Binaries & Archives
Sign artifacts with GPG or cosign
Anodizer can sign your release artifacts using GPG or cosign.
Minimal config
signs:
- artifacts: all
cmd: gpg
args: ["--batch", "--local-user", "{{ Env.GPG_KEY_ID }}", "--output", "${signature}", "--detach-sig", "${artifact}"]Sign config fields
| Field | Type | Default | Description |
|---|---|---|---|
id | string | none | Identifier for this signing config |
artifacts | string | none | What to sign: none, all, archive, binary, package, checksum |
cmd | string | — | Signing command (e.g., gpg, cosign) |
args | list | — | Arguments (supports templates; ${artifact} and ${signature} are special) |
signature | string | ${artifact}.sig | Signature file path template |
stdin | string | none | String to pipe to stdin |
stdin_file | string | none | File to pipe to stdin |
ids | list | none | Only sign artifacts matching these IDs |
Cosign example
signs:
- artifacts: checksum
cmd: cosign
args: ["sign-blob", "--key=cosign.key", "--output-signature=${signature}", "${artifact}"]Multiple signing configs
signs:
- id: gpg
artifacts: archive
cmd: gpg
args: ["--batch", "--detach-sig", "--output", "${signature}", "${artifact}"]
- id: cosign
artifacts: checksum
cmd: cosign
args: ["sign-blob", "--key=cosign.key", "--output-signature=${signature}", "${artifact}"]