burrow/store-metadata/sparkle/README.md
Conrad Kramer 002bd382e9
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
Wire Forge-native release infrastructure
2026-06-07 05:51:12 -07:00

30 lines
962 B
Markdown

# Sparkle Release Channel
Burrow stages Sparkle files under `dist/builds/<build>/sparkle/<channel>/` and
publishes them through `.forgejo/workflows/publish-store-uploads.yml`.
The current implementation prepares the channel and public pointer layout:
- `sparkle/<channel>/appcast.xml`
- `sparkle/appcast.xml`
- `sparkle/default/`
- `sparkle/main-channel.txt`
Sparkle enclosure signatures can be produced with the non-exportable
`sparkle-ed25519` Google KMS key:
```sh
Scripts/sparkle/sign-appcast-kms.py \
--appcast dist/builds/<build>/sparkle/<channel>/appcast.xml \
--artifact-dir dist/builds/<build>/sparkle/<channel>
```
The public EdDSA key embedded in macOS release builds is:
```text
Myv9ZNZT6YGKMtMezh52ra4WqaeEKc4VlvVU0evhJeI=
```
The build lane only signs appcasts when `BURROW_SPARKLE_SIGN_WITH_KMS=true`.
The live Google KMS key uses `EC_SIGN_ED25519` with software protection because
Google KMS rejects Ed25519 for HSM protection level.