Signing is done by stsigtool only

build.go

@@ -27,19 +27,16 @@ import (
 	"strconv"
 	"strings"
 	"time"
-
-	"github.com/syncthing/syncthing/lib/signature"
 )
 
 var (
-	versionRe  = regexp.MustCompile(`-[0-9]{1,3}-g[0-9a-f]{5,10}`)
-	goarch     string
-	goos       string
-	noupgrade  bool
-	version    string
-	goVersion  float64
-	race       bool
-	signingKey string
+	versionRe = regexp.MustCompile(`-[0-9]{1,3}-g[0-9a-f]{5,10}`)
+	goarch    string
+	goos      string
+	noupgrade bool
+	version   string
+	goVersion float64
+	race      bool
 )
 
 const minGoVersion = 1.3
@@ -64,7 +61,6 @@ func main() {
 	flag.BoolVar(&noupgrade, "no-upgrade", noupgrade, "Disable upgrade functionality")
 	flag.StringVar(&version, "version", getVersion(), "Set compiled in version string")
 	flag.BoolVar(&race, "race", race, "Use race detector")
-	flag.StringVar(&signingKey, "sign", signingKey, "Private key file for signing binaries")
 	flag.Parse()
 
 	switch goarch {
@@ -229,15 +225,6 @@ func build(pkg string, tags []string) {
 	args = append(args, pkg)
 	setBuildEnv()
 	runPrint("go", args...)
-
-	if signingKey != "" {
-		// Create an signature of the binary, to be included in the archive for
-		// automatic upgrades.
-		err := signFile(signingKey, binary)
-		if err != nil {
-			log.Fatal(err)
-		}
-	}
 }
 
 func buildTar() {
@@ -723,34 +710,6 @@ func zipFile(out string, files []archiveFile) {
 	}
 }
 
-func signFile(keyname, file string) error {
-	privkey, err := ioutil.ReadFile(keyname)
-	if err != nil {
-		return err
-	}
-
-	fd, err := os.Open(file)
-	if err != nil {
-		return err
-	}
-	defer fd.Close()
-
-	sig, err := signature.Sign(privkey, fd)
-	if err != nil {
-		return err
-	}
-
-	out, err := os.Create(file + ".sig")
-	if err != nil {
-		return err
-	}
-	_, err = out.Write(sig)
-	if err != nil {
-		return err
-	}
-	return out.Close()
-}
-
 func vet(pkg string) {
 	bs, err := runError("go", "vet", pkg)
 	if err != nil && err.Error() == "exit status 3" || bytes.Contains(bs, []byte("no such tool \"vet\"")) {

build.sh

@@ -74,33 +74,27 @@ case "${1:-default}" in
 		;;
 
 	all)
-		if [ -f /etc/syncthing/syncthing.priv ] ; then
-			# Default signing key location. If present, use it to sign the
-			# release.
-			extra=(-sign /etc/syncthing/syncthing.priv)
-		fi
-
-		build -goos darwin -goarch amd64 ${extra[@]-} tar
+		build -goos darwin -goarch amd64 tar
 
-		build -goos dragonfly -goarch amd64 ${extra[@]-} tar
+		build -goos dragonfly -goarch amd64 tar
 
-		build -goos freebsd -goarch 386 ${extra[@]-} tar
-		build -goos freebsd -goarch amd64 ${extra[@]-} tar
+		build -goos freebsd -goarch 386 tar
+		build -goos freebsd -goarch amd64 tar
 
-		build -goos linux -goarch 386 ${extra[@]-} tar
-		build -goos linux -goarch amd64 ${extra[@]-} tar
-		build -goos linux -goarch arm ${extra[@]-} tar
+		build -goos linux -goarch 386 tar
+		build -goos linux -goarch amd64 tar
+		build -goos linux -goarch arm tar
 
-		build -goos netbsd -goarch 386 ${extra[@]-} tar
-		build -goos netbsd -goarch amd64 ${extra[@]-} tar
+		build -goos netbsd -goarch 386 tar
+		build -goos netbsd -goarch amd64 tar
 
-		build -goos openbsd -goarch 386 ${extra[@]-} tar
-		build -goos openbsd -goarch amd64 ${extra[@]-} tar
+		build -goos openbsd -goarch 386 tar
+		build -goos openbsd -goarch amd64 tar
 
-		build -goos solaris -goarch amd64 ${extra[@]-} tar
+		build -goos solaris -goarch amd64 tar
 
-		build -goos windows -goarch 386 ${extra[@]-} zip
-		build -goos windows -goarch amd64 ${extra[@]-} zip
+		build -goos windows -goarch 386 zip
+		build -goos windows -goarch amd64 zip
 		;;
 
 	test-cov)
@@ -134,17 +128,10 @@ case "${1:-default}" in
 
 	docker-all)
 		img=${DOCKERIMG:-syncthing/build:latest}
-		if [ -f /etc/syncthing/syncthing.priv ] ; then
-			# Default signing key location. If present, pass into Docker so we
-			# can sign the release from in there.
-			extra=(-v /etc/syncthing/syncthing.priv:/etc/syncthing/syncthing.priv)
-		fi
-
 		docker run --rm -h syncthing-builder -u $(id -u) -t \
 			-v $(pwd):/go/src/github.com/syncthing/syncthing \
 			-w /go/src/github.com/syncthing/syncthing \
 			-e "STTRACE=$STTRACE" \
-			${extra[@]-} \
 			"$img" \
 			sh -c './build.sh clean \
 				&& ./build.sh test-cov \