ci: update acceptance tests to debian:trixie, remove dpkg-sig from tests

acceptance_test.go

@@ -318,30 +318,25 @@ func TestRPMSign(t *testing.T) {
 func TestDebSign(t *testing.T) {
 	t.Parallel()
 	for _, arch := range formatArchs["deb"] {
-		for _, sigtype := range []string{"dpkg-sig", "debsign"} {
-			func(t *testing.T, testSigtype, testArch string) {
-				t.Run(fmt.Sprintf("deb/%s/%s", testArch, testSigtype), func(t *testing.T) {
-					t.Parallel()
-					target := "signed"
-					if testSigtype == "dpkg-sig" {
-						target = "dpkg-signed"
-					}
-					if testArch == "ppc64le" && os.Getenv("NO_TEST_PPC64LE") == "true" {
-						t.Skip("ppc64le arch not supported in pipeline")
-					}
-					accept(t, acceptParms{
-						Name:   fmt.Sprintf("%s_sign_%s", testSigtype, testArch),
-						Conf:   fmt.Sprintf("deb.%s.sign.yaml", testSigtype),
-						Format: "deb",
-						Docker: dockerParams{
-							File:   "deb.dockerfile",
-							Target: target,
-							Arch:   testArch,
-						},
-					})
+		func(t *testing.T, testArch string) {
+			t.Run(fmt.Sprintf("deb/%s", testArch), func(t *testing.T) {
+				t.Parallel()
+				target := "signed"
+				if testArch == "ppc64le" && os.Getenv("NO_TEST_PPC64LE") == "true" {
+					t.Skip("ppc64le arch not supported in pipeline")
+				}
+				accept(t, acceptParms{
+					Name:   "debsign_sign_" + testArch,
+					Conf:   "deb.debsign.sign.yaml",
+					Format: "deb",
+					Docker: dockerParams{
+						File:   "deb.dockerfile",
+						Target: target,
+						Arch:   testArch,
+					},
 				})
-			}(t, sigtype, arch)
-		}
+			})
+		}(t, arch)
 	}
 }
 

nfpm.go

@@ -442,8 +442,8 @@ type Deb struct {
 
 type DebSignature struct {
 	PackageSignature `yaml:",inline" json:",inline"`
-	// debsign, or dpkg-sig (defaults to debsign)
-	Method string `yaml:"method,omitempty" json:"method,omitempty" jsonschema:"title=method role,enum=debsign,enum=dpkg-sig,default=debsign"`
+	// Only debsign still supported
+	Method string `yaml:"method,omitempty" json:"method,omitempty" jsonschema:"title=method role,enum=debsign,default=debsign"`
 	// origin, maint or archive (defaults to origin)
 	Type   string `yaml:"type,omitempty" json:"type,omitempty" jsonschema:"title=signer role,enum=origin,enum=maint,enum=archive,default=origin"`
 	Signer string `yaml:"signer,omitempty" json:"signer,omitempty" jsonschema:"title=signer"`

testdata/acceptance/deb.dockerfile

@@ -1,4 +1,4 @@
-FROM debian:11 AS test_base
+FROM debian:trixie AS test_base
 ARG package
 RUN echo "${package}"
 COPY ${package} /tmp/foo.deb
@@ -85,14 +85,6 @@ RUN debsig-verify /tmp/foo.deb | grep "debsig: Verified package from 'Test packa
 RUN echo "" > /etc/dpkg/dpkg.cfg
 RUN dpkg -i /tmp/foo.deb
 
-# ---- signed dpkg-sig test ----
-FROM test_base AS dpkg-signed
-RUN apt update -y
-RUN apt install -y dpkg-sig
-# TODO: we should properly check the signature here, not sure how to do so.
-RUN dpkg-sig --verify /tmp/foo.deb | grep "UNKNOWNSIG _gpgbuilder 15BD80B3"
-RUN dpkg -i /tmp/foo.deb
-
 # ---- overrides test ----
 FROM min AS overrides
 RUN test -e /usr/bin/fake

testdata/acceptance/deb.dpkg-sig.sign.yaml

@@ -1,15 +0,0 @@
-name: "foo"
-arch: "${BUILD_ARCH}"
-platform: "linux"
-version: "v1.0.0"
-maintainer: "John Doe <john@example.com>"
-description: This package is signed
-vendor: "FooBarCorp"
-homepage: "http://example.com"
-contents:
-- src: ./testdata/fake
-  dst: /usr/bin/fake
-deb:
-  signature:
-    method: dpkg-sig
-    key_file: ./internal/sign/testdata/privkey_unprotected.asc

www/docs/configuration.md

@@ -413,6 +413,7 @@ deb:
   signature:
     # Signature method, either "dpkg-sig" or "debsign".
     # Defaults to "debsign"
+    # "dpkg-sig" is not supported in newer Debian versions.
     method: dpkg-sig
 
     # PGP secret key (can also be ASCII-armored). The passphrase is taken