Use signore for gpg signing (hashicorp#330)

.github/workflows/release.yml

@@ -23,6 +23,12 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: '^1.15'
+      - name: Setup signore
+        uses: hashicorp/setup-signore@v1
+        with:
+          github-token: ${{secrets.SIGNORE_TOKEN}}
+          client-id: $${{secrets.SIGNORE_CLIENT_ID}}
+          client-secret: $${{secrets.SIGNORE_CLIENT_SECRET}}
       - name: Install hc-codesign
         id: codesign
         run: |
@@ -48,11 +54,6 @@ jobs:
         env: 
           VERSION: 1.6.4
           SHA256SUM: 3ad66eebd443d32dd6c811dcf2d264b78678c75ed1d40c15434180d4453e60d2
-      - name: Import PGP key for archive signing
-        run: echo -e $PGP_KEY | base64 -di | gpg --import --batch
-        env:
-          GPG_TTY: $(tty)
-          PGP_KEY: ${{ secrets.PGP_SIGNING_KEY }}
       - name: GitHub Release
         uses: goreleaser/goreleaser-action@v1
         with:
@@ -65,6 +66,7 @@ jobs:
           ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
           ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
           CIRCLE_TOKEN: ${{ secrets.CIRCLE_TOKEN }}
+          SIGNORE_SIGNER: ${{secrets.SIGNORE_SIGNER}}
       - name: Run clamAV antivirus scanner
         run: sudo clamscan /home/runner/work/$REPO/$REPO/dist/
         env:

.goreleaser.yml

@@ -43,7 +43,15 @@ checksum:
   algorithm: sha256
 
 signs:
-  - args: ["-u", "{{ .Env.PGP_KEY_ID }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
+  - signature: ${artifact}.sig
+    cmd: sh
+    args:
+    - -c
+    - >-
+      signore
+      sign
+      --file ${artifact}
+      --out ${signature}
     artifacts: checksum
 
 changelog: