Sign Sparkle appcasts in Python
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 3m4s
Build Rust / Cargo Test (push) Successful in 4m5s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Successful in 3m4s
Build Rust / Cargo Test (push) Successful in 4m5s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 4s
Lint Governance / BEP Metadata (push) Successful in 1s
This commit is contained in:
parent
1ef6fedeaf
commit
640d4693ac
5 changed files with 35 additions and 26 deletions
|
|
@ -85,9 +85,9 @@ Sparkle appcasts keep `sparkle-ed25519`, a Google KMS key with algorithm
|
|||
`EC_SIGN_ED25519` and software protection level, for small signing probes and
|
||||
future signing-service work. Google KMS rejects Ed25519 at HSM protection level
|
||||
and also rejects full-size macOS release archives as direct Ed25519 messages.
|
||||
The tester pipeline therefore signs normal Sparkle archives with Sparkle's
|
||||
`sign_update` and the decrypted `SPARKLE_EDDSA_KEY_PATH` release secret so the
|
||||
appcast contains the standard full-archive EdDSA signature Sparkle verifies.
|
||||
The tester pipeline therefore signs normal Sparkle archives directly from the
|
||||
decrypted `SPARKLE_EDDSA_KEY_PATH` release seed so the appcast contains the
|
||||
standard full-archive EdDSA signature Sparkle verifies.
|
||||
|
||||
The public EdDSA key embedded in macOS release builds is:
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue