feat: templateable nfpm key files

internal/pipe/nfpm/nfpm.go

@@ -140,6 +140,21 @@ func create(ctx *context.Context, fpm config.NFPM, format, arch string, binaries
 		return err
 	}
 
+	debKeyFile, err := tmpl.Apply(overridden.Deb.Signature.KeyFile)
+	if err != nil {
+		return err
+	}
+
+	rpmKeyFile, err := tmpl.Apply(overridden.RPM.Signature.KeyFile)
+	if err != nil {
+		return err
+	}
+
+	apkKeyFile, err := tmpl.Apply(overridden.APK.Signature.KeyFile)
+	if err != nil {
+		return err
+	}
+
 	contents := files.Contents{}
 	for _, content := range overridden.Contents {
 		src, err := tmpl.Apply(content.Source)
@@ -221,7 +236,7 @@ func create(ctx *context.Context, fpm config.NFPM, format, arch string, binaries
 				Breaks: overridden.Deb.Breaks,
 				Signature: nfpm.DebSignature{
 					PackageSignature: nfpm.PackageSignature{
-						KeyFile:       overridden.Deb.Signature.KeyFile,
+						KeyFile:       debKeyFile,
 						KeyPassphrase: getPassphraseFromEnv(ctx, "DEB", fpm.ID),
 					},
 					Type: overridden.Deb.Signature.Type,
@@ -233,7 +248,7 @@ func create(ctx *context.Context, fpm config.NFPM, format, arch string, binaries
 				Compression: overridden.RPM.Compression,
 				Signature: nfpm.RPMSignature{
 					PackageSignature: nfpm.PackageSignature{
-						KeyFile:       overridden.RPM.Signature.KeyFile,
+						KeyFile:       rpmKeyFile,
 						KeyPassphrase: getPassphraseFromEnv(ctx, "RPM", fpm.ID),
 					},
 				},
@@ -245,7 +260,7 @@ func create(ctx *context.Context, fpm config.NFPM, format, arch string, binaries
 			APK: nfpm.APK{
 				Signature: nfpm.APKSignature{
 					PackageSignature: nfpm.PackageSignature{
-						KeyFile:       overridden.APK.Signature.KeyFile,
+						KeyFile:       apkKeyFile,
 						KeyPassphrase: getPassphraseFromEnv(ctx, "APK", fpm.ID),
 					},
 					KeyName: overridden.APK.Signature.KeyName,

internal/pipe/nfpm/nfpm_test.go

@@ -189,7 +189,7 @@ func TestRunPipe(t *testing.T) {
 	require.Len(t, ctx.Config.NFPMs[0].Contents, 5, "should not modify the config file list")
 }
 
-func TestInvalidNameTemplate(t *testing.T) {
+func TestInvalidTemplate(t *testing.T) {
 	makeCtx := func() *context.Context {
 		ctx := &context.Context{
 			Version:     "1.2.3",
@@ -261,6 +261,24 @@ func TestInvalidNameTemplate(t *testing.T) {
 		ctx.Config.NFPMs[0].Homepage = "{{ .NOPE_HOMEPAGE }}"
 		require.Contains(t, Pipe{}.Run(ctx).Error(), `template: tmpl:1:3: executing "tmpl" at <.NOPE_HOMEPAGE>: map has no entry for key "NOPE_HOMEPAGE"`)
 	})
+
+	t.Run("deb key file", func(t *testing.T) {
+		ctx := makeCtx()
+		ctx.Config.NFPMs[0].Deb.Signature.KeyFile = "{{ .NOPE_KEY_FILE }}"
+		require.Contains(t, Pipe{}.Run(ctx).Error(), `template: tmpl:1:3: executing "tmpl" at <.NOPE_KEY_FILE>: map has no entry for key "NOPE_KEY_FILE"`)
+	})
+
+	t.Run("rpm key file", func(t *testing.T) {
+		ctx := makeCtx()
+		ctx.Config.NFPMs[0].RPM.Signature.KeyFile = "{{ .NOPE_KEY_FILE }}"
+		require.Contains(t, Pipe{}.Run(ctx).Error(), `template: tmpl:1:3: executing "tmpl" at <.NOPE_KEY_FILE>: map has no entry for key "NOPE_KEY_FILE"`)
+	})
+
+	t.Run("apk key file", func(t *testing.T) {
+		ctx := makeCtx()
+		ctx.Config.NFPMs[0].APK.Signature.KeyFile = "{{ .NOPE_KEY_FILE }}"
+		require.Contains(t, Pipe{}.Run(ctx).Error(), `template: tmpl:1:3: executing "tmpl" at <.NOPE_KEY_FILE>: map has no entry for key "NOPE_KEY_FILE"`)
+	})
 }
 
