Signing

[gedw99]

Overview

Mac pkgs sometimes need to be signed and not all are.

the call is:

productsign --timestamp --sign "Developer ID Installer: YOUR NAME (TEAM_ID)" /path/to/unsigned.pkg /path/to/signed.pkg

They is a way to do this such that the certs do NOT need to be in a Mac Keychain also, which would be needed.

Why is the proposal needed?

to sign pkgs..

Reference

• Support unarchiving .PKG format for macOS #1803 (comment)
• Notarization for MAC #1826

[suzuki-shunsuke]

Thank you for your proposal.
And sorry for confusing but I think the category Feature Request is better.
Proposal is a category for a proposal except Feature Request.
Please keep in mind for the next time.

[suzuki-shunsuke]

BTW, I have a question about Homebrew.
In my understanding, we can execute tools installed by Homebrew without issue.
Is this because Homebrew signs tools?
I think this question may be related to this proposal.

[gedw99]

yes homebrew compiles and signs it is my understanding.

but check it ...

[suzuki-shunsuke]

I see.
I can't find the reference about it, so I'll really appreciate if you can find. 🙇‍♂️

[gedw99]

https://docs.brew.sh/FAQ#why-cant-i-open-a-mac-app-from-an-unidentified-developer

its not quite what we want but its all i could find.

[gedw99]

if its not signed it wont run unless the developer has allows it

https://support.apple.com/en-us/HT202491

because most devs have this setting for "unidentifed" devs, then home brew apps work.

so without turning off security at the Mac OS preferences level the app wont run.

hence why signing is needed.

Beps code does it btw... Its quote well done

[suzuki-shunsuke]

Thank you for sharing some reference.

[suzuki-shunsuke]

Hmm. I can't understand why aqua works without trouble.
At least aqua works well in my macOS.
And if aqua doesn't work well unless users do settings for security, some users should report the issue, but I haven't received the report. 🤔

[suzuki-shunsuke]

And I wonder if it is correct for aqua to sign tools because aqua can't verify if the package is safe.
I'm afraid aqua may sign and allow malware.
I'm wondering if sign by aqua has meaning in terms of security. 🤔

[gedw99]

Yeah I know what you mean.

aqua should NOT be signing on others behalf.

It’s all down to Providence . Whi signs and who is the custodian of the signing. Who do you trust…

I honestly am stumped because I think different users want different things.

Also Apple is the only one that demands signing , really it should by the code authour signing it by putting their keys ( p12) into their CI.
aqua is just a custodian of the process in that Aqua provides the mechanisms.

If Aqua gets code or s binary from sone git then it should ask the authour to sign it. Like a CI error message.

if the authour does not care then delivery the binary through aqua and let the users have a mechanism via Aqua to yell at the authour. Aqua can keep sone data about how many are yelling and so the authour can decide if it’s worth going to the effort of signing .

that’s my brain storm on this.

apple wants a “ throat to choke” and that’s why it’s signing “ chain of trust” is designed to point back to a real human or company.
kind of like how Facebook or Twitter tried to enforce Real People accounts.

Dun and Bradstreet is one of the chains of trust apple uses for companies for example.

For people it’s their passport or whatever.

https://developer.apple.com/support/D-U-N-S/

so suggest that the pushing of gnudges back to the authour is practical solution to the ecosystem that Apple insists on ..