microsoft · gdams · Jun 4, 2026 · Jun 4, 2026 · dagood · Jun 4, 2026
@@ -16,6 +16,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 )
 
@@ -94,8 +95,22 @@ func (a *archive) latestPath() string {
 	return a.path
 }
 
-func (a *archive) sigPath() string {
-	return filepath.Join(a.workDir, a.name+".sig")
+// legacySigNeeded reports whether this archive needs a legacy .sig file
+// in addition to the .asc file, for backward compatibility with go1.26 and earlier.
+func (a *archive) legacySigNeeded() bool {
+	// Archive names look like "go1.27.linux-amd64.tar.gz" or "go1.26.3.src.tar.gz".
+	if after, ok := strings.CutPrefix(a.name, "go1."); ok {
+		if dot := strings.IndexByte(after, '.'); dot > 0 {
+			if minor, err := strconv.Atoi(after[:dot]); err == nil && minor <= 26 {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (a *archive) ascPath() string {
+	return filepath.Join(a.workDir, a.name+".asc")
 }
 
 func (a *archive) macHardenPackPath() string {
@@ -428,18 +443,18 @@ func (a *archive) prepareArchiveSignatures(ctx context.Context) ([]*fileToSign,
 	if err := ctx.Err(); err != nil {
 		return nil, err
 	}
-	// Copy the archive file to have .sig suffix, e.g. "tar.gz" to "tar.gz.sig". The signing
-	// process sends the "tar.gz.sig" file to get a signature, then replaces the "tar.gz.sig"
-	// file's content in-place with the result. We need to preemptively make a renamed copy of the
-	// file so we end up with both the original file and sig on the machine.
-	log.Printf("Copying file for signature generation: %q -> %q", a.latestPath(), a.sigPath())
-	if err := copyFile(a.sigPath(), a.latestPath()); err != nil {
+	// Copy the archive file with an ".asc" suffix. The signing process sends this file to get a
+	// signature, then replaces its content in-place with the result. We need to preemptively make
+	// a renamed copy of the file so we end up with both the original file and signature on the
+	// machine.
+	log.Printf("Copying file for signature generation: %q -> %q", a.latestPath(), a.ascPath())
+	if err := copyFile(a.ascPath(), a.latestPath()); err != nil {
 		return nil, err
 	}
 	return []*fileToSign{
 		{
 			originalPath: a.path,
-			fullPath:     a.sigPath(),
+			fullPath:     a.ascPath(),
 			authenticode: "LinuxSignManagedLanguageCompiler",
 		},
 	}, nil
@@ -458,9 +473,15 @@ func (a *archive) copyToDestination(ctx context.Context) error {
 	if err := copyFile(filepath.Join(*destinationDir, a.name), a.latestPath()); err != nil {
 		return err
 	}
-	if err := copyFile(filepath.Join(*destinationDir, a.name+".sig"), a.sigPath()); err != nil {
+	if err := copyFile(filepath.Join(*destinationDir, a.name+".asc"), a.ascPath()); err != nil {
 		return err
 	}
+	// For go1.26 and earlier, also produce a .sig file for backward compatibility.
+	if a.legacySigNeeded() {
+		if err := copyFile(filepath.Join(*destinationDir, a.name+".sig"), a.ascPath()); err != nil {
+			return err
+		}
+	}
 	return nil
 }
 

@@ -253,7 +253,7 @@ func sign(ctx context.Context, step string, files []*fileToSign) error {
 	if *signType == "test" {
 		log.Printf("Testing signing: skipping MicroBuild tooling.")
 		for _, f := range files {
-			if strings.HasSuffix(f.fullPath, ".sig") {
+			if strings.HasSuffix(f.fullPath, ".sig") || strings.HasSuffix(f.fullPath, ".asc") {
 				log.Printf("Replacing file with placeholder content to reduce size and simulate signature: %q", f.fullPath)
 				// Get a checksum to make the file content unique. Otherwise,
 				// publishing rejects the repeated file content.

@@ -135,7 +135,7 @@ func filename(version, platform, ext string) string {
 const (
 	checksumSuffix  = ".sha256"
 	checksumMsg     = "Checksum (SHA256)"
-	signatureSuffix = ".sig"
+	signatureSuffix = ".asc"
 	signatureMsg    = "Signature<sup>1</sup>"
 )