From 00691ded7c433145ebf50addb02b3187090dce2a Mon Sep 17 00:00:00 2001 From: George Adams Date: Thu, 4 Jun 2026 15:30:19 +0100 Subject: [PATCH 1/3] Ship .asc signature alongside .sig Recognize both .sig and .asc signature files when scanning build output directories. The .sig extension remains the default for aka.ms links and release URLs; .asc is accepted alongside for compatibility with upstream Go tooling. See https://github.com/microsoft/go/issues/181 --- buildmodel/buildassets/buildassets.go | 38 +++++++++++++++++++-------- 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/buildmodel/buildassets/buildassets.go b/buildmodel/buildassets/buildassets.go index ecb10238..38d1a6db 100644 --- a/buildmodel/buildassets/buildassets.go +++ b/buildmodel/buildassets/buildassets.go @@ -117,9 +117,9 @@ func (b BuildAssets) GoVersion() *goversion.GoVersion { // archiving infra is stored in each release branch to make it local to the code it operates on and // less likely to unintentionally break, so some of that information is duplicated here. var ( - archiveSuffixes = []string{".tar.gz", ".zip"} - checksumSuffix = ".sha256" - signatureSuffix = ".sig" + archiveSuffixes = []string{".tar.gz", ".zip"} + checksumSuffix = ".sha256" + signatureSuffixes = []string{".sig", ".asc"} ) // BuildResultsDirectoryInfo points to locations in the filesystem that contain a Go build from @@ -246,10 +246,24 @@ func (b BuildResultsDirectoryInfo) CreateSummary() (*BuildAssets, error) { continue } - // Is it a signature file? - if associatedName, ok := stringutil.CutSuffix(e.Name(), signatureSuffix); ok { - a := getOrCreateArch(associatedName) + // Is it a signature file? Check .sig and .asc. + // Prefer .sig when both exist (signatureSuffixes is ordered by preference). + var sigAssociatedName string + var isSig bool + for _, suffix := range signatureSuffixes { + if name, ok := stringutil.CutSuffix(e.Name(), suffix); ok { + sigAssociatedName = name + isSig = true + break + } + } + if isSig { + a := getOrCreateArch(sigAssociatedName) + // Skip if we already have a signature URL (e.g. .sig was already found). + if a.PGPSignatureURL != "" { + continue + } a.PGPSignatureURL, err = getURL(e.Name()) if err != nil { return nil, fmt.Errorf("unable to get URL for signature file %q: %w", e.Name(), err) @@ -334,11 +348,13 @@ func (b BuildResultsDirectoryInfo) CreateSummary() (*BuildAssets, error) { // assets.json file should be used for the canonical version information. func CutToolsetFileParts(filename string) (prefix, platform, ext string, ok bool) { for _, archiveExt := range archiveSuffixes { - for _, ext := range []string{ - archiveExt, - archiveExt + checksumSuffix, - archiveExt + signatureSuffix, - } { + var suffixes []string + suffixes = append(suffixes, archiveExt) + suffixes = append(suffixes, archiveExt+checksumSuffix) + for _, sigSuffix := range signatureSuffixes { + suffixes = append(suffixes, archiveExt+sigSuffix) + } + for _, ext := range suffixes { preExt, ok := stringutil.CutSuffix(filename, ext) if !ok { continue From d7fd7aeab9b7ef83fe23978d595116699142bb2c Mon Sep 17 00:00:00 2001 From: George Adams Date: Mon, 15 Jun 2026 16:35:24 -0700 Subject: [PATCH 2/3] Ship both .sig and .asc signatures in parallel Add ASCSignatureURL to the Arch model and update CreateSummary to record .sig and .asc independently so both appear in the build assets JSON and both are shipped as aka.ms shortlinks. --- buildmodel/buildassets/buildassets.go | 36 +++++++++--------- .../buildassets/testdata/1.17-build/bin.txtar | 3 ++ .../1.23dev-missing-publish/bin.txtar | 1 + .../msGo.output.manifest.json | Bin 2492 -> 2628 bytes .../testdata/1.23dev-publish/bin.txtar | 4 ++ .../1.23dev-publish/msGo.output.manifest.json | Bin 11636 -> 12092 bytes .../1.17-build/result.golden.txt | 9 +++-- .../1.23dev-publish/result.golden.txt | 12 ++++-- buildmodel/dockerversions/dockerversions.go | 9 ++++- cmd/releasego/akams_test.go | 2 + cmd/releasego/main.go | 8 ++++ .../Test_createLinkPairs/blob/aka.golden.txt | 6 +++ .../release_studio/aka.golden.txt | 6 +++ 13 files changed, 68 insertions(+), 28 deletions(-) diff --git a/buildmodel/buildassets/buildassets.go b/buildmodel/buildassets/buildassets.go index 38d1a6db..aca3be98 100644 --- a/buildmodel/buildassets/buildassets.go +++ b/buildmodel/buildassets/buildassets.go @@ -117,9 +117,12 @@ func (b BuildAssets) GoVersion() *goversion.GoVersion { // archiving infra is stored in each release branch to make it local to the code it operates on and // less likely to unintentionally break, so some of that information is duplicated here. var ( - archiveSuffixes = []string{".tar.gz", ".zip"} - checksumSuffix = ".sha256" - signatureSuffixes = []string{".sig", ".asc"} + archiveSuffixes = []string{".tar.gz", ".zip"} + checksumSuffix = ".sha256" + // signatureSuffixes are the extensions used to store signatures, in alphabetical order. Both + // formats are produced and shipped: ".asc" is an ASCII-armored PGP signature and ".sig" is its + // binary equivalent. + signatureSuffixes = []string{".asc", ".sig"} ) // BuildResultsDirectoryInfo points to locations in the filesystem that contain a Go build from @@ -246,25 +249,20 @@ func (b BuildResultsDirectoryInfo) CreateSummary() (*BuildAssets, error) { continue } - // Is it a signature file? Check .sig and .asc. - // Prefer .sig when both exist (signatureSuffixes is ordered by preference). - var sigAssociatedName string - var isSig bool - for _, suffix := range signatureSuffixes { - if name, ok := stringutil.CutSuffix(e.Name(), suffix); ok { - sigAssociatedName = name - isSig = true - break + // Is it a .sig (binary PGP) signature file? + if sigName, ok := stringutil.CutSuffix(e.Name(), ".sig"); ok { + a := getOrCreateArch(sigName) + a.PGPSignatureURL, err = getURL(e.Name()) + if err != nil { + return nil, fmt.Errorf("unable to get URL for signature file %q: %w", e.Name(), err) } + continue } - if isSig { - a := getOrCreateArch(sigAssociatedName) - // Skip if we already have a signature URL (e.g. .sig was already found). - if a.PGPSignatureURL != "" { - continue - } - a.PGPSignatureURL, err = getURL(e.Name()) + // Is it a .asc (ASCII-armored PGP) signature file? + if ascName, ok := stringutil.CutSuffix(e.Name(), ".asc"); ok { + a := getOrCreateArch(ascName) + a.ASCSignatureURL, err = getURL(e.Name()) if err != nil { return nil, fmt.Errorf("unable to get URL for signature file %q: %w", e.Name(), err) } diff --git a/buildmodel/buildassets/testdata/1.17-build/bin.txtar b/buildmodel/buildassets/testdata/1.17-build/bin.txtar index 00782b82..270b3464 100644 --- a/buildmodel/buildassets/testdata/1.17-build/bin.txtar +++ b/buildmodel/buildassets/testdata/1.17-build/bin.txtar @@ -6,11 +6,14 @@ files have been truncated to have no content. -- go.linux-amd64.tar.gz.sha256 -- 0000000000000000000000000000000000000000000000000000000000000000 go.linux-amd64.tar.gz -- go.linux-amd64.tar.gz.sig -- +-- go.linux-amd64.tar.gz.asc -- -- go.linux-arm64.tar.gz -- -- go.linux-arm64.tar.gz.sha256 -- 0000000000000000000000000000000000000000000000000000000000000000 go.linux-arm64.tar.gz -- go.linux-arm64.tar.gz.sig -- +-- go.linux-arm64.tar.gz.asc -- -- go.linux-armv6l.tar.gz -- -- go.linux-armv6l.tar.gz.sha256 -- 0000000000000000000000000000000000000000000000000000000000000000 go.linux-armv6l.tar.gz -- go.linux-armv6l.tar.gz.sig -- +-- go.linux-armv6l.tar.gz.asc -- diff --git a/buildmodel/buildassets/testdata/1.23dev-missing-publish/bin.txtar b/buildmodel/buildassets/testdata/1.23dev-missing-publish/bin.txtar index f327ca72..ae9ea9ec 100644 --- a/buildmodel/buildassets/testdata/1.23dev-missing-publish/bin.txtar +++ b/buildmodel/buildassets/testdata/1.23dev-missing-publish/bin.txtar @@ -7,6 +7,7 @@ manifest doesn't have a matching entry. The summary creation process should dete -- go1.23-0def9d5c-20240709.2.src.tar.gz.sha256 -- e18be7a50671fa8fce652bf58cb5e0960b2ebcd064d526c7616274ad3799a1cf go1.23-0def9d5c-20240709.2.src.tar.gz -- go1.23-0def9d5c-20240709.2.src.tar.gz.sig -- +-- go1.23-0def9d5c-20240709.2.src.tar.gz.asc -- -- go1.23-0def9d5c-20240709.2.windows-amd64.zip -- -- go1.23-0def9d5c-20240709.2.windows-amd64.zip.sha256 -- cd6a8dc304f80147155fb3aded2e714238a4a7f939fb57e47f4b75281e662555 go1.23-0def9d5c-20240709.2.windows-amd64.zip diff --git a/buildmodel/buildassets/testdata/1.23dev-missing-publish/msGo.output.manifest.json b/buildmodel/buildassets/testdata/1.23dev-missing-publish/msGo.output.manifest.json index 173d6d26a9f16184bd5775a9aefad9dc881ffe75..ae1dc3a7bb401190f3e557a78ec32630b739da0a 100644 GIT binary patch delta 238 zcmdlZd_;u#|G(;qtg4LB6BC6Qt0yK(Pn;n!aZ|*^B&o?6EFzO57~4Qh8&_;DsO n6f-0ivPYQp|G#Pm-igertO^X#47`&MGD%NP;NSvbW}pNze`0{bub+Gp4ixC(qxnaP<6me zfRPub2*hDG##a!BQZuLO3JxTR4{%8^OKZxSfmh+#L%RvX1ANbsZ}87EZB Oz{Q{dg|R?(Edu~{DpB_U literal 11636 zcmeI2OK&1a6oqRYDgPm29Y3I(*X)3XWfUpODw>7IuZd*FBioaS9L--(@_ltp0x_}2 zKrigJTJ)o;sHUs$;hcM_{`&Ke^lkbkeRsFD(vRs=dY3NJujx9yPp9c5wbGkh`^!qp z#Wx;0uJ-*<%m3E3(u`kl!To=FFZ|WX~?mgjw$I- z)=4G%KA&N3xzE#FQM;dR=}cEUUOoIcRzl4n0*B!9~h^NFhqTHO#u zCzM=LGv|0rf0vYB@}_PmJLYV@rk?}uaYcEXXDoQez5G;rd3^T%DfLMYc# zF|mw`#oK=9_+^7AdJYI#j_%##q|H0*@@9?Q0nuF%&tjrYtdDZE7nD`B5=Ek^V(88ITMLz$>~`8XNy>_?2su2Hfa7q3{k-7=Ea zv&fVP9o!*e#Ctp>!WY;W5X}>!yGOZ>_W-e6o#^E>0#HB_c>H1X6;bdR+A> zA5kL{4cTNH(em=qampAKjL0t0(R#9)c<$VxUi<*({|;lTujc519!lW8-dg_G*gc!5 z`KtVpMbv>kqIr@rAZLh=KHDVYLu9F&0$C-kW^5ur7Lp$d+D$VOWENSqgXd! zZ+m-t`FJVNb!Uvxrg+&bQkupuUpGqIMcaDDY3F}_vkzH7G>zbfK6@Ev5$9$eq0Qup$4qV=b;#RWu5h-Q?G{ezcEyoxxTqf0YYSlE(p*SGrJEh zCJX7D>Gy?x(>IV`Y$Ipsl*vQ7Y!yh-ZO~t{l@5cg+~lzM)^@D=9GtTw#^H=7-yH)z z9w)C@x<5wSMcR7(Rua{^#QMlGP2?qVhdk7wRA(TVMXe^XRCB>qDm0ax>TgURVy8=+ zk}DBs#v?XM%2a-$Q}(i6hoNc&3!UOU*NdK}tG78>=6$@>IbWl{tbe9I7PBtSBdOea z#JO5cpIIh}_*akVE{hn^;!KY@jM&QL|Zc@8A(sUIZ!dC4vhKrsJE?N_jb?p95SEd{N%14 z*lZQasxQ0#U$%ML?Q@>}i8UeDc?Rg;k-4SrBQD(a$|{-N&-|#SIz)Q-Z|40|u63Dp z-t?}=oQWv26(iovC{_g&;G>gyNNlL&f~ms6)|ng8LcUT1+A`3jlP&)2>*ZtT5YNEb zv`w+|^eAZ>?>s(2+eO)W$H2V3M})iXEI3CGL4_4LjgD*NECsD1JJJVm9fC}v(+~%^uW#Wfc9Mm=6V}2jb zmvJqJxV}Iyz#1_m2gQm5IV0RO|3PON2WqwOs`aO!ue*>POJ!=2} diff --git a/buildmodel/buildassets/testdata/TestBuildResultsDirectoryInfo_GoldenCreateSummary/1.17-build/result.golden.txt b/buildmodel/buildassets/testdata/TestBuildResultsDirectoryInfo_GoldenCreateSummary/1.17-build/result.golden.txt index 25a6afd0..5ea9eb22 100644 --- a/buildmodel/buildassets/testdata/TestBuildResultsDirectoryInfo_GoldenCreateSummary/1.17-build/result.golden.txt +++ b/buildmodel/buildassets/testdata/TestBuildResultsDirectoryInfo_GoldenCreateSummary/1.17-build/result.golden.txt @@ -11,7 +11,8 @@ "sha256": "0000000000000000000000000000000000000000000000000000000000000000", "url": "https://example.org/go.linux-amd64.tar.gz", "sha256ChecksumUrl": "https://example.org/go.linux-amd64.tar.gz.sha256", - "pgpSignatureUrl": "https://example.org/go.linux-amd64.tar.gz.sig" + "pgpSignatureUrl": "https://example.org/go.linux-amd64.tar.gz.sig", + "ascSignatureUrl": "https://example.org/go.linux-amd64.tar.gz.asc" }, { "env": { @@ -21,7 +22,8 @@ "sha256": "0000000000000000000000000000000000000000000000000000000000000000", "url": "https://example.org/go.linux-arm64.tar.gz", "sha256ChecksumUrl": "https://example.org/go.linux-arm64.tar.gz.sha256", - "pgpSignatureUrl": "https://example.org/go.linux-arm64.tar.gz.sig" + "pgpSignatureUrl": "https://example.org/go.linux-arm64.tar.gz.sig", + "ascSignatureUrl": "https://example.org/go.linux-arm64.tar.gz.asc" }, { "env": { @@ -32,7 +34,8 @@ "sha256": "0000000000000000000000000000000000000000000000000000000000000000", "url": "https://example.org/go.linux-armv6l.tar.gz", "sha256ChecksumUrl": "https://example.org/go.linux-armv6l.tar.gz.sha256", - "pgpSignatureUrl": "https://example.org/go.linux-armv6l.tar.gz.sig" + "pgpSignatureUrl": "https://example.org/go.linux-armv6l.tar.gz.sig", + "ascSignatureUrl": "https://example.org/go.linux-armv6l.tar.gz.asc" } ], "goSrcURL": "", diff --git a/buildmodel/buildassets/testdata/TestBuildResultsDirectoryInfo_GoldenCreateSummary/1.23dev-publish/result.golden.txt b/buildmodel/buildassets/testdata/TestBuildResultsDirectoryInfo_GoldenCreateSummary/1.23dev-publish/result.golden.txt index 98b1138d..1020b3ef 100644 --- a/buildmodel/buildassets/testdata/TestBuildResultsDirectoryInfo_GoldenCreateSummary/1.23dev-publish/result.golden.txt +++ b/buildmodel/buildassets/testdata/TestBuildResultsDirectoryInfo_GoldenCreateSummary/1.23dev-publish/result.golden.txt @@ -12,7 +12,8 @@ "sha256": "11cb59a7da47abfdb8b88be7339d97ce1e9e0ca3ebd8e0fbdc1cfde73d547279", "url": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/4f51/go1.23-0def9d5c-20240709.2.linux-armv6l.tar.gz", "sha256ChecksumUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/3df7/go1.23-0def9d5c-20240709.2.linux-armv6l.tar.gz.sha256", - "pgpSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/c211/go1.23-0def9d5c-20240709.2.linux-armv6l.tar.gz.sig" + "pgpSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/c211/go1.23-0def9d5c-20240709.2.linux-armv6l.tar.gz.sig", + "ascSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/c211/go1.23-0def9d5c-20240709.2.linux-armv6l.tar.gz.asc" }, { "env": { @@ -31,7 +32,8 @@ "sha256": "4d43335c30e564053b32a0f4489eeaf399d49fe5a201961a573e42234201e5d3", "url": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/c226/go1.23-0def9d5c-20240709.2.linux-amd64.tar.gz", "sha256ChecksumUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/3507/go1.23-0def9d5c-20240709.2.linux-amd64.tar.gz.sha256", - "pgpSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/20eb/go1.23-0def9d5c-20240709.2.linux-amd64.tar.gz.sig" + "pgpSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/20eb/go1.23-0def9d5c-20240709.2.linux-amd64.tar.gz.sig", + "ascSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/20eb/go1.23-0def9d5c-20240709.2.linux-amd64.tar.gz.asc" }, { "env": { @@ -41,13 +43,15 @@ "sha256": "4ff938e9b8bafe42809d441ec288679fb9759b34a5c4b162e0e4c335ecb4bcdd", "url": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/cee0/go1.23-0def9d5c-20240709.2.linux-arm64.tar.gz", "sha256ChecksumUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/a6f0/go1.23-0def9d5c-20240709.2.linux-arm64.tar.gz.sha256", - "pgpSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/c815f/go1.23-0def9d5c-20240709.2.linux-arm64.tar.gz.sig" + "pgpSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/c815f/go1.23-0def9d5c-20240709.2.linux-arm64.tar.gz.sig", + "ascSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/c815f/go1.23-0def9d5c-20240709.2.linux-arm64.tar.gz.asc" }, { "sha256": "e18be7a50671fa8fce652bf58cb5e0960b2ebcd064d526c7616274ad3799a1cf", "url": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/e035/go1.23-0def9d5c-20240709.2.src.tar.gz", "sha256ChecksumUