Use Sparkle signer for full appcasts
Some checks failed
Build Rust / Cargo Test (push) Successful in 4m1s
Build Site / Next.js Build (push) Failing after 5s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 16:13:53 -07:00
parent a84922f4f3
commit 1d45016a63
4 changed files with 63 additions and 17 deletions

View file

@ -81,10 +81,13 @@ Its public key matches KMS key version
## Sparkle Appcast Signing
Sparkle appcasts use `sparkle-ed25519`, a non-exportable Google KMS key with
algorithm `EC_SIGN_ED25519` and software protection level. Google KMS rejects
Ed25519 at HSM protection level, so this key is intentionally separate from the
HSM RSA keys used for Apple certificate CSRs and repository signing.
Sparkle appcasts keep `sparkle-ed25519`, a Google KMS key with algorithm
`EC_SIGN_ED25519` and software protection level, for small signing probes and
future signing-service work. Google KMS rejects Ed25519 at HSM protection level
and also rejects full-size macOS release archives as direct Ed25519 messages.
The tester pipeline therefore signs normal Sparkle archives with Sparkle's
`sign_update` and the decrypted `SPARKLE_EDDSA_KEY_PATH` release secret so the
appcast contains the standard full-archive EdDSA signature Sparkle verifies.
The public EdDSA key embedded in macOS release builds is: