
Notarize application for macOS #92

Closed

oneslash opened this issue Dec 26, 2019 · 4 comments

Comments

oneslash (Contributor) commented Dec 26, 2019

I think you need to notarize the application for macOS, otherwise it is not going to let users run it.

Links:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

https://g3rv4.com/2019/06/bundling-signing-notarizing-go-application

fho (Collaborator) commented Jan 2, 2020

Thanks for the report.

I'm not very familiar with Apple + macOS.
If I understand it right, either:

  • we have to become a paid member of the Apple developer program to get a certificate to sign the binaries, or
  • the user has to confirm once that they want to run the unsafe binary?

oneslash (Contributor, Author) commented Jan 3, 2020

Yes, you would need a paid account, and to answer the second question, a user will see a message like the one here golang/go#34986 (comment), without a button to open the binary.

Currently the solution is to go to System Preferences -> Security & Privacy -> and open it from there.

However, I am not sure what Apple will implement; it is supposed to launch in Jan 2020.

fho (Collaborator) commented Jan 6, 2020

@oneslash thanks for the information.
I'll evaluate internally whether it's doable with reasonable effort to sign the macOS binaries.

fho (Collaborator) commented Jan 15, 2020

I got a bit more into the topic.
The component responsible for these security warnings is Gatekeeper (https://en.wikipedia.org/wiki/Gatekeeper_(macOS)).
When files are downloaded via certain applications like Safari, the downloaded file is flagged with a quarantine flag.
When a file with this flag is opened, macOS checks if it has a valid code signature; if not, a warning is shown.
This only happens when the application that created the file adds the quarantine flag.
When files are downloaded via e.g. curl, the file is not flagged and no warning appears.

For now I won't notarize the baur applications:

  • Apple requires a paid subscription and does not offer support for non-profit/open-source projects to do the signing free of charge,
  • it complicates the release process; I found some command-line tools that can be used in CI to simplify it though,
  • baur can still be used on macOS without notarization:
    baur is used on CI systems or developer laptops, and the installation is done by experienced people who can cope with the signature warning.
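The quarantine-flag mechanism fho describes above, and the manual Security & Privacy override oneslash mentions earlier in the thread, as an added shell example that is not part of this thread and not baur's own tooling. Assumptions: the field layout of the com.apple.quarantine value (flags;time;agent;uuid) is taken from values observed on macOS rather than from Apple documentation; the sample value below is constructed, not captured from a real system; xattr, codesign and spctl are the real macOS tools and only work on macOS, while parse_quarantine runs on any POSIX shell.

```shell
#!/usr/bin/env bash
# Added example, not baur's own tooling: inspect the quarantine attribute that
# Gatekeeper keys on, get the signature/notarization verdict for a binary, and
# clear the flag for a single binary you have verified yourself.
set -u

# Parse a com.apple.quarantine value. The layout below is an assumption taken
# from values observed on macOS, not an Apple-documented contract:
#   <flags-hex>;<unix-time-hex>;<downloading-agent>;<uuid>
# Prints one line: flags=0x.. downloaded_at=<epoch seconds> agent=.. uuid=..
parse_quarantine() {
  local value q_flags q_ts q_agent q_uuid q_ts_dec
  value="$1"
  IFS=';' read -r q_flags q_ts q_agent q_uuid <<EOF
$value
EOF
  if [ -z "$q_flags" ] || [ -z "$q_ts" ]; then
    echo "malformed quarantine value: $value" >&2
    return 1
  fi
  # The timestamp field is hex seconds since the Unix epoch.
  q_ts_dec=$(printf '%d' "0x$q_ts")
  printf 'flags=0x%s downloaded_at=%s agent=%s uuid=%s\n' \
    "$q_flags" "$q_ts_dec" "${q_agent:-unknown}" "${q_uuid:-none}"
}

# Report whether FILE carries the quarantine flag. Exit codes:
#   0 flagged (Gatekeeper will assess it on first launch)
#   1 not flagged (typical for files fetched with curl)
#   2 cannot tell (xattr is not available on this system)
quarantine_state() {
  command -v xattr >/dev/null 2>&1 || return 2
  xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Ask the same machinery Gatekeeper uses: codesign reports signature validity,
# spctl --assess --type execute gives the accept/reject verdict for launching.
assess_binary() {
  local file="$1"
  codesign --verify --deep --strict --verbose=2 "$file" \
    || echo "codesign: $file is unsigned or its signature is invalid"
  spctl --assess --type execute --verbose "$file" \
    || echo "spctl: $file would be rejected by Gatekeeper"
}

# Remove the flag from one file you fetched and verified yourself (e.g. hash
# checked against the release checksum). Same outcome for that single file as
# the Security & Privacy "open anyway" step described in the thread.
clear_quarantine() {
  xattr -d com.apple.quarantine "$1"
}

# Constructed sample value in the shape Safari writes; not from a real system.
SAMPLE='0083;5e1f3c8a;Safari;0F9A1C2E-3B4D-4E5F-8A6B-7C8D9E0F1A2B'
parse_quarantine "$SAMPLE"
# On macOS, for a downloaded release:  quarantine_state ./baur; assess_binary ./baur
```

On a CI runner or developer laptop that fetched baur with curl, quarantine_state returns 1 and no warning will appear regardless of signing; a Safari download returns 0, and assess_binary then shows the unsigned verdict that produces the warning. Clear the flag per file only after checking the binary against the published checksum, since the whole point of the flag is that nothing else vouched for the file.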

fho closed this as completed Jan 15, 2020