Add GPG signing to macOS binary zip builds #5290

Open

PlatCore wants to merge 1 commit into master from PlatCore/5161-add-signing-macos-binaries

Conversation


@PlatCore PlatCore commented Apr 16, 2026

Why this should be merged

macOS binary zips are uploaded to S3 unsigned. This adds detached GPG signatures (.zip.sig), matching the Linux tarball and RPM signing pipelines.

Closes #5161

Note: When RPM_GPG_PRIVATE_KEY is unset or empty, unsigned zips are silently published to S3. This matches Linux tarball behavior.

How this works

  • New build-zip-pkg.sh: GPG setup, zip creation, signing, S3 upload. No-op when no key is provided.
  • build-macos-release.yml: GPG key import, script call, .sig in artifacts.

How this was tested

  • No GPG key: zips produced unsigned (backward compat)
  • With GPG key: .sig files produced, gpg --verify passes
  • Empty key file: signing skipped (fork scenario)

Need to be documented in RELEASES.md?

No
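As an added example (not the PR's build-zip-pkg.sh, whose contents are not shown on this page), here is a minimal shell implementation of the signing step the description outlines: a throwaway GNUPGHOME for the imported key, the no-op path when RPM_GPG_PRIVATE_KEY is unset or empty, a detached .zip.sig beside the zip, and a verify step that fails the job if the fresh signature does not check out. It assumes RPM_GPG_PRIVATE_KEY carries an ASCII-armored, passphrase-less private key and a GnuPG 2.1+ binary on the runner; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example modelled on the PR description; not the project's build-zip-pkg.sh.
# Assumptions: RPM_GPG_PRIVATE_KEY holds an ASCII-armored private key without a
# passphrase (or is empty), and gpg 2.1+ is installed.
set -eu

# Import the release key into an isolated keyring so the runner's default
# ~/.gnupg is never touched. Prints the GNUPGHOME path for the caller to clean up.
setup_gpg_home() {
  home="$(mktemp -d /tmp/gnupg.XXXXXX)"
  chmod 700 "$home"
  printf '%s\n' "$RPM_GPG_PRIVATE_KEY" | GNUPGHOME="$home" gpg --batch --quiet --import
  printf '%s\n' "$home"
}

# Write a detached binary signature to "<zip>.sig".
# When no key is configured this returns 0 and creates no .sig (the PR's no-op
# path), so a caller can distinguish "skipped" from "failed" by checking for the file.
sign_zip() {
  zip="$1"
  if [ -z "${RPM_GPG_PRIVATE_KEY:-}" ]; then
    echo "RPM_GPG_PRIVATE_KEY unset or empty; publishing $zip unsigned" >&2
    return 0
  fi
  gpghome="$(setup_gpg_home)"
  GNUPGHOME="$gpghome" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$zip.sig" "$zip"
  # Verify against the key we just imported before anything is uploaded;
  # a non-zero exit here aborts the job under set -e.
  GNUPGHOME="$gpghome" gpg --batch --quiet --verify "$zip.sig" "$zip"
  GNUPGHOME="$gpghome" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$gpghome"
}
```

In a workflow, `sign_zip "$ZIP"` runs after zip creation and before the S3 upload, and the artifact step picks up `"$ZIP.sig"` only if it exists.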

@PlatCore PlatCore self-assigned this Apr 16, 2026
@PlatCore PlatCore added ci This focuses on changes to the CI process devinfra labels Apr 16, 2026
@PlatCore PlatCore moved this to In Progress 🏗️ in avalanchego Apr 16, 2026
@PlatCore PlatCore force-pushed the PlatCore/5161-add-signing-macos-binaries branch from 0f7d199 to 05fafb7 on April 16, 2026 18:32
@PlatCore PlatCore marked this pull request as ready for review April 16, 2026 19:06
@PlatCore PlatCore requested a review from a team as a code owner April 16, 2026 19:06
@PlatCore PlatCore requested a review from maru-ava April 16, 2026 19:06
Add detached GPG signatures (.sig) to the macOS packaging pipeline,
reusing the same key infrastructure as RPM and linux tarball signing.
Extract inline zip/upload steps into build-zip-pkg.sh script.
@PlatCore PlatCore force-pushed the PlatCore/5161-add-signing-macos-binaries branch from 05fafb7 to a0f5e32 on April 27, 2026 18:52

@maru-ava maru-ava left a comment


I'm not sure I understand the motivation for this PR. Is there a requirement for GPG signing that I somehow missed? AFAIK we care about notarization for macOS binaries, which is something entirely different.


PlatCore commented May 2, 2026

@maru-ava

> Is there a requirement for gpg signing that I somehow missed?

Currently, our GitHub release includes the following macOS artifacts signed with GPG:

curl -s \
  -H "Accept: application/vnd.github+json" \
  https://api.github.com/repos/ava-labs/avalanchego/releases/tags/v1.14.2 \
| jq -r '.assets[] | .name' | grep macos

avalanchego-macos-v1.14.2.zip
avalanchego-macos-v1.14.2.zip.sig
subnet-evm-macos-v1.14.2.zip
subnet-evm-macos-v1.14.2.zip.sig

I match this behavior (/ customers' expectation) in our CI.

The notarization is out of scope of this PR and will be implemented separately.


maru-ava commented May 2, 2026

> The notarization is out of scope of this PR and will be implemented separately.

Fair point that there are separate trust domains involved - notarization for ensuring our binaries can run without jumping through hoops, GPG signing for demonstrating the provenance of the zip file we distribute the binary in.

However, I'm not sure I agree that notarization can be considered out-of-scope. The current manual release process is 'notarize -> zip -> GPG sign' because notarization modifies the binary and that has to happen before the zip is built and signed. What you're proposing is to sign a zip file containing an unnotarized binary. When are you planning to enable the notarization?


Labels: ci (This focuses on changes to the CI process), devinfra

Projects: Status: In Progress 🏗️

Development

Successfully merging this pull request may close these issues:

Update the macOS binary workflow to ensure notarization

2 participants