Sign macOS release binaries

[hrls]

[hrls]

Managing certificates is only available for developers enrolled in a developer program or members of an organization’s team in a developer program.

[ales-tsurko]

for now we can use self-signed certificates, it's a known story for macOS users to reopen an app via the security settings.

[hrls]

Does a self-signed certificate bypass the need to allow in settings to run binary from the release archive? If not, then from a user experience perspective it is the same as an unsigned one .

[hrls]

It was also found that the binary from the release archive does not have the executable flag. Yes, it's as simple as chmod +x … but involves extra command.

[ales-tsurko]

Does a self-signed certificate bypass the need to allow in settings to run binary from the release archive? If not, then from a user experience perspective it is the same as an unsigned one .

Yes, you should run it via the security settings. You can't run unsigned binary at all.

[hrls]

You can't run unsigned binary at all

Actually you can. It's almost the same flow but with some another hidden button named Allow anyway … or so.

[ales-tsurko]

Ok, code signing is very confusing. Looks like there are two things: ad-hoc signing and notarization. You can't run a binary without both at all, but you can run it via the settings in case of ad-hoc signing without the notarization. And when it's built on macOS ARM, it's ad-hoc by default. Issues happen in case of cross-compilation, and we had one similar recently until we self-signed the binary.

[hrls]

https://docs.github.com/en/actions/use-cases-and-examples/deploying/installing-an-apple-certificate-on-macos-runners-for-xcode-development