Sign Sparkle appcasts in Python
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 3m4s
Build Rust / Cargo Test (push) Successful in 4m5s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 16:56:18 -07:00
parent 1ef6fedeaf
commit 640d4693ac
5 changed files with 35 additions and 26 deletions

View file

@ -145,10 +145,10 @@ The same change also makes the forge itself the release authority: release tags
and future signing-service work. It uses `EC_SIGN_ED25519` with software
protection level because Google KMS rejects Ed25519 for HSM protection. Google
KMS also rejects normal macOS release archives as direct Ed25519 messages, so
the tester pipeline signs full-size Sparkle archives with Sparkle's
`sign_update` and the decrypted `SPARKLE_EDDSA_KEY_PATH` release secret until
a compatible KMS-backed Sparkle signing service is introduced. macOS builds
embed public EdDSA key `uugZuJeqvvKd91NZ6F1Fv2cQenUbIG/ZW3L9MuaEz30=`.
the tester pipeline signs full-size Sparkle archives directly from the
decrypted `SPARKLE_EDDSA_KEY_PATH` release seed until a compatible KMS-backed
Sparkle signing service is introduced. macOS builds embed public EdDSA key
`uugZuJeqvvKd91NZ6F1Fv2cQenUbIG/ZW3L9MuaEz30=`.
- Use Namespace labels for platform lanes:
- `namespace-profile-linux-medium`
- `namespace-profile-macos-large`