Use code-sign secrets from a GitHub environment #18295
Merged
zanieb merged 1 commit into zb/cargo-code-sign from Mar 6, 2026
52d16f0 to ed0f65e
Instead of generating test secrets in the workflow itself
ed0f65e to 7612712
zanieb commented Mar 5, 2026
| # the same format. | ||
| # --------------------------------------------------------------------------- | ||
|
|
||
| openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \ |
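Review bot: on the `openssl req` line, `-nodes` leaves the generated private key unencrypted on disk and `-days 3650` gives the certificate roughly ten years of validity. Both are tolerable for test-only self-signed material, but the script should say so next to this command and should remove the key file once its contents have been stored as an environment secret; a shorter `-days` value would also limit how long a leaked test certificate stays usable.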
Note to self, check https://github.com/astral-sh/uv/pull/18280/changes#r2885801739
woodruffw approved these changes Mar 5, 2026
LGTM! My only concern is/was about the structure of the certs themselves, but since this is for the test-only self-signing certs it's probably not a huge deal if they aren't 100% conformant with Apple's X.509 profile.
zanieb added a commit that referenced this pull request Mar 6, 2026
Instead of generating test secrets in the workflow itself as was done in #18280 for testing. This includes a script to generate self-signed certificates and adds them to the `release-test` environment. We'll populate the real secrets in the `release` environment. We may want a dedicated environment for code-signing secrets? We also may want to sign with the real secrets on `main` or similar.