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/85a9/go1.23-0def9d5c-20240709.2.src.tar.gz.sha256", - "pgpSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/eb070/go1.23-0def9d5c-20240709.2.src.tar.gz.sig" + "pgpSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/eb070/go1.23-0def9d5c-20240709.2.src.tar.gz.sig", + "ascSignatureUrl": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/eb070/go1.23-0def9d5c-20240709.2.src.tar.gz.asc" } ], "goSrcURL": "https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/e035/go1.23-0def9d5c-20240709.2.src.tar.gz", diff --git a/buildmodel/dockerversions/dockerversions.go b/buildmodel/dockerversions/dockerversions.go index 591f7126..3d21c781 100644 --- a/buildmodel/dockerversions/dockerversions.go +++ b/buildmodel/dockerversions/dockerversions.go @@ -85,11 +85,16 @@ type Arch struct { // If not specified, the file can be reached by appending ".sha256" to the URL. SHA256ChecksumURL string `json:"sha256ChecksumUrl,omitempty"` - // PGPSignatureURL is the URL of a PGP signature file for this artifact, commonly verified using - // the "gpg" tool. + // PGPSignatureURL is the URL of a binary PGP signature file (.sig) for this artifact, commonly + // verified using the "gpg" tool. // // If not specified, the file can be reached by appending ".sig" to the URL. PGPSignatureURL string `json:"pgpSignatureUrl,omitempty"` + + // ASCSignatureURL is the URL of an ASCII-armored PGP signature file (.asc) for this artifact. + // + // If not specified, the file can be reached by appending ".asc" to the URL. + ASCSignatureURL string `json:"ascSignatureUrl,omitempty"` } // ArchEnv is the environment an artifact is expected to be useful in. diff --git a/cmd/releasego/akams_test.go b/cmd/releasego/akams_test.go index 02eb3924..819d467e 100644 --- a/cmd/releasego/akams_test.go +++ b/cmd/releasego/akams_test.go @@ -43,11 +43,13 @@ func Test_createLinkPairs(t *testing.T) { URL: "https://download.visualstudio.microsoft.com/download/pr/8330ba2b/333aa/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz", SHA256ChecksumURL: "https://download.visualstudio.microsoft.com/download/pr/8330ba2b/87654/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.sha256", PGPSignatureURL: "https://download.visualstudio.microsoft.com/download/pr/8330ba2b/12345/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.sig", + ASCSignatureURL: "https://download.visualstudio.microsoft.com/download/pr/8330ba2b/12346/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.asc", }, { URL: "https://download.visualstudio.microsoft.com/download/pr/8330ba2b/3b32d/go1.23-90bcc55-20240626.1.src.tar.gz", SHA256ChecksumURL: "https://download.visualstudio.microsoft.com/download/pr/8330ba2b/66dda/go1.23-90bcc55-20240626.1.src.tar.gz.sha256", PGPSignatureURL: "https://download.visualstudio.microsoft.com/download/pr/8330ba2b/af253/go1.23-90bcc55-20240626.1.src.tar.gz.sig", + ASCSignatureURL: "https://download.visualstudio.microsoft.com/download/pr/8330ba2b/af254/go1.23-90bcc55-20240626.1.src.tar.gz.asc", }, }, GoSrcURL: "https://download.visualstudio.microsoft.com/download/pr/8330ba2b/3b32d/go1.23-90bcc55-20240626.1.src.tar.gz", diff --git a/cmd/releasego/main.go b/cmd/releasego/main.go index 6f2d5f53..77bca22d 100644 --- a/cmd/releasego/main.go +++ b/cmd/releasego/main.go @@ -47,6 +47,7 @@ func appendPathAndVerificationFilePaths(p []string, path string) []string { p = append(p, path, path+".sha256") if strings.HasSuffix(path, ".tar.gz") { p = append(p, path+".sig") + p = append(p, path+".asc") } return p } @@ -78,6 +79,13 @@ func appendReleaseURLs(urls []string, assets *buildassets.BuildAssets, assetJSON } else { urls = append(urls, a.PGPSignatureURL) } + if