Sign Sparkle appcasts in Python
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 3m4s
Build Rust / Cargo Test (push) Successful in 4m5s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 16:56:18 -07:00
parent 1ef6fedeaf
commit 640d4693ac
5 changed files with 35 additions and 26 deletions

View file

@ -85,9 +85,9 @@ Sparkle appcasts keep `sparkle-ed25519`, a Google KMS key with algorithm
`EC_SIGN_ED25519` and software protection level, for small signing probes and
future signing-service work. Google KMS rejects Ed25519 at HSM protection level
and also rejects full-size macOS release archives as direct Ed25519 messages.
The tester pipeline therefore signs normal Sparkle archives with Sparkle's
`sign_update` and the decrypted `SPARKLE_EDDSA_KEY_PATH` release secret so the
appcast contains the standard full-archive EdDSA signature Sparkle verifies.
The tester pipeline therefore signs normal Sparkle archives directly from the
decrypted `SPARKLE_EDDSA_KEY_PATH` release seed so the appcast contains the
standard full-archive EdDSA signature Sparkle verifies.
The public EdDSA key embedded in macOS release builds is: