Open tekumara opened 3 years ago
Thank you for posting this issue and sharing the workaround! The package that supports signing on macOS can now be downloaded from: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html#install-plugin-macos-signed. But for the customer version, as it is open source and the code can be manipulated, the workaround should currently be used to install.
Thanks for the update! I downloaded the latest package from the linked AWS page but the installed binary does not appear to be codesigned or notarized (and also does not appear to have been updated since December 2021). While the workaround bypasses the Gatekeeper warning, code signing and notarization is important for e.g. only allowing signed binaries to run. It'd be helpful for us to have a binary (not just the package) signed with the appropriate Apple developer ID.
$ ls -l /usr/local/sessionmanagerplugin/bin/session-manager-plugin
-rwxr-xr-x 1 root wheel 11592944 Dec 16 16:46 /usr/local/sessionmanagerplugin/bin/session-manager-plugin
$ spctl -a -vvv /usr/local/sessionmanagerplugin/bin/session-manager-plugin
/usr/local/sessionmanagerplugin/bin/session-manager-plugin: rejected
source=no usable signature
Yeah, the package was signed but the binary file is not for now. The Session Manager team will record it as a feature request, and update when it is planned.
When installing on macOS via brew:
On run the plugin errors with:
The workaround is to use --no-quarantine, e.g.:
However, it would be great if the binary were code signed and notarized so the above doesn't appear and to provide confidence to end-users.
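Added example, not part of the thread or of the plugin's own tooling: a small shell gate that turns the manual `spctl -a -vvv` check shown above into a pass/fail policy decision, so that only binaries Gatekeeper reports as notarized Developer ID are allowed. The function names are hypothetical, and the "accepted" sample in the usage comment is constructed; the "rejected" sample is the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Gatekeeper assessment
# and enforce a "notarized Developer ID only" policy on a binary.

# classify_spctl: read `spctl -a -vvv` output on stdin and print one of
#   accepted:<source>   rejected:<source>   unknown
classify_spctl() {
    awk '
        /: accepted$/ { verdict = "accepted" }
        /: rejected$/ { verdict = "rejected" }
        /^source=/    { sub(/^source=/, ""); source = $0 }
        END {
            if (verdict == "") print "unknown"
            else print verdict ":" source
        }'
}

# assess_binary PATH: run the same check as in the thread (macOS only).
# stderr is merged into stdout so the assessment text is captured
# regardless of which stream spctl writes it to.
assess_binary() {
    spctl -a -vvv "$1" 2>&1 | classify_spctl
}

# require_notarized VERDICT: succeed only when Gatekeeper accepted the
# file and reported its source as a notarized Developer ID signature.
# A package-level signature alone does not satisfy this check.
require_notarized() {
    [ "$1" = "accepted:Notarized Developer ID" ]
}

# Usage: ./check.sh /usr/local/sessionmanagerplugin/bin/session-manager-plugin
# Thread output      -> rejected:no usable signature   (policy: block)
# Constructed sample -> accepted:Notarized Developer ID (policy: allow)
if [ -n "${1:-}" ] && command -v spctl >/dev/null 2>&1; then
    verdict=$(assess_binary "$1")
    echo "$1 -> $verdict"
    if require_notarized "$verdict"; then
        echo "policy: allow"
    else
        echo "policy: block (binary is not notarized Developer ID)"
        exit 1
    fi
fi
```
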