refactor build: Keep GPG-signatures outside of tarballs

Instead of signing the binary and adding the signature in the release tarball, keep the GPG-signatures *outside* of the tarball. This makes it easier to use the built-in GPG-signature verification features of package managers such as pacman.
tazjin · Aug 22, 2017 · e8cfa9c · e8cfa9c
1 parent a9c450c
commit e8cfa9c
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/build-release.sh b/build-release.sh
@@ -35,15 +35,15 @@ function sign-for() {
     local os="${1}"
     local arch="${2}"
     local target="release/${os}/${arch}"
-    local bin="${target}/kontemplate"
-    local hash="$(sha256sum ${bin})"
+    local bin=$(binary-name "${os}" "${target}")
     local tar="release/kontemplate-${VERSION}-${os}-${arch}.tar.gz"
 
-    echo "Signing kontemplate binary for ${os}-${arch} with SHA256 ${hash}"
-    gpg --sign "${bin}"
-
     echo "Packing release into ${tar}"
-    tar czvf "${tar}" -C "${target}" kontemplate kontemplate.gpg
+    tar czvf "${tar}" -C "${target}" $(basename "${bin}")
+
+    local hash=$(sha256sum "${tar}")
+    echo "Signing kontemplate release tarball for ${os}-${arch} with SHA256 ${hash}"
+    gpg --armor --detach-sig --sign "${tar}"
 }
 
 case "${1}" in
@@ -56,7 +56,7 @@ case "${1}" in
         exit 0
         ;;
     "sign")
-        # Sign releases:
+        # Bundle and sign releases:
         sign-for "linux" "amd64"
         sign-for "darwin" "amd64"
         sign-for "windows" "amd64"