Struct SignConfig

Source

pub struct SignConfig {
    pub id: Option<String>,
    pub artifacts: Option<String>,
    pub cmd: Option<String>,
    pub args: Option<Vec<String>>,
    pub signature: Option<String>,
    pub stdin: Option<String>,
    pub stdin_file: Option<String>,
    pub ids: Option<Vec<String>>,
    pub env: Option<Vec<String>>,
    pub certificate: Option<String>,
    pub output: Option<StringOrBool>,
    pub if_condition: Option<String>,
}

Fields§

§id: Option<String>

Unique identifier for this sign config.

§artifacts: Option<String>

Artifact types to sign: “all”, “archive”, “binary”, “checksum”, “package”, “sbom” (default: “none”).

§cmd: Option<String>

Signing command to invoke (default: “cosign” or “gpg”).

§args: Option<Vec<String>>

Arguments passed to the signing command (supports templates with ${artifact} and ${signature}).

§signature: Option<String>

Signature output filename template (supports templates).

§stdin: Option<String>

Content written to the signing command’s stdin.

§stdin_file: Option<String>

Path to a file whose content is written to the signing command’s stdin.

§ids: Option<Vec<String>>

Build IDs filter: only sign artifacts from builds whose id is in this list.

§env: Option<Vec<String>>

Environment variables passed to the signing command.

§certificate: Option<String>

Certificate file to embed in the signature (Cosign bundle signing).

§output: Option<StringOrBool>

Capture and log stdout/stderr of the signing command. Accepts bool or template string (e.g., “{{ .IsSnapshot }}”).

§if_condition: Option<String>

Template-conditional: skip this sign config if rendered result is “false” or empty.

Implementations§

Source §

impl SignConfig

Source

pub const DEFAULT_ID: &'static str = "default"

Default id when a sign config has none. Mirrors GoReleaser internal/pipe/sign/sign.go (cfg.ID = "default"). Used to label log lines and uniqueness-error messages.

Source

pub const DEFAULT_ARTIFACTS: &'static str = "none"

Default artifacts filter for top-level signs:[]. Mirrors GoReleaser sign.go (cfg.Artifacts = "none") — by default nothing is signed unless the user opts in.

Source

pub const DEFAULT_ARTIFACTS_BINARY: &'static str = "binary"

Default artifacts filter for binary_signs:[]. The binary-only driver always restricts the artifact-kind filter to binaries even when the user leaves artifacts: unset. Anodize-specific helper (no GoReleaser equivalent — GR uses a different config type for binary signing) but kept on SignConfig because anodize unifies signs[] and binary_signs[] into one struct.

Source

pub const DEFAULT_SIGNATURE_TEMPLATE: &'static str = "{{ .Artifact }}.sig"

Default signature template for top-level signs:[]. Mirrors GoReleaser sign.go (cfg.Signature = "${artifact}.sig"). Anodize uses Tera-style {{ .Artifact }} placeholders that the arg-resolver rewrites to the same path at execution time.

Source

pub const DEFAULT_BINARY_SIGNATURE_TEMPLATE: &'static str = "{{ .Artifact }}.sig"

Default signature template for binary_signs:[].

Intentionally diverges from GoReleaser sign_binary.go:16: GR stores binaries under per-target subdirectories (dist/linux_amd64/binname), so its template appends _{{ .Os }}_{{ .Arch }} to the bare binary name without collision. Anodize uses a flat dist/ layout where stage-build already names binaries with the platform suffix (myapp_linux_amd64, myapp_darwin_arm64, etc.). Appending Os/Arch again would produce myapp_linux_amd64_linux_amd64 with no .sig extension — a double-suffix bug.

The correct default for anodize’s layout is {{ .Artifact }}.sig — identical to DEFAULT_SIGNATURE_TEMPLATE. Binary names are already unique per target, so no collision risk exists. Users who want an explicit per-target suffix can set signature: in binary_signs:.

Source

pub const DEFAULT_ARGS: &[&'static str]

Default args for top-level signs:[]. Mirrors GoReleaser sign.go (["--output", "$signature", "--detach-sig", "$artifact"]). Anodize substitutes $signature / $artifact for {{ .Signature }} / {{ .Artifact }} Tera placeholders that the arg-resolver rewrites; the wire-level invocation matches GR exactly.

Source

pub fn resolved_id(&self) -> &str

Resolve the sign-config id, falling back to "default" (GoReleaser-canonical).

Source

pub fn resolved_artifacts<'a>(&'a self, fallback: &'a str) -> &'a str

Resolve the artifacts filter, falling back to the supplied fallback (Self::DEFAULT_ARTIFACTS for signs[], Self::DEFAULT_ARTIFACTS_BINARY for binary_signs[]).

Source

pub fn resolved_signature_template<'a>(&'a self, default: &'a str) -> &'a str

Resolve the signature template, falling back to the supplied default (Self::DEFAULT_SIGNATURE_TEMPLATE for signs[], Self::DEFAULT_BINARY_SIGNATURE_TEMPLATE for binary_signs[]).

Source

pub fn resolved_args(&self) -> Vec<String>

Resolve args, materializing the Self::DEFAULT_ARGS const into a Vec<String> when the user left args: unset. Returns a clone of the user-supplied list otherwise.

Source

pub fn is_gpg(&self) -> bool

true when this sign config will invoke gpg.

The top-level signs: driver defaults to gpg when cmd: is unset (see stage-sign::helpers::default_sign_cmd which falls back to git config gpg.program then to literal "gpg"). We treat any cmd whose basename starts with gpg (e.g., gpg, gpg2, /usr/local/bin/gpg) as a gpg invocation. A cmd of "cosign", "notation", etc. returns false.