Woodpecker CI Plugins
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage


Build Status Docker Hub Quay.io Go Report Card GitHub contributors Source: GitHub License: Apache-2.0

Woodpecker CI plugin to sign artifacts with GnuPG.


  - name: gpgsign dist files
    image: quay.io/thegeeklab/wp-gpgsign
      key: LS0tLS1CRUdJTi...tLS0tCg==
      passphrase: randomstring
        - dist/*


armor optional bool
Create ASCII-armored output instead of a binary.
Default: false
clear_sign optional bool
Wrap the file in an ASCII-armored signature.
Default: false
detach_sign optional bool
Creates a detached signature for the file.
Default: false
excludes optional list
List of glob patterns to determine files to be excluded from signing.
Default: none
files optional list
List of glob patterns to determine files to be signed. If the list is empty, the plugin runs in setup-only mode. This is useful if the GPG key is required for other steps in the workflow.
Default: none
fingerprint optional string
Specific fingerprint to be used. Most like this option is required if a subkey of the given GPG key should be used. If not set, the fingerprint of the primary key is used.
Default: none
homedir optional string
GPG home directory.
Default: $HOME/.gnupg
key required string
Armored private GPG private key or the base64 encoded string of it.
Default: none
passphrase optional string
Passphrase for the GPG private key.
Default: none
trust_level optional string
Key owner trust level. Supported values: unknown|never|marginal|full|ultimate.
Default: unknown


Build the binary with the following command:

make build

Build the Container image with the following command:

docker build --file Containerfile.multiarch --tag thegeeklab/wp-gpgsign .


docker run --rm \
  -e PLUGIN_KEY=LS0tLS1CRUdJTi...tLS0tCg== \
  -e PLUGIN_PASSPHRASE=randomstring \
  -v $(pwd):/build:z \
  -w /build \