 func TestRunPipeInvalidContentsSourceTemplate(t *testing.T) {

www/docs/customization/nfpm.md

@@ -270,13 +270,14 @@ nfpms:
 
       # The package is signed if a key_file is set
       signature:
-        # PGP secret key (can also be ASCII-armored). The passphrase is taken
-        # from the environment variable $NFPM_ID_RPM_PASSPHRASE with a fallback
-        # to $NFPM_ID_PASSPHRASE, where ID is the id of the current nfpm config.
+        # Template to the PGP secret key file path (can also be ASCII-armored).
+        # The passphrase is taken from the environment variable
+        # `$NFPM_ID_RPM_PASSPHRASE` with a fallback to `$NFPM_ID_PASSPHRASE`,
+        # where ID is the id of the current nfpm config.
         # The id will be transformed to uppercase.
         # E.g. If your nfpm id is 'default' then the rpm-specific passphrase
-        # should be set as $NFPM_DEFAULT_RPM_PASSPHRASE
-        key_file: key.gpg
+        # should be set as `$NFPM_DEFAULT_RPM_PASSPHRASE`
+        key_file: '{{ .Env.GPG_KEY_PATH }}'
 
     # Custom configuration applied only to the Deb packager.
     deb:
@@ -306,13 +307,15 @@ nfpms:
 
       # The package is signed if a key_file is set
       signature:
-        # PGP secret key (can also be ASCII-armored). The passphrase is taken
-        # from the environment variable $NFPM_ID_DEB_PASSPHRASE with a fallback
-        # to $NFPM_ID_PASSPHRASE, where ID is the id of the current nfpm config.
+        # Template to the PGP secret key file path (can also be ASCII-armored).
+        # The passphrase is taken from the environment variable
+        # `$NFPM_ID_DEB_PASSPHRASE` with a fallback to `$NFPM_ID_PASSPHRASE`,
+        # where ID is the id of the current nfpm config.
         # The id will be transformed to uppercase.
         # E.g. If your nfpm id is 'default' then the deb-specific passphrase
-        # should be set as $NFPM_DEFAULT_DEB_PASSPHRASE
-        key_file: key.gpg
+        # should be set as `$NFPM_DEFAULT_DEB_PASSPHRASE`
+        key_file: '{{ .Env.GPG_KEY_PATH }}'
+
         # The type describes the signers role, possible values are "origin",
         # "maint" and "archive". If unset, the type defaults to "origin".
         type: origin
@@ -327,13 +330,16 @@ nfpms:
 
       # The package is signed if a key_file is set
       signature:
-        # RSA private key in the PEM format. The passphrase is taken
-        # from the environment variable $NFPM_ID_APK_PASSPHRASE with a fallback
-        # to $NFPM_ID_PASSPHRASE, where ID is the id of the current nfpm config.
+        # Template to the PGP secret key file path (can also be ASCII-armored).
+        # The passphrase is taken from the environment variable
+        # `$NFPM_ID_APK_PASSPHRASE` with a fallback to `$NFPM_ID_PASSPHRASE`,
+        # where ID is the id of the current nfpm config.
         # The id will be transformed to uppercase.
-        # E.g. If your nfpm id is 'default' then the deb-specific passphrase
-        # should be set as $NFPM_DEFAULT_APK_PASSPHRASE
-        key_file: key.gpg
+        # E.g. If your nfpm id is 'default' then the apk-specific passphrase
+        # should be set as `$NFPM_DEFAULT_APK_PASSPHRASE`
+        key_file: '{{ .Env.GPG_KEY_PATH }}'
+
+
         # The name of the signing key. When verifying a package, the signature
         # is matched to the public key store in /etc/apk/keys/<key_name>.rsa.pub.
         # If unset, it defaults to the maintainer email address.