Change PGP signature file extension from .sig to .asc#2348
Conversation
Align with upstream Go's convention of using .asc for detached PGP signature files. Fixes #181. - sign tool: Always produce .asc, additionally produce .sig for go1.26 and earlier for backward compatibility - sign tool: Test mode handles both .asc and .sig files - updatelinktable: Use .asc as signature suffix for all versions
There was a problem hiding this comment.
Pull request overview
This PR updates Microsoft Go’s release tooling to use .asc as the detached PGP signature file extension (matching upstream Go), while keeping .sig available for older toolchains/artifacts for backward compatibility.
Changes:
- Update
updatelinktableto generate signature links ending in.asc. - Update
signtool test mode to treat both.ascand.sigas signature files. - Update
signtool archive signing to generate.ascsignatures and optionally emit a legacy.sigcopy for older releases.
Show a summary per file
| File | Description |
|---|---|
| eng/_util/cmd/updatelinktable/updatelinktable.go | Switch signature URL suffix from .sig to .asc when generating download/link tables. |
| eng/_util/cmd/sign/sign.go | In test signing mode, treat both .sig and .asc outputs as signature placeholders. |
| eng/_util/cmd/sign/archive.go | Generate .asc signature artifacts and conditionally also produce legacy .sig copies. |
Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 1
| // Archive names look like "go1.27.linux-amd64.tar.gz" or "go1.26.3.src.tar.gz". | ||
| if after, ok := strings.CutPrefix(a.name, "go1."); ok { | ||
| if dot := strings.IndexByte(after, '.'); dot > 0 { | ||
| if minor, err := strconv.Atoi(after[:dot]); err == nil && minor <= 26 { |
There was a problem hiding this comment.
We're in microsoft/go, so we know what version we're building based on what branch we're in. It isn't necessary to parse the version, and simplifying it leaves the intent clearer.
| func (a *archive) sigPath() string { | ||
| return filepath.Join(a.workDir, a.name+".sig") | ||
| // legacySigNeeded reports whether this archive needs a legacy .sig file | ||
| // in addition to the .asc file, for backward compatibility with go1.26 and earlier. |
There was a problem hiding this comment.
So the plan here is to break it in 1.27? Note that this breaks download tools, not only individual users' workflows. I don't think we should do this break, especially without already establishing simultaneous publishing for a while to allow for time to move.
There was a problem hiding this comment.
To be clear: I think that publishing both .sig and .asc makes sense. We can then use .asc in our own infra to reduce patching. I don't know if it ever makes sense to stop publishing .sig, though.
.sig is actually a more intuitive extension to slap on our download URLs to get a signature. It might actually be better to treat .asc as a "compatibility" signature, not even the main one.
Users of Go don't even necessarily know about .asc from upstream (my old note on #181):
If I knew Go provided
.ascfiles, I would have followed the naming, but they aren't advertised on the download page. I found out about them because the official golang Dockerfiles use the.ascfiles to verify the download.
Align with upstream Go's convention of using
.ascfor detached PGP signature files.Fixes #181
The sign tool now always produces
.ascfiles and additionally produces.sigfor go1.26 and earlier for backward compatibility.Changes
.asc, plus legacy.sigcopy for ≤1.26.ascand.sigfiles.ascas signature suffix for all versions (takes effect when regenerated for a future release)Companion PR