Open nlutsenko opened 8 years ago

Hey guys,

I know this might sound a little bit off, but as we all are aware, the installer package from the releases page of Carthage is not signed with any certificate, meaning that a lot of people are going to reject installation (including myself). You can call us the tinfoil hat society! :grin:

Taking into account the old discussion that happened in #142 and never went anywhere, I might have a few ideas how we can actually make this happen:

- Remove .pkg from the releases page. Sounds bad? But it's pretty much useless right now, since installing unsigned packages is very scary (or at least I am afraid of it).
- Publish the explicit hash signature of the package at the time of release - this way we have a guarantee of no man-in-the-middle attack on this download.
- Place a donate button to get those $100 for yet another developer account (everyone has one, right?). I will personally donate some money just to keep the competition going here and continue making package managers happen...

Just trying to start a conversation, all thoughts are my own.

> Remove .pkg from the releases page. Sounds bad? But it's pretty much useless right now, since installing unsigned packages is very scary (or at least I am afraid of it).

That's a no-go for me.

> Publish the explicit hash signature of the package at the time of release - this way we have a guarantee of no man-in-the-middle attack on this download.

I don't mind doing this. What's the hash of choice to use for this nowadays?

> Place a donate button to get those $100 for yet another developer account (everyone has one, right?). I will personally donate some money just to keep the competition going here and continue making package managers happen...

This is an option, but I'm not convinced that it's worth the time and money given that only 3 people have expressed an interest. :relaxed:

> I don't mind doing this. What's the hash of choice to use for this nowadays?

Sign it with a GPG key using something like http://0install.net/; that's like the most secure option. Another one is to just SHA256 it, but that's still attackable.

Taking into account that we have a massive security trust, like Apple and Developer ID signed packages - I am not sure that's actually a bad option at this point.

Also, did you guys consider by any chance a script installer that will download + build + place in proper places the whole thing, but from source code? I would say that's a good alternative to having an unsigned .pkg.

> Also, did you guys consider by any chance a script installer that will download + build + place in proper places the whole thing, but from source code? I would say that's a good alternative to having an unsigned .pkg.

No, most people use Homebrew to install from source. But you can also build and install from the repo directly with `make install`.

Surely someone involved in this project already has a developer account. I'm continually amazed every time I install a new version that it's still not code signed. It's frankly very embarrassing for you to publish a Mac-specific developer tool and not bother to code-sign it.

That's funny. I don't feel embarrassed. 🤷🏼‍♂️

My opinion: either sign the package for each release or don't provide it. Unsigned packages are bad practice since they somehow teach people that ignoring the macOS warnings (or, even worse, disabling the security setting) is acceptable. It is not.

@louisdh +1

Switching to the product of the SwiftPM build and removing pkg releases may be good.

Ref: #1559