Sign Sparkle appcasts in Python
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 3m4s
Build Rust / Cargo Test (push) Successful in 4m5s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 3m4s
Build Rust / Cargo Test (push) Successful in 4m5s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s
This commit is contained in:
parent
1ef6fedeaf
commit
640d4693ac
5 changed files with 35 additions and 26 deletions
|
|
@ -145,10 +145,10 @@ The same change also makes the forge itself the release authority: release tags
|
|||
and future signing-service work. It uses `EC_SIGN_ED25519` with software
|
||||
protection level because Google KMS rejects Ed25519 for HSM protection. Google
|
||||
KMS also rejects normal macOS release archives as direct Ed25519 messages, so
|
||||
the tester pipeline signs full-size Sparkle archives with Sparkle's
|
||||
`sign_update` and the decrypted `SPARKLE_EDDSA_KEY_PATH` release secret until
|
||||
a compatible KMS-backed Sparkle signing service is introduced. macOS builds
|
||||
embed public EdDSA key `uugZuJeqvvKd91NZ6F1Fv2cQenUbIG/ZW3L9MuaEz30=`.
|
||||
the tester pipeline signs full-size Sparkle archives directly from the
|
||||
decrypted `SPARKLE_EDDSA_KEY_PATH` release seed until a compatible KMS-backed
|
||||
Sparkle signing service is introduced. macOS builds embed public EdDSA key
|
||||
`uugZuJeqvvKd91NZ6F1Fv2cQenUbIG/ZW3L9MuaEz30=`.
|
||||
- Use Namespace labels for platform lanes:
|
||||
- `namespace-profile-linux-medium`
|
||||
- `namespace-profile-macos-large`
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue