Sign Sparkle appcasts in Python
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 3m4s
Build Rust / Cargo Test (push) Successful in 4m5s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 3m4s
Build Rust / Cargo Test (push) Successful in 4m5s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s
This commit is contained in:
parent
1ef6fedeaf
commit
640d4693ac
5 changed files with 35 additions and 26 deletions
|
|
@ -33,8 +33,8 @@ a different distribution certificate.
|
|||
Sparkle appcast signing keeps the `sparkle-ed25519` Google KMS key available
|
||||
for payloads small enough for direct KMS Ed25519 signing, but normal macOS
|
||||
release archives are larger than Google KMS accepts for direct Ed25519
|
||||
messages. Those archives are signed with Sparkle's `sign_update` using the
|
||||
decrypted release `SPARKLE_EDDSA_KEY_PATH` so Sparkle receives the standard
|
||||
messages. Those archives are signed directly from the decrypted release
|
||||
`SPARKLE_EDDSA_KEY_PATH` seed so Sparkle receives the standard
|
||||
full-archive EdDSA signature it verifies at update time. macOS release builds
|
||||
embed public EdDSA key
|
||||
`uugZuJeqvvKd91NZ6F1Fv2cQenUbIG/ZW3L9MuaEz30=` and point Sparkle metadata at
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue