windsorcli · tvangundy · Feb 26, 2025 · Feb 24, 2025 · Feb 26, 2025 · Feb 26, 2025
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -27,10 +27,7 @@ builds:
 # Archive configuration
 archives:
   - id: default
-    format: tar.gz
-    files:
-      - LICENSE
-      - README.md
+    formats: ["zip", "tar.gz"]
 
 changelog:
   sort: asc
@@ -48,7 +45,14 @@ release:
   prerelease: false
 
 binary_signs:
-  - {}
+  - cmd: gpg
+    args: 
+      - --output
+      - "${signature}"
+      - --detach-sign
+      - "${artifact}"
+    signature: ${artifact}_{{ .Os }}_{{ .Arch }}.sig
+    artifacts: binary
 
 signs:
   - artifacts: checksum

diff --git a/docs/install.md b/docs/install.md
@@ -16,7 +16,7 @@ brew install windsor
 
 ## Manual Installation
 
-=== "MacOS"
+=== "MacOS (ARM64)"
     ```bash
     curl -L -o windsor_{{ config.extra.release_version }}_darwin_arm64.tar.gz https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_darwin_arm64.tar.gz && \
     tar -xzf windsor_{{ config.extra.release_version }}_darwin_arm64.tar.gz -C /usr/local/bin && \
@@ -31,24 +31,83 @@ brew install windsor
     1. **Import the Public Key**
     ```bash
     gpg --keyserver keys.openpgp.org --recv-keys {{ config.extra.public_key_id }}
+    ```    
+
+    2. **Download the binary signature file**:
+    ```bash
+    curl -L -o windsor_darwin_arm64.sig https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_darwin_arm64.sig
+    ```
+
+    3. **Verify the binary signature**:
+    ```bash
+    gpg --verify windsor_darwin_arm64.sig /usr/local/bin/windsor
     ```
 
-    2. **Download the signature file**:
+    4. **Download the checksum signature file**:
     ```bash
     curl -L -o windsor_{{ config.extra.release_version }}_checksums.txt.sig https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt.sig
+
+    ```
+    5. **Download the checksum file**:
+    ```bash
+    curl -L -o windsor_{{ config.extra.release_version }}_checksums.txt https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt
+    ```
+
+    6. **Verify the checksums signature**:
+    ```bash
+    gpg --verify windsor_{{ config.extra.release_version }}_checksums.txt.sig windsor_{{ config.extra.release_version }}_checksums.txt
     ```
 
-    3. **Download the checksum file**:
+    7. **Verify the checksum**:
+    ```bash
+    shasum -a 256 -c windsor_{{ config.extra.release_version }}_checksums.txt
+    ```
+
+    </details>
+
+=== "MacOS (AMD64)"
+    ```bash
+    curl -L -o windsor_{{ config.extra.release_version }}_darwin_amd64.tar.gz https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_darwin_amd64.tar.gz && \
+    tar -xzf windsor_{{ config.extra.release_version }}_darwin_amd64.tar.gz -C /usr/local/bin && \
+    chmod +x /usr/local/bin/windsor
+    ```
+
+    <details>
+    <summary><strong>Verify the signature and checksum of the Windsor binary</strong></summary>
+
+    To enhance security and confirm the integrity of your Windsor CLI installation, it is crucial to verify the downloaded binary. This involves checking the signature and checksum of the binary to ensure it has not been tampered with and is safe for use on your system. Follow the steps below to perform these verifications.
+
+    1. **Import the Public Key**
+    ```bash
+    gpg --keyserver keys.openpgp.org --recv-keys {{ config.extra.public_key_id }}
+    ```    
+
+    2. **Download the binary signature file**:
+    ```bash
+    curl -L -o windsor_darwin_amd64.sig https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_darwin_amd64.sig
+    ```
+
+    3. **Verify the binary signature**:
+    ```bash
+    gpg --verify windsor_darwin_amd64.sig /usr/local/bin/windsor
+    ```
+
+    4. **Download the checksum signature file**:
+    ```bash
+    curl -L -o windsor_{{ config.extra.release_version }}_checksums.txt.sig https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt.sig
+    ```
+
+    5. **Download the checksum file**:
     ```bash
     curl -L -o windsor_{{ config.extra.release_version }}_checksums.txt https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt
     ```
 
-    4. **Verify the Signature**:
+    6. **Verify the checksums signature**:
     ```bash
     gpg --verify windsor_{{ config.extra.release_version }}_checksums.txt.sig windsor_{{ config.extra.release_version }}_checksums.txt
     ```
 
-    5. **Verify the Checksum**:
+    7. **Verify the checksum**:
     ```bash
     shasum -a 256 -c windsor_{{ config.extra.release_version }}_checksums.txt
     ```
@@ -74,28 +133,88 @@ brew install windsor
     gpg --keyserver keys.openpgp.org --recv-keys {{ config.extra.public_key_id }}
     ```
 
-    2. **Download the signature file**:
+    2. **Download the binary signature file**:
+    ```powershell
+    Invoke-WebRequest -Uri "https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor.exe_windows_amd64.sig" -OutFile "windsor.exe_windows_amd64.sig"
+    ```
+
+    3. **Verify the binary signature**:
+    ```powershell
+    gpg --verify windsor.exe_windows_amd64.sig "C:\Program Files\Windsor\windsor.exe"
+    ```
+
+    4. **Download the checksum signature file**:
     ```powershell
     Invoke-WebRequest -Uri "https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt.sig" -OutFile "windsor_{{ config.extra.release_version }}_checksums.txt.sig"
     ```
 
-    3. **Download the checksum file**:
+    5. **Download the checksum file**:
     ```powershell
     Invoke-WebRequest -Uri "https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt" -OutFile "windsor_{{ config.extra.release_version }}_checksums.txt"
     ```
 
-    4. **Verify the Signature**:
+    6. **Verify the checksums signature**:
     ```powershell
     gpg --verify windsor_{{ config.extra.release_version }}_checksums.txt.sig windsor_{{ config.extra.release_version }}_checksums.txt
     ```
 
-    5. **Verify the Checksum**:
+    7. **Verify the checksums**:
     ```powershell
     Get-FileHash -Algorithm SHA256 -Path "windsor_{{ config.extra.release_version }}_checksums.txt" | Format-List
     ```
     </details>
 
-=== "Linux"
+=== "Linux (ARM64)"
+
+    ```bash
+    curl -L -o windsor_{{ config.extra.release_version }}_linux_arm64.tar.gz https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_linux_arm64.tar.gz && \
+    sudo tar -xzf windsor_{{ config.extra.release_version }}_linux_arm64.tar.gz -C /usr/local/bin && \
+    sudo chmod +x /usr/local/bin/windsor
+    ```
+
+    <details>
+    <summary><strong>Verify the signature and checksum of the Windsor binary</strong></summary>
+
+    To enhance security and confirm the integrity of your Windsor CLI installation, it is crucial to verify the downloaded binary. This involves checking the signature and checksum of the binary to ensure it has not been tampered with and is safe for use on your system. Follow the steps below to perform these verifications.
+
+    1. **Import the Public Key**
+    ```bash
+    gpg --keyserver keys.openpgp.org --recv-keys {{ config.extra.public_key_id }}
+    ```
+    2. **Download the binary signature file**:
+    ```bash
+    curl -L -o windsor_linux_arm64.sig https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_linux_arm64.sig
+    ```
+
+    3. **Verify the binary signature**:
+    ```bash
+    gpg --verify windsor_linux_arm64.sig /usr/local/bin/windsor
+    ```
+
+    4. **Download the checksum signature file**:
+    ```bash
+    curl -L -o windsor_{{ config.extra.release_version }}_checksums.txt.sig https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt.sig
+    ```
+
+    5. **Download the checksum file**:
+    ```bash
+    curl -L -o windsor_{{ config.extra.release_version }}_checksums.txt https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt
+    ```
+
+    6. **Verify the checksums signature**:
+    ```bash
+    gpg --verify windsor_{{ config.extra.release_version }}_checksums.txt.sig windsor_{{ config.extra.release_version }}_checksums.txt
+    ```
+
+    7. **Verify the checksums**:
+    ```bash
+    sha256sum -c windsor_{{ config.extra.release_version }}_checksums.txt 
+    ```
+
+    </details>
+
+=== "Linux (AMD64)"
+
     ```bash
     curl -L -o windsor_{{ config.extra.release_version }}_linux_amd64.tar.gz https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_linux_amd64.tar.gz && \
     sudo tar -xzf windsor_{{ config.extra.release_version }}_linux_amd64.tar.gz -C /usr/local/bin && \
@@ -111,23 +230,32 @@ brew install windsor
     ```bash
     gpg --keyserver keys.openpgp.org --recv-keys {{ config.extra.public_key_id }}
     ```
+    2. **Download the binary signature file**:
+    ```bash
+    curl -L -o windsor_linux_amd64.sig https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_linux_amd64.sig
+    ```
+
+    3. **Verify the binary signature**:
+    ```bash
+    gpg --verify windsor_linux_amd64.sig /usr/local/bin/windsor
+    ```
 
-    2. **Download the signature file**:
+    4. **Download the checksum signature file**:
     ```bash
     curl -L -o windsor_{{ config.extra.release_version }}_checksums.txt.sig https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt.sig
     ```
 
-    3. **Download the checksum file**:
+    5. **Download the checksum file**:
     ```bash
     curl -L -o windsor_{{ config.extra.release_version }}_checksums.txt https://github.com/windsorcli/cli/releases/download/v{{ config.extra.release_version }}/windsor_{{ config.extra.release_version }}_checksums.txt
     ```
 
-    4. **Verify the Signature**:
+    6. **Verify the checksums signature**:
     ```bash
     gpg --verify windsor_{{ config.extra.release_version }}_checksums.txt.sig windsor_{{ config.extra.release_version }}_checksums.txt
     ```
 
-    5. **Verify the Checksum**:
+    7. **Verify the checksums**:
     ```bash
     sha256sum -c windsor_{{ config.extra.release_version }}_checksums.txt
     ```