Skip to content

Ship .asc signature alongside .sig#2348

Open
gdams wants to merge 1 commit into
microsoft/mainfrom
dev/gadams/sig
Open

Ship .asc signature alongside .sig#2348
gdams wants to merge 1 commit into
microsoft/mainfrom
dev/gadams/sig

Conversation

@gdams

@gdams gdams commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Member

Ship an .asc PGP signature file alongside the existing .sig for every archive. The .sig remains the default/primary extension; .asc is produced in parallel for compatibility with upstream Go tooling (e.g. official Dockerfiles).

Fixes #181

Changes

  • sign tool (archive.go): Produce .sig via signing, then copy both .sig and .asc to the destination directory
  • sign tool (sign.go): Test mode handles .sig signature files
  • updatelinktable: No change (.sig remains the advertised suffix)

Companion PR

@gdams gdams requested a review from a team as a code owner June 4, 2026 14:32
Copilot AI review requested due to automatic review settings June 4, 2026 14:32
Copilot AI reviewed Jun 4, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates Microsoft Go’s release tooling to use .asc as the detached PGP signature file extension (matching upstream Go), while keeping .sig available for older toolchains/artifacts for backward compatibility.

Changes:

  • Update updatelinktable to generate signature links ending in .asc.
  • Update sign tool test mode to treat both .asc and .sig as signature files.
  • Update sign tool archive signing to generate .asc signatures and optionally emit a legacy .sig copy for older releases.
Show a summary per file
File Description
eng/_util/cmd/updatelinktable/updatelinktable.go Switch signature URL suffix from .sig to .asc when generating download/link tables.
eng/_util/cmd/sign/sign.go In test signing mode, treat both .sig and .asc outputs as signature placeholders.
eng/_util/cmd/sign/archive.go Generate .asc signature artifacts and conditionally also produce legacy .sig copies.

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Comment thread eng/_util/cmd/sign/archive.go Outdated
@gdams gdams force-pushed the dev/gadams/sig branch from a6a3989 to f453087 Compare June 4, 2026 14:52
dagood
dagood requested changes Jun 4, 2026
View reviewed changes
Comment thread eng/_util/cmd/sign/archive.go Outdated
// Archive names look like "go1.27.linux-amd64.tar.gz" or "go1.26.3.src.tar.gz".
if after, ok := strings.CutPrefix(a.name, "go1."); ok {
if dot := strings.IndexByte(after, '.'); dot > 0 {
if minor, err := strconv.Atoi(after[:dot]); err == nil && minor <= 26 {

@dagood dagood Jun 4, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're in microsoft/go, so we know what version we're building based on what branch we're in. It isn't necessary to parse the version, and simplifying it leaves the intent clearer.

Comment thread eng/_util/cmd/sign/archive.go Outdated
func (a *archive) sigPath() string {
return filepath.Join(a.workDir, a.name+".sig")
// legacySigNeeded reports whether this archive needs a legacy .sig file
// in addition to the .asc file, for backward compatibility with go1.26 and earlier.

@dagood dagood Jun 4, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the plan here is to break it in 1.27? Note that this breaks download tools, not only individual users' workflows. I don't think we should do this break, especially without already establishing simultaneous publishing for a while to allow for time to move.

@dagood dagood Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be clear: I think that publishing both .sig and .asc makes sense. We can then use .asc in our own infra to reduce patching. I don't know if it ever makes sense to stop publishing .sig, though.

.sig is actually a more intuitive extension to slap on our download URLs to get a signature. It might actually be better to treat .asc as a "compatibility" signature, not even the main one.

Users of Go don't even necessarily know about .asc from upstream (my old note on #181):

If I knew Go provided .asc files, I would have followed the naming, but they aren't advertised on the download page. I found out about them because the official golang Dockerfiles use the .asc files to verify the download.

@gdams gdams Jun 12, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed — I've switched this around. .sig stays the default/primary extension and we now ship .asc alongside it for all versions. No version-gating, no breaking change. The companion go-infra PR is updated to match.

@dagood dagood mentioned this pull request Jun 4, 2026
Open
@gdams gdams changed the title Change PGP signature file extension from .sig to .asc Ship .asc signature alongside .sig Jun 12, 2026
@gdams gdams mentioned this pull request Jun 12, 2026
Open
@gdams
Ship .asc signature alongside .sig
317f7d6 
Produce an .asc PGP signature file alongside the existing .sig for every
tar.gz archive. The .sig remains the default/primary extension; .asc is
shipped in parallel for compatibility with upstream Go tooling (e.g.
official Dockerfiles).

Fixes #181
dagood
dagood requested changes Jun 12, 2026
View reviewed changes

@dagood dagood left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than the comment, looks good.

Comment thread eng/_util/cmd/sign/archive.go
// process sends the "tar.gz.sig" file to get a signature, then replaces the "tar.gz.sig"
// file's content in-place with the result. We need to preemptively make a renamed copy of the
// file so we end up with both the original file and sig on the machine.
// Copy the archive file with a ".sig" suffix. The signing process sends this file to get a

@dagood dagood Jun 12, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change makes it ambiguous (there is no archive file with a .sig suffix--yet).

Suggested change
// Copy the archive file with a ".sig" suffix. The signing process sends this file to get a
// Copy the archive file and add a ".sig" suffix. The signing process sends this new file to get a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@dagood dagood dagood requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Rename .sig files to .asc: match upstream Go

3 participants

@gdams @dagood