# Generate Signed Sparkle Appcasts

Publishing Mos releases requires a valid Sparkle appcast, signed zip metadata, and hosted release notes. This skill generates those files from the latest build zip, the git history, and the Sparkle signing key.

## Install

```bash
npx skillstore add caldis/generate-sparkle-appcast
```

## Metadata

- Slug: caldis-generate-sparkle-appcast
- Version: 1.0.0
- Author: Caldis
- GitHub username: Caldis
- License: MIT
- Repository: https://github.com/Caldis/Mos/tree/master/.codex/skills/generate-sparkle-appcast
- Ref: master
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: scripts, network, filesystem, env_access, external_commands
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/caldis-generate-sparkle-appcast
- Manifest: https://skillstore.pages.dev/api/skills/caldis-generate-sparkle-appcast/manifest

## Capabilities

- Finds the newest Mos release zip in the build directory.
- Parses version, beta flag, date, and build number from the zip filename.
- Reads Info.plist from the app bundle inside the zip.
- Generates Chinese and English release notes from recent git commits.
- Creates a Sparkle appcast.xml with download URL, size, version data, and Ed25519 signature.
- Copies appcast and release note files into docs for publication.

## Use Cases

- Ship a Stable Mos Release: Generate the appcast and hosted release notes after creating a notarized stable zip.
- Publish a Beta Update Channel: Create appcast metadata that marks a beta build with the Sparkle beta channel.
- Prepare Local Release Artifacts: Produce files for review before committing docs updates or publishing a GitHub release.

## Prompt Templates

### Generate From Last Release

```
Use the generate-sparkle-appcast skill to create the Mos appcast using --since <previous-release-commit>. Show me the generated file paths and any errors.
```

### Check Release Inputs

```
Before running the appcast script, verify that build, docs, the latest Mos zip, git, python3, openssl, and sparkle_private_key.txt are available.
```

### Review Generated Notes

```
Generate the appcast, then summarize the Chinese and English release notes that were written for this tag.
```

### Audit Release Metadata

```
Run the appcast workflow for the selected commit range, then verify the tag, download URL, version fields, file length, release notes links, and Ed25519 signature fields.
```

## Limitations

- Designed specifically for the Caldis Mos repository layout and filename pattern.
- Requires local git, python3, openssl, build, docs, and Sparkle key files.
- Does not upload releases or verify that GitHub assets already exist.
- Handles private signing material, so it should run only in trusted environments.

## Best Practices

- Run the script only on a trusted release machine with restricted access to the signing key.
- Review generated release notes and appcast metadata before committing docs changes.
- Re-run the script whenever the zip is rebuilt, repacked, or re-signed.
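A pre-publish check for the stale-appcast case above, written as an added example and not taken from the skill's own script: it flags an enclosure whose `length` no longer matches the zip on disk, a non-HTTPS download URL, or an `sparkle:edSignature` that is not 64 bytes of base64. The feed, zip name, URL, and signature value are constructed; the check covers signature shape only and does not verify the signature cryptographically.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
# Constructed placeholder: 64 zero bytes, well-formed but not a real signature.
CONSTRUCTED_SIG = base64.b64encode(bytes(64)).decode()
# Constructed sample feed; the URL and zip name are hypothetical.
SAMPLE_APPCAST = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
  <channel><item>
    <enclosure url="https://example.invalid/Mos-constructed-sample.zip"
               length="1024" sparkle:edSignature="{CONSTRUCTED_SIG}"/>
  </item></channel>
</rss>"""


def audit_appcast(appcast_xml, zip_sizes):
    """Return findings for each enclosure; an empty list means all passed.

    zip_sizes maps zip file name -> size in bytes of the zip now on disk,
    e.g. {p.name: p.stat().st_size for p in Path("build").glob("*.zip")}.
    """
    findings = []
    for item in ET.fromstring(appcast_xml).iter("item"):
        enc = item.find("enclosure")
        if enc is None:
            findings.append("item has no enclosure")
            continue
        url = enc.get("url", "")
        name = url.rsplit("/", 1)[-1]
        if not url.startswith("https://"):
            findings.append(f"{name}: download URL is not https")
        sig = enc.get(f"{{{SPARKLE_NS}}}edSignature")
        if sig is None:
            findings.append(f"{name}: missing sparkle:edSignature")
        else:
            try:
                raw = base64.b64decode(sig, validate=True)
            except (binascii.Error, ValueError):
                raw = b""
            if len(raw) != 64:  # an Ed25519 signature is always 64 bytes
                findings.append(f"{name}: edSignature is not 64 bytes of base64")
        if name not in zip_sizes:
            findings.append(f"{name}: zip not found in build output")
        elif enc.get("length") != str(zip_sizes[name]):
            findings.append(f"{name}: length attribute differs from zip on disk")
    return findings


if __name__ == "__main__":
    print(audit_appcast(SAMPLE_APPCAST, {"Mos-constructed-sample.zip": 1024}))
```

A length mismatch means the zip changed after the appcast was generated, so the recorded signature no longer covers the file that would be downloaded.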

## Anti Patterns

- Do not run the script with an untrusted Sparkle private key file.
- Do not publish the generated appcast before confirming the GitHub release tag and asset name.
- Do not use this workflow for repositories that do not match the Mos build and docs layout.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T19:48:30.133+00:00
- Summary: Static analysis found many command, filesystem, network, environment, and sensitive-key patterns. Review confirms the script is a plausible release automation tool, but it handles a Sparkle private signing key and writes temporary key material, so publication should include a clear security warning.

## Stats

- Views: 195
- Downloads: 4
- Favorites: 0
- Popularity score: 0