a.ASCSignatureURL == "" { + if strings.HasSuffix(a.URL, ".tar.gz") { + urls = append(urls, a.URL+".asc") + } + } else { + urls = append(urls, a.ASCSignatureURL) + } } if !addedSrc { // If there wasn't a source archive in the "arches" section, apply a URL suffix convention. diff --git a/cmd/releasego/testdata/Test_createLinkPairs/blob/aka.golden.txt b/cmd/releasego/testdata/Test_createLinkPairs/blob/aka.golden.txt index bb39b55e..9a82c531 100644 --- a/cmd/releasego/testdata/Test_createLinkPairs/blob/aka.golden.txt +++ b/cmd/releasego/testdata/Test_createLinkPairs/blob/aka.golden.txt @@ -1,21 +1,27 @@ testing/go1.17.linux-amd64.tar.gz -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz testing/go1.17.linux-amd64.tar.gz.sha256 -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz.sha256 testing/go1.17.linux-amd64.tar.gz.sig -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz.sig +testing/go1.17.linux-amd64.tar.gz.asc -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz.asc testing/go1.17.src.tar.gz -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz testing/go1.17.src.tar.gz.sha256 -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz.sha256 testing/go1.17.src.tar.gz.sig -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz.sig +testing/go1.17.src.tar.gz.asc -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz.asc testing/go1.17.assets.json -> https://example.org/golang/build/1234.10/assets.json testing/go1.17.7.linux-amd64.tar.gz -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz testing/go1.17.7.linux-amd64.tar.gz.sha256 -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz.sha256 testing/go1.17.7.linux-amd64.tar.gz.sig -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz.sig +testing/go1.17.7.linux-amd64.tar.gz.asc -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz.asc testing/go1.17.7.src.tar.gz -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz testing/go1.17.7.src.tar.gz.sha256 -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz.sha256 testing/go1.17.7.src.tar.gz.sig -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz.sig +testing/go1.17.7.src.tar.gz.asc -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz.asc testing/go1.17.7.assets.json -> https://example.org/golang/build/1234.10/assets.json testing/go1.17.7-1.linux-amd64.tar.gz -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz testing/go1.17.7-1.linux-amd64.tar.gz.sha256 -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz.sha256 testing/go1.17.7-1.linux-amd64.tar.gz.sig -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz.sig +testing/go1.17.7-1.linux-amd64.tar.gz.asc -> https://example.org/golang/build/1234.10/go.1234.10.linux-amd64.tar.gz.asc testing/go1.17.7-1.src.tar.gz -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz testing/go1.17.7-1.src.tar.gz.sha256 -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz.sha256 testing/go1.17.7-1.src.tar.gz.sig -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz.sig +testing/go1.17.7-1.src.tar.gz.asc -> https://example.org/golang/build/1234.10/go.1234.10.src.tar.gz.asc testing/go1.17.7-1.assets.json -> https://example.org/golang/build/1234.10/assets.json diff --git a/cmd/releasego/testdata/Test_createLinkPairs/release_studio/aka.golden.txt b/cmd/releasego/testdata/Test_createLinkPairs/release_studio/aka.golden.txt index bae17559..4990344a 100644 --- a/cmd/releasego/testdata/Test_createLinkPairs/release_studio/aka.golden.txt +++ b/cmd/releasego/testdata/Test_createLinkPairs/release_studio/aka.golden.txt @@ -3,25 +3,31 @@ testing/go1.22.windows-amd64.zip.sha256 -> https://download.visualstudio.mi testing/go1.22.linux-amd64.tar.gz -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/333aa/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz testing/go1.22.linux-amd64.tar.gz.sha256 -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/87654/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.sha256 testing/go1.22.linux-amd64.tar.gz.sig -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/12345/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.sig +testing/go1.22.linux-amd64.tar.gz.asc -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/12346/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.asc testing/go1.22.src.tar.gz -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/3b32d/go1.23-90bcc55-20240626.1.src.tar.gz testing/go1.22.src.tar.gz.sha256 -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/66dda/go1.23-90bcc55-20240626.1.src.tar.gz.sha256 testing/go1.22.src.tar.gz.sig -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/af253/go1.23-90bcc55-20240626.1.src.tar.gz.sig +testing/go1.22.src.tar.gz.asc -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/af254/go1.23-90bcc55-20240626.1.src.tar.gz.asc testing/go1.22.assets.json -> https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/3df7/assets.json testing/go1.22.3.windows-amd64.zip -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/62f44/go1.23-90bcc55-20240626.1.windows-amd64.zip testing/go1.22.3.windows-amd64.zip.sha256 -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/41bc5/go1.23-90bcc55-20240626.1.windows-amd64.zip.sha256 testing/go1.22.3.linux-amd64.tar.gz -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/333aa/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz testing/go1.22.3.linux-amd64.tar.gz.sha256 -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/87654/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.sha256 testing/go1.22.3.linux-amd64.tar.gz.sig -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/12345/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.sig +testing/go1.22.3.linux-amd64.tar.gz.asc -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/12346/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.asc testing/go1.22.3.src.tar.gz -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/3b32d/go1.23-90bcc55-20240626.1.src.tar.gz testing/go1.22.3.src.tar.gz.sha256 -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/66dda/go1.23-90bcc55-20240626.1.src.tar.gz.sha256 testing/go1.22.3.src.tar.gz.sig -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/af253/go1.23-90bcc55-20240626.1.src.tar.gz.sig +testing/go1.22.3.src.tar.gz.asc -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/af254/go1.23-90bcc55-20240626.1.src.tar.gz.asc testing/go1.22.3.assets.json -> https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/3df7/assets.json testing/go1.22.3-1.windows-amd64.zip -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/62f44/go1.23-90bcc55-20240626.1.windows-amd64.zip testing/go1.22.3-1.windows-amd64.zip.sha256 -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/41bc5/go1.23-90bcc55-20240626.1.windows-amd64.zip.sha256 testing/go1.22.3-1.linux-amd64.tar.gz -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/333aa/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz testing/go1.22.3-1.linux-amd64.tar.gz.sha256 -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/87654/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.sha256 testing/go1.22.3-1.linux-amd64.tar.gz.sig -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/12345/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.sig +testing/go1.22.3-1.linux-amd64.tar.gz.asc -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/12346/go1.23-90bcc55-20240626.1.linux-amd64.tar.gz.asc