goreleaser signing using gon - bundle format unrecognized, invalid, or unsuitable

Question

I am trying to sign my golang using goreleaser - and eventually distribute using Homebrew. But this will require signing with Apple Developer ID to be able to distribute to MacOs.

Have you seen the following error using gon and fixed it?

yaml sample from here

# This is an example .goreleaser.yml file with some sane defaults.
# Make sure to check the documentation at http://goreleaser.com
before:
  hooks:
    # You may remove this if you don't use go modules.
    - go mod tidy
    # you may remove this if you don't need go generate
    - go generate ./...

builds:
- binary: foo
  id: foo
  goos:
  - linux
  goarch:
  - amd64
# notice that we need a separated build for the MacOS binary only:
- binary: foo
  id: appbrew-macos
  goos:
  - darwin
  goarch:
  - amd64
  hooks:
    post: gon gon.hcl

gon.hcl file

# The path follows a pattern
# ./dist/BUILD-ID_TARGET/BINARY-NAME

source = ["."]
bundle_id = "com.mydomain.mybrew"

apple_id {
    username = "<[email protected]>"
    password = "@keychain:developer_id_application"
}

sign {
  application_identity = "Developer ID Application: my name (452534542)"
}

I can verify that the password is retrieve using:

security find-generic-password -w -s 'developer_id_application' -a '<[email protected]>'

Error:

   • archives         
      • creating                  archive=dist/appbrew_0.1.19_Darwin_x86_64.tar.gz
      • creating                  archive=dist/appbrew_0.1.19_Darwin_arm64.tar.gz
      • creating                  archive=dist/appbrew_0.1.19_Linux_i386.tar.gz
      • creating                  archive=dist/appbrew_0.1.19_Linux_x86_64.tar.gz
      • creating                  archive=dist/appbrew_0.1.19_Linux_arm64.tar.gz
   • creating source archive
   • linux packages   
   • snapcraft packages
   • calculating checksums
      • checksumming              file=appbrew_0.1.19_Linux_arm64.tar.gz
      • checksumming              file=appbrew_0.1.19_Darwin_arm64.tar.gz
      • checksumming              file=appbrew_0.1.19_Linux_x86_64.tar.gz
      • checksumming              file=appbrew_0.1.19_Darwin_x86_64.tar.gz
      • checksumming              file=appbrew_0.1.19_Linux_i386.tar.gz
   • signing artifacts
      • signing                   cmd=[gon gon.hcl]
      • ==> ✏️  Signing files...
 cmd=gon
      • ❗️ Error signing files:

error signing:

.: bundle format unrecognized, invalid, or unsuitable

 cmd=gon
   ⨯ release failed after 3.49s error=sign: gon failed

Answer 1

Your config should probably be something like:

builds:
- binary: foo
  id: foo
  goos:
  - linux
  - windows
  goarch:
  - amd64
# separated build for macos only
- binary: foo
  id: foo-macos
  goos:
  - darwin
  goarch:
  - amd64
signs:
  - signature: "${artifact}.dmg"
    ids:
    - foo-macos
    cmd: gon
    args:
    - gon.hcl
    artifacts: all

notice that signing is done in the signs step, not in the builds like in your config.

More info in Gon's repository.