How to use with goreleaser

I have been dabbling a bit with PGP, as I know it’s something that I use indirectly, but have some gaps in my knowledge. Recently, I started integrating goreleaser in some of my projects. Well, nifty enough is there is a place to add signing to it, which uses gpg by default:

# .goreleaser.yml
  # name of the signature file.
  # '${artifact}' is the path to the artifact that should be signed.
  # signature: "${artifact}.sig"

  # path to the signature command
  # cmd: gpg

  # command line arguments for the command
  # to sign with a specific key use
  # args: ["-u", "<key id, fingerprint, email, ...>", "--output", "${signature}", "--detach-sign", "${artifact}"]
  # args: ["--output", "${signature}", "--detach-sign", "${artifact}"]

  # which artifacts to sign
  #   checksum: only checksum file(s)
  #   all:      all artifacts
  #   none:     no signing
  # artifacts: none

Well, this was easy enough to modify with a little change:

  cmd: keybase
  - sign
  - --infile
  - $artifact
  - --binary
  - --outfile
  - $signature
  - --detached
  signature: ${artifact}.sig
  artifacts: checksum

As a point of reference, I was able to find the command-line documentation for Keybase a welcome help:


   keybase sign -m "I hereby abdicate the throne"

   keybase sign -i foo.exe -b -o foo.exe.signed

Which, when run on a recent release, will produce a release with a signed file for the checksum itself:

trackello release v0.2.7