goreleaser · caarlos0 · Dec 17, 2023
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -139,6 +139,15 @@ tasks:
       - task: docs:generate
       - "mkdocs build -f www/mkdocs.yml"
 
+  schema:generate:
+    desc: Generate JSONSchema
+    cmds:
+      - go run ./cmd/nfpm/ schema -o ./www/docs/static/schema.json
+    sources:
+      - pkg/config/config.go
+    generates:
+      - ./www/docs/static/schema.json
+
   release:
     desc: Create a new tag
     vars:

diff --git a/acceptance_test.go b/acceptance_test.go
@@ -283,30 +283,25 @@ func TestRPMSign(t *testing.T) {
 func TestDebSign(t *testing.T) {
 	t.Parallel()
 	for _, arch := range formatArchs["deb"] {
-		for _, sigtype := range []string{"dpkg-sig", "debsign"} {
-			func(t *testing.T, testSigtype, testArch string) {
-				t.Run(fmt.Sprintf("deb/%s/%s", testArch, testSigtype), func(t *testing.T) {
-					t.Parallel()
-					target := "signed"
-					if testSigtype == "dpkg-sig" {
-						target = "dpkg-signed"
-					}
-					if testArch == "ppc64le" && os.Getenv("NO_TEST_PPC64LE") == "true" {
-						t.Skip("ppc64le arch not supported in pipeline")
-					}
-					accept(t, acceptParms{
-						Name:   fmt.Sprintf("%s_sign_%s", testSigtype, testArch),
-						Conf:   fmt.Sprintf("deb.%s.sign.yaml", testSigtype),
-						Format: "deb",
-						Docker: dockerParams{
-							File:   "deb.dockerfile",
-							Target: target,
-							Arch:   testArch,
-						},
-					})
+		func(t *testing.T, testArch string) {
+			t.Run(fmt.Sprintf("deb/%s", testArch), func(t *testing.T) {
+				t.Parallel()
+				target := "signed"
+				if testArch == "ppc64le" && os.Getenv("NO_TEST_PPC64LE") == "true" {
+					t.Skip("ppc64le arch not supported in pipeline")
+				}
+				accept(t, acceptParms{
+					Name:   fmt.Sprintf("debsign_sign_%s", testArch),
+					Conf:   fmt.Sprintf("deb.debsign.sign.yaml"),
+					Format: "deb",
+					Docker: dockerParams{
+						File:   "deb.dockerfile",
+						Target: target,
+						Arch:   testArch,
+					},
 				})
-			}(t, sigtype, arch)
-		}
+			})
+		}(t, arch)
 	}
 }
 

diff --git a/deb/deb.go b/deb/deb.go
@@ -7,7 +7,6 @@
 	"bytes"
 	"compress/gzip"
 	"crypto/md5" // nolint:gas
-	"crypto/sha1"
 	"errors"
 	"fmt"
 	"io"
@@ -157,35 +156,12 @@
 func doSign(info *nfpm.Info, debianBinary, controlTarGz, dataTarball []byte) ([]byte, string, error) {
 	switch info.Deb.Signature.Method {
 	case "dpkg-sig":
-		return dpkgSign(info, debianBinary, controlTarGz, dataTarball)
+		return nil, "", fmt.Errorf("this signature type is no longer supported, please use 'debsign' instead")
 	default:
 		return debSign(info, debianBinary, controlTarGz, dataTarball)
 	}
 }
 
-func dpkgSign(info *nfpm.Info, debianBinary, controlTarGz, dataTarball []byte) ([]byte, string, error) {
-	sigType := "builder"
-	if info.Deb.Signature.Type != "" {
-		sigType = info.Deb.Signature.Type
-	}
-
-	data, err := readDpkgSigData(info, debianBinary, controlTarGz, dataTarball)
-	if err != nil {
-		return nil, sigType, &nfpm.ErrSigningFailure{Err: err}
-	}
-
-	var sig []byte
-	if signFn := info.Deb.Signature.SignFn; signFn != nil {
-		sig, err = signFn(data)
-	} else {
-		sig, err = sign.PGPClearSignWithKeyID(data, info.Deb.Signature.KeyFile, info.Deb.Signature.KeyPassphrase, info.Deb.Signature.KeyID)
-	}
-	if err != nil {
-		return nil, sigType, &nfpm.ErrSigningFailure{Err: err}
-	}
-	return sig, sigType, nil
-}
-
 func debSign(info *nfpm.Info, debianBinary, controlTarGz, dataTarball []byte) ([]byte, string, error) {
 	data := readDebsignData(debianBinary, controlTarGz, dataTarball)
 
