Merged
3 changes: 2 additions & 1 deletion NORTH_STAR.md
Expand Up @@ -181,7 +181,8 @@ proof for another.
- Manual release evidence: from `apps/macos`,
`make manual-release-evidence-check`; the evidence must come from
`apps/macos/MANUAL_RELEASE_CHECKS.md` against the same Gatekeeper-accepted
DMG
DMG and must match its digest, commit, release tag, mounted app identity,
app version, app build, and executable digest
- Final app readiness audit: from `apps/macos`, `make north-star-audit`
- Website: Leptos/Cloudflare template checks, browser-visible proof, and live
download metadata verification after a real `apps/website` exists
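Review bot: The added bullet text says "its digest" and "executable digest" without naming the algorithm, while RELEASE_RUNBOOK.md in this same change says "DMG SHA-256" and "executable SHA-256". Suggest using the SHA-256 wording here too so both documents name the same fields. The list also omits the DMG filename, which the runbook says the evidence check compares; add it here or note why it is left out.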
10 changes: 6 additions & 4 deletions apps/macos/RELEASE_RUNBOOK.md
Expand Up @@ -78,8 +78,9 @@ After `make release-readiness` passes, perform every row in
`MANUAL_RELEASE_CHECKS.md` against the same Gatekeeper-accepted DMG. Record the
observed values using that file's evidence template.

Generate the starting evidence record from the current artifact so the commit
and DMG digest are not hand-copied:
Generate the starting evidence record from the current artifact so the commit,
DMG digest, mounted app identity, app version, app build, and executable SHA-256
are not hand-copied:

```bash
make manual-release-evidence-template RELEASE_TAG="<stable tag>" > ReleaseEvidence/manual-release-evidence.txt
Expand All @@ -91,8 +92,9 @@ Then verify the evidence is complete and bound to the artifact:
make manual-release-evidence-check MANUAL_EVIDENCE="<completed evidence file>"
```

The evidence check compares the recorded commit and DMG SHA-256 to the local
artifact under assessment.
The evidence check compares the recorded commit, release tag, DMG filename,
DMG SHA-256, mounted app bundle ID, app version, app build, and executable

WARNING: Inconsistent terminology - "mounted app bundle ID" should be "mounted app identity" to match the addition above and NORTH_STAR.md

Suggested change
DMG SHA-256, mounted app bundle ID, app version, app build, and executable
DMG SHA-256, mounted app identity, app version, app build, and executable

SHA-256 to the local artifact under assessment.

## Final Audit
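Review bot: The list of compared fields in the evidence-check paragraph of this hunk does not line up with the template paragraph in the hunk above. The check compares "release tag" and "DMG filename", which the template sentence does not list as generated, and the template says "DMG digest" where this paragraph says "DMG SHA-256". If the template fills those two fields from RELEASE_TAG and the artifact, say so in the template paragraph; if they are typed in, say that instead, since the stated goal of the template is that these values "are not hand-copied". Use one name per field in both paragraphs.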

3 changes: 3 additions & 0 deletions apps/macos/Tests/PointerDesignerTests/IdentityTests.swift
Expand Up @@ -825,6 +825,9 @@ final class IdentityTests: XCTestCase {
XCTAssertTrue(runbook.contains("make release-readiness"))
XCTAssertTrue(runbook.contains("make manual-release-evidence-template"))
XCTAssertTrue(runbook.contains("make manual-release-evidence-check"))
XCTAssertTrue(runbook.contains("mounted app identity"))
XCTAssertTrue(runbook.contains("release tag"))
XCTAssertTrue(runbook.contains("executable SHA-256"))
XCTAssertTrue(runbook.contains("make north-star-audit"))
XCTAssertTrue(runbook.contains("MANUAL_RELEASE_CHECKS.md"))
XCTAssertTrue(runbook.contains("stable GitHub release"))
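Review bot: The three added assertions are whole-file substring checks, so each passes if the phrase appears once anywhere in the runbook. "mounted app identity" is already satisfied by the template paragraph, so the evidence-check paragraph can keep saying "mounted app bundle ID" and this test still passes. Consider asserting on a phrase unique to the evidence-check paragraph, and adding checks for "DMG filename", "app version" and "app build", which the runbook change lists but this test does not cover.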