method: dpkg-sig
- key_file: ./internal/sign/testdata/privkey_unprotected.asc
diff --git a/www/docs/configuration.md b/www/docs/configuration.md
index b47e16ce..4bc21d5f 100644
--- a/www/docs/configuration.md
+++ b/www/docs/configuration.md
@@ -413,6 +413,7 @@ deb:
 signature:
 # Signature method, either "dpkg-sig" or "debsign".
 # Defaults to "debsign"
+ # "dpkg-sig" is not supported in newer Debian versions.
 method: dpkg-sig
 # PGP secret key (can also be ASCII-armored). The passphrase is taken