testing/go1.22.3-1.src.tar.gz -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/3b32d/go1.23-90bcc55-20240626.1.src.tar.gz testing/go1.22.3-1.src.tar.gz.sha256 -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/66dda/go1.23-90bcc55-20240626.1.src.tar.gz.sha256 testing/go1.22.3-1.src.tar.gz.sig -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/af253/go1.23-90bcc55-20240626.1.src.tar.gz.sig +testing/go1.22.3-1.src.tar.gz.asc -> https://download.visualstudio.microsoft.com/download/pr/8330ba2b/af254/go1.23-90bcc55-20240626.1.src.tar.gz.asc testing/go1.22.3-1.assets.json -> https://download.visualstudio.microsoft.com/download/pr/1234-56-78-123456/3df7/assets.json From 189a6b343a671d8110b09585b09aa9f1fe86c186 Mon Sep 17 00:00:00 2001 From: George Adams Date: Wed, 8 Jul 2026 13:05:51 +0100 Subject: [PATCH 3/3] fix comments --- buildmodel/buildassets/buildassets.go | 8 ++++---- buildmodel/dockerversions/dockerversions.go | 5 +++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/buildmodel/buildassets/buildassets.go b/buildmodel/buildassets/buildassets.go index aca3be98..b7a285ec 100644 --- a/buildmodel/buildassets/buildassets.go +++ b/buildmodel/buildassets/buildassets.go @@ -120,8 +120,8 @@ var ( archiveSuffixes = []string{".tar.gz", ".zip"} checksumSuffix = ".sha256" // signatureSuffixes are the extensions used to store signatures, in alphabetical order. Both - // formats are produced and shipped: ".asc" is an ASCII-armored PGP signature and ".sig" is its - // binary equivalent. + // hold identical content (the same PGP signature file); we publish it under both extensions so + // consumers can find it by whichever name they expect. Both are produced and shipped. signatureSuffixes = []string{".asc", ".sig"} ) @@ -249,7 +249,7 @@ func (b BuildResultsDirectoryInfo) CreateSummary() (*BuildAssets, error) { continue } - // Is it a .sig (binary PGP) signature file? + // Is it a .sig signature file? if sigName, ok := stringutil.CutSuffix(e.Name(), ".sig"); ok { a := getOrCreateArch(sigName) a.PGPSignatureURL, err = getURL(e.Name()) @@ -259,7 +259,7 @@ func (b BuildResultsDirectoryInfo) CreateSummary() (*BuildAssets, error) { continue } - // Is it a .asc (ASCII-armored PGP) signature file? + // Is it a .asc signature file? Identical content to .sig, published under both names. if ascName, ok := stringutil.CutSuffix(e.Name(), ".asc"); ok { a := getOrCreateArch(ascName) a.ASCSignatureURL, err = getURL(e.Name()) diff --git a/buildmodel/dockerversions/dockerversions.go b/buildmodel/dockerversions/dockerversions.go index 3d21c781..930ec1a4 100644 --- a/buildmodel/dockerversions/dockerversions.go +++ b/buildmodel/dockerversions/dockerversions.go @@ -85,13 +85,14 @@ type Arch struct { // If not specified, the file can be reached by appending ".sha256" to the URL. SHA256ChecksumURL string `json:"sha256ChecksumUrl,omitempty"` - // PGPSignatureURL is the URL of a binary PGP signature file (.sig) for this artifact, commonly + // PGPSignatureURL is the URL of a PGP signature file (.sig) for this artifact, commonly // verified using the "gpg" tool. // // If not specified, the file can be reached by appending ".sig" to the URL. PGPSignatureURL string `json:"pgpSignatureUrl,omitempty"` - // ASCSignatureURL is the URL of an ASCII-armored PGP signature file (.asc) for this artifact. + // ASCSignatureURL is the URL of a .asc copy of the PGP signature for this artifact. It holds + // identical content to the .sig file, published under the ".asc" name that some tools expect. // // If not specified, the file can be reached by appending ".asc" to the URL. ASCSignatureURL string `json:"ascSignatureUrl,omitempty"`