aspect-build / aspect-cli

correct, fast, usable: choose three
https://aspect.build/cli
Apache License 2.0
84 stars 19 forks

MacOS requires the application be signed by a developer #52

Open alexeagle opened 2 years ago

alexeagle commented 2 years ago

Otherwise you get the security error from the OS and have to go to the System Preferences -> Security tab to manually allow it.

alexeagle commented 2 years ago

@keith helped me investigate.

https://developer.apple.com/programs/ is where we would have to start, which is a big process. Then there's yearly maintenance on certs. https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions says how to wire into GH Actions.

HOWEVER Bazel and Bazelisk both have the same problem, so maybe we just do the same as they do and not codesign/notarize our app. Instead we can have users run curl to get the binary (avoids setting the bits in the xattr) or make a Homebrew formula and recommend installing that way.

Debugging notes:

```sh
# show the bits
xattr -l path/to/bin
# clear the warning about malicious software
xattr -c path/to/bin
```

```
% xattr -l ~/Downloads/aspect-darwin_amd64
com.apple.macl:
00000000  03 00 DF 9A CF 5F 7A E6 45 F1 A5 B5 6A 2F 0B 56  |....._z.E...j/.V|
00000010  06 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |.`..............|
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00                          |........|
00000048
com.apple.quarantine: 0002;6172e336;Slack;2DCCD7AA-6E7E-4820-956D-FC5339715921
% codesign -dvvv ~/Downloads/bazelisk-darwin-amd64
/Users/ksmiley/Downloads/bazelisk-darwin-amd64: code object is not signed at all
% spctl -a -vvv -t install ~/Downloads/bazelisk-darwin-amd64
/Users/ksmiley/Downloads/bazelisk-darwin-amd64: rejected
source=no usable signature
```
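An added example, not part of the original comment or the aspect-cli project: a small shell helper that decodes the `com.apple.quarantine` line shown in the `xattr -l` output above, to see which application tagged the download and when. It assumes the commonly documented field layout (flags; hex Unix timestamp; agent name; event UUID); the function and field names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the com.apple.quarantine line from the xattr -l output above.
SAMPLE='com.apple.quarantine: 0002;6172e336;Slack;2DCCD7AA-6E7E-4820-956D-FC5339715921'

# Read `xattr -l` output on stdin and print one field of the quarantine record.
# Field names (flags, epoch, agent, uuid) are labels chosen for this example.
# Exit status: 1 = no quarantine attribute, 2 = malformed record or bad field name.
quarantine_field() (
    value=$(sed -n 's/^com\.apple\.quarantine: *//p' | head -n 1)
    [ -n "$value" ] || exit 1
    IFS=';' read -r flags stamp agent uuid <<EOF
$value
EOF
    # The timestamp must be plain hex before it goes into shell arithmetic.
    case $stamp in ''|*[!0-9A-Fa-f]*) exit 2 ;; esac
    case $1 in
        flags) printf '%s\n' "$flags" ;;
        epoch) printf '%s\n' "$((0x$stamp))" ;;
        agent) printf '%s\n' "$agent" ;;
        uuid)  printf '%s\n' "$uuid" ;;
        *)     exit 2 ;;
    esac
)

# One-line summary: which application tagged the file, and when (UTC).
quarantine_summary() (
    input=$(cat)
    agent=$(printf '%s\n' "$input" | quarantine_field agent) || exit $?
    epoch=$(printf '%s\n' "$input" | quarantine_field epoch) || exit $?
    # BSD date (macOS) takes -r SECONDS; GNU date takes -d @SECONDS.
    when=$(date -u -r "$epoch" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null ||
           date -u -d "@$epoch" '+%Y-%m-%dT%H:%M:%SZ')
    printf 'quarantined by %s at %s\n' "$agent" "$when"
)

printf '%s\n' "$SAMPLE" | quarantine_summary
```

On a Mac, `xattr -l path/to/bin | quarantine_summary` gives the same summary for a real download; a file fetched with curl has no quarantine line, so the helper exits with status 1.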