aquaproj / aqua

Declarative CLI Version manager written in Go. Support Lazy Install, Registry, and continuous update with Renovate. CLI version is switched seamlessly
https://aquaproj.github.io

Notarization for MAC #1826

Open gedw99 opened 1 year ago

gedw99 commented 1 year ago

Feature Overview

Notarization for MAC

Why is the feature needed?

Mac users can not run pkg and binaries from others.

I would like to use aqua as a registry for delivering apps, and binaries to end users.

Doing it as part of CI, so that updates to the Registry of pkg and apps are supported.

I can provide examples if needed and happy to help with this.

Does the feature include Breaking Changes?

nope.

Example Code

https://github.com/anchore/quill

https://github.com/DelineaXPM/dsv-cli uses quill here: https://github.com/search?q=repo%3ADelineaXPM%2Fdsv-cli%20quill&type=code

suzuki-shunsuke commented 1 year ago

Thank you for your proposal. Could you explain more detail? Do you want aqua to verify the signature signed by quill? I'm not familiar with quill, so maybe I'm misunderstanding.

aqua doesn't sign packages. aqua just installs packages from datasources such as GitHub Releases, GitHub Contents, and any URL.

gedw99 commented 1 year ago

quill is just a golang package that does Apple Notarization. More info: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution

So when a normal user installs the binary via Aqua it will run without refusing to run and giving WARNINGS!

So I am proposing that we import quill into aqua so that we can automatically sign binaries for developers.

This can be part of the github registry process too, and can run in github CI, using quill.

Many use cases 👍

Example usage to notarize a binary.

quill p12 attach-chain --keychain-path /Library/Keychains/System.keychain ./mycertificates.p12

gedw99 commented 1 year ago

There is a golang package that does all this for Windows also, btw ...

suzuki-shunsuke commented 1 year ago

In my understanding, signing (Notarization) should be done by each package's distributors (maintainers). For example, the PKG file of AWS CLI should be signed not by us but by AWS.

But actually many tools aren't signed, so macOS may block them.

So maybe we can prevent this issue by signing tools by aqua instead of distributors, but I'm not sure this is correct. We can also prevent this issue by allowing files in $AQUA_ROOT_DIR.
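A check an installer could run before macOS does, as an added Go example that is neither aqua's nor quill's code: it parses a Mach-O image with the standard library and reports whether an embedded code-signature blob is present. The `0x1d` / `0x26` load-command ids are Apple's LC_CODE_SIGNATURE and LC_FUNCTION_STARTS; the Mach-O bytes are constructed inline for the demonstration.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
	"io"
)

// LC_CODE_SIGNATURE and LC_FUNCTION_STARTS (<mach-o/loader.h>); both use the linkedit_data_command layout.
const (
	lcCodeSignature  macho.LoadCmd = 0x1d
	lcFunctionStarts macho.LoadCmd = 0x26
)

// HasCodeSignature reports whether a thin Mach-O image carries an embedded code signature blob.
// Presence only: it neither validates the signature nor checks notarization; fat binaries fail in NewFile.
func HasCodeSignature(r io.ReaderAt) (bool, error) {
	f, err := macho.NewFile(r)
	if err != nil {
		return false, err
	}
	for _, l := range f.Loads {
		raw := l.Raw() // commands debug/macho does not decode are kept as raw bytes
		if len(raw) >= 16 && macho.LoadCmd(f.ByteOrder.Uint32(raw[0:4])) == lcCodeSignature {
			return f.ByteOrder.Uint32(raw[12:16]) > 0, nil // datasize > 0
		}
	}
	return false, nil
}

// minimalMachO is a constructed 64-bit little-endian header plus one linkedit_data_command (not a runnable image).
func minimalMachO(signed bool) []byte {
	cmd := lcFunctionStarts
	if signed {
		cmd = lcCodeSignature
	}
	var b bytes.Buffer
	for _, v := range []uint32{macho.Magic64, uint32(macho.CpuArm64), 0, uint32(macho.TypeExec), 1, 16, 0, 0,
		uint32(cmd), 16, 0x1000, 0x100} { // header (ncmds=1, sizeofcmds=16), then cmd, cmdsize, dataoff, datasize
		binary.Write(&b, binary.LittleEndian, v)
	}
	return b.Bytes()
}

func main() {
	signed, err := HasCodeSignature(bytes.NewReader(minimalMachO(true)))
	fmt.Println("constructed image has signature blob:", signed, "err:", err)
}
```

A "false" result is the case this thread is about: Gatekeeper will refuse such a binary, so an installer can warn at install time rather than leaving the user to hit the block at first run.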

gedw99 commented 1 year ago

yes maybe like this …

The developer just puts in a secret for their signing keys.

aqua then uses it in CI on GitHub.

gedw99 commented 1 year ago

In https://github.com/DelineaXPM/dsv-cli/blob/65b3d98244b1d2f7cb5967b88b6e1c1eb2696610/.goreleaser.yaml#LL36-L46

there is a lot of work …

it’s maybe better for aqua to import quill and do all that for the developer.

I presume aqua is running in the developer's CI environment.