Skip to content

Add GPG signing to macOS binary zip builds#5290

Open
PlatCore wants to merge 1 commit intomasterfrom
PlatCore/5161-add-signing-macos-binaries
Open

Add GPG signing to macOS binary zip builds#5290
PlatCore wants to merge 1 commit intomasterfrom
PlatCore/5161-add-signing-macos-binaries

Conversation

@PlatCore
Copy link
Copy Markdown
Contributor

@PlatCore PlatCore commented Apr 16, 2026
edited
Loading

Why this should be merged

macOS binary zips are uploaded to S3 unsigned. This adds detached GPG signatures (.zip.sig), matching the linux tarball and RPM signing pipelines.

Closes #5161

Note: When RPM_GPG_PRIVATE_KEY is unset or empty, unsigned zips are silently published to S3. This matches linux tarball behavior.

How this works

  • New build-zip-pkg.sh: GPG setup, zip creation, signing, S3 upload. No-op when no key is provided.
  • build-macos-release.yml: GPG key import, script call, .sig in artifacts.

How this was tested

  • No GPG key: zips produced unsigned (backward compat)
  • With GPG key: .sig files produced, gpg --verify passes
  • Empty key file: signing skipped (fork scenario)

Need to be documented in RELEASES.md?

No

@PlatCore PlatCore self-assigned this Apr 16, 2026
@PlatCore PlatCore added ci This focuses on changes to the CI process devinfra labels Apr 16, 2026
@PlatCore PlatCore moved this to In Progress 🏗️ in avalanchego Apr 16, 2026
@PlatCore PlatCore force-pushed the PlatCore/5161-add-signing-macos-binaries branch from 0f7d199 to 05fafb7 Compare April 16, 2026 18:32
@PlatCore PlatCore marked this pull request as ready for review April 16, 2026 19:06
@PlatCore PlatCore requested a review from a team as a code owner April 16, 2026 19:06
@PlatCore PlatCore requested a review from maru-ava April 16, 2026 19:06
@PlatCore
Add GPG signing to macOS binary zip builds
a0f5e32 
Add detached GPG signatures (.sig) to the macOS packaging pipeline,
reusing the same key infrastructure as RPM and linux tarball signing.
Extract inline zip/upload steps into build-zip-pkg.sh script.
@PlatCore PlatCore force-pushed the PlatCore/5161-add-signing-macos-binaries branch from 05fafb7 to a0f5e32 Compare April 27, 2026 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maru-ava maru-ava Awaiting requested review from maru-ava

At least 2 approving reviews are required to merge this pull request.

Assignees

@PlatCore PlatCore

Labels

ci This focuses on changes to the CI process devinfra

Projects

avalanchego
Status: In Progress 🏗️

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Update the macos binary workflow to ensure notorization

1 participant

@PlatCore