Use Sparkle signer for full appcasts
Some checks failed
Build Rust / Cargo Test (push) Successful in 4m1s
Build Site / Next.js Build (push) Failing after 5s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 16:13:53 -07:00
parent a84922f4f3
commit 1d45016a63
4 changed files with 63 additions and 17 deletions

View file

@ -141,10 +141,14 @@ The same change also makes the forge itself the release authority: release tags
sign the app/extension bundles with the patched `rcodesign` PKCS#11 path.
- The signed iOS IPA is uploaded to App Store Connect, and the signed macOS
ZIP is used as the Sparkle tester artifact.
- Add a non-exportable Google KMS key named `sparkle-ed25519` for Sparkle
appcast signatures. It uses `EC_SIGN_ED25519` with software protection level
because Google KMS rejects Ed25519 for HSM protection. macOS builds embed
public EdDSA key `Myv9ZNZT6YGKMtMezh52ra4WqaeEKc4VlvVU0evhJeI=`.
- Add a Google KMS key named `sparkle-ed25519` for small Sparkle signing probes
and future signing-service work. It uses `EC_SIGN_ED25519` with software
protection level because Google KMS rejects Ed25519 for HSM protection. Google
KMS also rejects normal macOS release archives as direct Ed25519 messages, so
the tester pipeline signs full-size Sparkle archives with Sparkle's
`sign_update` and the decrypted `SPARKLE_EDDSA_KEY_PATH` release secret until
a compatible KMS-backed Sparkle signing service is introduced. macOS builds
embed public EdDSA key `Myv9ZNZT6YGKMtMezh52ra4WqaeEKc4VlvVU0evhJeI=`.
- Use Namespace labels for platform lanes:
- `namespace-profile-linux-medium`
- `namespace-profile-macos-large`