@@ -218,61 +194,6 @@
 		bytes.NewReader(dataTarball))
 }
 
-// reference: https://manpages.debian.org/jessie/dpkg-sig/dpkg-sig.1.en.html
-const dpkgSigTemplate = `
-Hash: SHA1
-
-Version: 4
-Signer: {{ .Signer }}
-Date: {{ .Date }}
-Role: {{ .Role }}
-Files:
-{{range .Files}}{{ .Md5Sum }} {{ .Sha1Sum }} {{ .Size }} {{ .Name }}{{end}}
-`
-
-type dpkgSigData struct {
-	Signer string
-	Date   time.Time
-	Role   string
-	Files  []dpkgSigFileLine
-	Info   *nfpm.Info
-}
-type dpkgSigFileLine struct {
-	Md5Sum  [16]byte
-	Sha1Sum [20]byte
-	Size    int
-	Name    string
-}
-
-func newDpkgSigFileLine(name string, fileContent []byte) dpkgSigFileLine {
-	return dpkgSigFileLine{
-		Name:    name,
-		Md5Sum:  md5.Sum(fileContent),
-		Sha1Sum: sha1.Sum(fileContent),
-		Size:    len(fileContent),
-	}
-}
-
-func readDpkgSigData(info *nfpm.Info, debianBinary, controlTarGz, dataTarball []byte) (io.Reader, error) {
-	data := dpkgSigData{
-		Signer: info.Deb.Signature.Signer,
-		Date:   info.MTime,
-		Role:   info.Deb.Signature.Type,
-		Files: []dpkgSigFileLine{
-			newDpkgSigFileLine("debian-binary", debianBinary),
-			newDpkgSigFileLine("control.tar.gz", controlTarGz),
-			newDpkgSigFileLine("data.tar.gz", dataTarball),
-		},
-	}
-	temp, _ := template.New("dpkg-sig").Parse(dpkgSigTemplate)
-	buf := &bytes.Buffer{}
-	err := temp.Execute(buf, data)
-	if err != nil {
-		return nil, fmt.Errorf("dpkg-sig template error: %w", err)
-	}
-	return buf, nil
-}
-
 func (*Deb) SetPackagerDefaults(info *nfpm.Info) {
 	// Priority should be set on all packages per:
 	//   https://www.debian.org/doc/debian-policy/ch-archive.html#priorities

diff --git a/deb/deb_test.go b/deb/deb_test.go
@@ -988,54 +988,6 @@ func TestDebsigsSignatureCallback(t *testing.T) {
 	require.NoError(t, err)
 }
 
-func TestDpkgSigSignature(t *testing.T) {
-	info := exampleInfo()
-	info.Deb.Signature.KeyFile = "../internal/sign/testdata/privkey.asc"
-	info.Deb.Signature.KeyPassphrase = "hunter2"
-	info.Deb.Signature.Method = "dpkg-sig"
-	info.Deb.Signature.Signer = "bob McRobert"
-
-	var deb bytes.Buffer
-	err := Default.Package(info, &deb)
-	require.NoError(t, err)
-
-	signature := extractFileFromAr(t, deb.Bytes(), "_gpgbuilder")
-
-	err = sign.PGPReadMessage(signature, "../internal/sign/testdata/pubkey.asc")
-	require.NoError(t, err)
-}
-
-func TestDpkgSigSignatureError(t *testing.T) {
-	info := exampleInfo()
-	info.Deb.Signature.KeyFile = "/does/not/exist"
-	info.Deb.Signature.Method = "dpkg-sig"
-
-	var deb bytes.Buffer
-	err := Default.Package(info, &deb)
-	require.Error(t, err)
-
-	var expectedError *nfpm.ErrSigningFailure
-	require.ErrorAs(t, err, &expectedError)
-}
-
-func TestDpkgSigSignatureCallback(t *testing.T) {
-	info := exampleInfo()
-	info.Deb.Signature.SignFn = func(r io.Reader) ([]byte, error) {
-		return sign.PGPClearSignWithKeyID(r, "../internal/sign/testdata/privkey.asc", "hunter2", nil)
-	}
-	info.Deb.Signature.Method = "dpkg-sig"
-	info.Deb.Signature.Signer = "bob McRobert"
-
-	var deb bytes.Buffer
-	err := Default.Package(info, &deb)
-	require.NoError(t, err)
-
-	signature := extractFileFromAr(t, deb.Bytes(), "_gpgbuilder")
-
-	err = sign.PGPReadMessage(signature, "../internal/sign/testdata/pubkey.asc")
-	require.NoError(t, err)
-}
-
 func TestDisableGlobbing(t *testing.T) {
 	info := exampleInfo()
 	info.DisableGlobbing = true

diff --git a/nfpm.go b/nfpm.go
@@ -413,8 +413,8 @@ type Deb struct {
 
 type DebSignature struct {
 	PackageSignature `yaml:",inline" json:",inline"`
-	// debsign, or dpkg-sig (defaults to debsign)
-	Method string `yaml:"method,omitempty" json:"method,omitempty" jsonschema:"title=method role,enum=debsign,enum=dpkg-sig,default=debsign"`
+	// debsign (defaults to debsign)
+	Method string `yaml:"method,omitempty" json:"method,omitempty" jsonschema:"title=method role,enum=debsign,default=debsign"`
 	// origin, maint or archive (defaults to origin)
 	Type   string `yaml:"type,omitempty" json:"type,omitempty" jsonschema:"title=signer role,enum=origin,enum=maint,enum=archive,default=origin"`
 	Signer string `yaml:"signer,omitempty" json:"signer,omitempty" jsonschema:"title=signer"`

diff --git a/testdata/acceptance/deb.dockerfile b/testdata/acceptance/deb.dockerfile
@@ -1,4 +1,4 @@
-FROM debian:11 AS test_base
+FROM debian AS test_base
 ARG package
 RUN echo "${package}"
 COPY ${package} /tmp/foo.deb
@@ -85,14 +85,6 @@ RUN debsig-verify /tmp/foo.deb | grep "debsig: Verified package from 'Test packa
 RUN echo "" > /etc/dpkg/dpkg.cfg
 RUN dpkg -i /tmp/foo.deb
 
-# ---- signed dpkg-sig test ----
-FROM test_base AS dpkg-signed
-RUN apt update -y
-RUN apt install -y dpkg-sig
-# TODO: we should properly check the signature here, not sure how to do so.
-RUN dpkg-sig --verify /tmp/foo.deb | grep "UNKNOWNSIG _gpgbuilder 15BD80B3"
-RUN dpkg -i /tmp/foo.deb
-
 # ---- overrides test ----
 FROM min AS overrides
 RUN test -e /usr/bin/fake
@@ -120,8 +112,8 @@ FROM min AS env-var-version
 ENV EXPECTVER=" Version: 1.0.0~0.1.b1+git.abcdefgh"
 RUN dpkg --info /tmp/foo.deb | grep "Version" > found
 RUN export FOUND_VER="$(cat found)" && \
-	echo "Expected: '${EXPECTVER}' :: Found: '${FOUND_VER}'" && \
-	test "${FOUND_VER}" = "${EXPECTVER}"
+  echo "Expected: '${EXPECTVER}' :: Found: '${FOUND_VER}'" && \
+  test "${FOUND_VER}" = "${EXPECTVER}"
 
 
 # ---- changelog test ----

diff --git a/testdata/acceptance/deb.dpkg-sig.sign.yaml b/testdata/acceptance/deb.dpkg-sig.sign.yaml
diff --git a/www/docs/configuration.md b/www/docs/configuration.md
@@ -397,9 +397,9 @@ deb:
 
   # The package is signed if a key_file is set
   signature:
-    # Signature method, either "dpkg-sig" or "debsign".
+    # Signature method.
     # Defaults to "debsign"
-    method: dpkg-sig
+    method: debsign
 
     # PGP secret key (can also be ASCII-armored). The passphrase is taken
     # from the environment variable $NFPM_DEB_PASSPHRASE with a fallback

diff --git a/www/docs/static/schema.json b/www/docs/static/schema.json