Issue (Open), opened by arielelkin 2 years ago
Closing this. If this is still relevant, please reopen.
@Jimbo4350 I think this issue is still relevant, but I don't have the ability to reopen. Could you please reopen?
I've asked for input from @newhoggy
Reproduced on this download: https://hydra.iohk.io/build/17428186
This is the current situation:
We only sign Mac binaries in Daedalus. Signing and notarization aren't part of the normal CI. That could potentially change with our new CI build system, but don't expect it anytime soon.
What's your rationale for not signing Mac binaries?
Signing is easy, automation of notarization is a bear, and upstream Apple keeps breaking our process (for Daedalus signing), which usually halts the release process for weeks waiting for legal sign-off on new license agreements, or a forced upgrade to a new version of OS X because Xcode needs upgrading, etc. Windows is just as much a pain, being connected to an HSM that needs to be manually touched every few weeks. Because the automation around signing Windows and Mac binaries is so complicated, we only do it with Daedalus releases at the moment. If everyone would just adopt regular PGP signatures across all platforms, my life would be a lot easier...
@disassembler if you have signing set up, notarization is just these two commands:
```sh
# Submit the signed artifact to Apple's notary service and block until the
# verdict comes back. notarytool accepts a .zip, .pkg or .dmg, so a bare
# Mach-O executable has to be wrapped in a zip archive first.
# IOG_APPLEID / IOG_APPLEID_PASSWORD (an app-specific password) / IOG_TEAMID
# are placeholders for the Apple developer account used for signing.
xcrun notarytool submit "$PATH_TO_SIGNED_BINARY" \
  --apple-id "$IOG_APPLEID" \
  --password "$IOG_APPLEID_PASSWORD" \
  --team-id "$IOG_TEAMID" \
  --progress \
  --wait

# Attach the notarization ticket so Gatekeeper can verify it offline.
# stapler works on .app bundles, .pkg and .dmg; a bare executable cannot be
# stapled, and Gatekeeper fetches its ticket from Apple on first launch instead.
xcrun stapler staple "$PATH_TO_SIGNED_BINARY"
```
Have you tried adding that to your CI pipeline?
Internal/External: External
Area: Other (any other topic: delegation, ranking, ...)
Summary: Trying to open any of the macOS binaries results in this error message:
X can’t be opened because it is from an unidentified developer
System info: not provided
Additional context: None of the macOS binaries work out of the box, as they and their associated dylibs haven't been codesigned, which results in macOS's Gatekeeper preventing their execution and showing the error message above.
Having to sudo, or right-click open, or changing Security settings on an ad-hoc basis for every single binary and dylib is not a viable solution. It's not aligned with platform standards, it's not user-friendly, and it's an unnecessary hurdle for novice programmers.
Also see https://github.com/input-output-hk/cardano-wallet/issues/2966
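A release-side check for the problem reported in this issue (unsigned binaries and dylibs tripping Gatekeeper), written as an added example rather than code from the cardano-node project or any participant in this thread. It walks an unpacked release directory, identifies Mach-O files by their magic numbers, and asks `codesign` whether each one carries a Developer ID signature that still verifies; the parsing helpers are pure and run anywhere, while `inspect`/`check_release` need macOS with the Xcode command-line tools. The `SAMPLE_OUTPUTS` (including "Example Corp" and "TEAMID0000") are constructed stand-ins for real `codesign -d --verbose=2` output, not captured from a real build.

```python
"""Check that every Mach-O file in a macOS release tree is Developer ID signed.

Added example, not code from the cardano-node project. The subprocess calls
assume macOS with Xcode command-line tools; the parsers work anywhere.
"""
import shutil
import subprocess
from pathlib import Path

# Mach-O magic numbers: thin 32/64-bit in both byte orders, plus fat/universal.
# Note that a Java .class file also starts with CA FE BA BE; that is fine for a
# tree of native release binaries, but tighten the check for mixed trees.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC / FAT_CIGAM
}


def is_macho(header: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat-binary magic number."""
    return header[:4] in MACHO_MAGICS


def macho_files(root: Path):
    """Yield every regular file under root whose header is a Mach-O magic."""
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            with path.open("rb") as fh:
                if is_macho(fh.read(4)):
                    yield path


def parse_codesign_display(text: str) -> dict:
    """Parse the stderr of `codesign -d --verbose=2 <file>`.

    Reports whether the object is signed at all, whether the signature is
    ad-hoc (no identity, which Gatekeeper rejects), and the Authority chain.
    """
    info = {"signed": True, "adhoc": False, "authorities": []}
    for raw in text.splitlines():
        line = raw.strip()
        if "code object is not signed at all" in line:
            info["signed"] = False
        elif line == "Signature=adhoc":
            info["adhoc"] = True
        elif line.startswith("Authority="):
            info["authorities"].append(line[len("Authority="):])
    return info


def gatekeeper_ok(info: dict) -> bool:
    """A Developer ID Application signature is the minimum Gatekeeper accepts
    for software distributed outside the App Store (notarization comes on top)."""
    return (info["signed"] and not info["adhoc"]
            and any(a.startswith("Developer ID Application:") for a in info["authorities"]))


def inspect(path: Path) -> dict:
    """Run codesign on one file and return the parsed verdict (macOS only)."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; run this on macOS with Xcode tools")
    # -d writes the signature details to stderr; exit status is non-zero when unsigned.
    shown = subprocess.run(["codesign", "-d", "--verbose=2", str(path)],
                           capture_output=True, text=True)
    info = parse_codesign_display(shown.stderr)
    # --verify --strict additionally checks the signature still matches the bytes on disk.
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(path)],
                            capture_output=True, text=True)
    info["intact"] = verify.returncode == 0
    return info


def check_release(root: Path) -> list:
    """Return [(path, problem)] for every Mach-O file that would trip Gatekeeper."""
    problems = []
    for path in macho_files(root):
        info = inspect(path)
        if not info["signed"]:
            problems.append((path, "not signed at all"))
        elif info["adhoc"]:
            problems.append((path, "ad-hoc signature, no Developer ID"))
        elif not gatekeeper_ok(info):
            problems.append((path, "signed, but not with a Developer ID Application certificate"))
        elif not info["intact"]:
            problems.append((path, "signature does not verify"))
    return problems


# Constructed samples of `codesign -d --verbose=2` stderr for the three states a
# release binary can be in (not captured from a real build; identity is made up).
SAMPLE_OUTPUTS = {
    "unsigned": "cardano-node: code object is not signed at all\n",
    "adhoc": ("Executable=/rel/cardano-node\nIdentifier=cardano-node\n"
              "Format=Mach-O thin (arm64)\nSignature=adhoc\n"),
    "developer_id": ("Executable=/rel/cardano-node\nIdentifier=cardano-node\n"
                     "Authority=Developer ID Application: Example Corp (TEAMID0000)\n"
                     "Authority=Developer ID Certification Authority\n"
                     "Authority=Apple Root CA\n"),
}


def demo() -> dict:
    """Classify the constructed samples; only the Developer ID one should pass."""
    return {name: gatekeeper_ok(parse_codesign_display(out)) for name, out in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    import sys
    print(demo())
    found = check_release(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for p, why in found:
        print(f"{p}: {why}")
    sys.exit(1 if found else 0)
```

Run it against the unpacked release tarball (`python check_signing.py cardano-node-macos/`) as a CI gate before publishing; a non-zero exit with a list of offending files is exactly the situation this issue describes. Notarization is a separate step on top of this: a Developer ID signature gets past the "unidentified developer" dialog, and the notarization ticket is what lets Gatekeeper clear the download without a network round trip.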