Use Sparkle signer for full appcasts
This commit is contained in:
parent
a84922f4f3
commit
1d45016a63
4 changed files with 63 additions and 17 deletions
|
|
@ -141,10 +141,14 @@ The same change also makes the forge itself the release authority: release tags
|
|||
sign the app/extension bundles with the patched `rcodesign` PKCS#11 path.
|
||||
- The signed iOS IPA is uploaded to App Store Connect, and the signed macOS
|
||||
ZIP is used as the Sparkle tester artifact.
|
||||
- Add a non-exportable Google KMS key named `sparkle-ed25519` for Sparkle
|
||||
appcast signatures. It uses `EC_SIGN_ED25519` with software protection level
|
||||
because Google KMS rejects Ed25519 for HSM protection. macOS builds embed
|
||||
public EdDSA key `Myv9ZNZT6YGKMtMezh52ra4WqaeEKc4VlvVU0evhJeI=`.
|
||||
- Add a Google KMS key named `sparkle-ed25519` for small Sparkle signing probes
|
||||
and future signing-service work. It uses `EC_SIGN_ED25519` with software
|
||||
protection level because Google KMS rejects Ed25519 for HSM protection. Google
|
||||
KMS also rejects normal macOS release archives as direct Ed25519 messages, so
|
||||
the tester pipeline signs full-size Sparkle archives with Sparkle's
|
||||
`sign_update` and the decrypted `SPARKLE_EDDSA_KEY_PATH` release secret until
|
||||
a compatible KMS-backed Sparkle signing service is introduced. macOS builds
|
||||
embed public EdDSA key `Myv9ZNZT6YGKMtMezh52ra4WqaeEKc4VlvVU0evhJeI=`.
|
||||
- Use Namespace labels for platform lanes:
|
||||
- `namespace-profile-linux-medium`
|
||||
- `namespace-profile-macos-large`
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue