Code signatures: Unsigned binaries, duplicate identifiers, missing identifier prefix

droe commented 5 years ago

[x] I have tried with the latest version of my channel (Stable or Edge) - 18.06.1-ce-mac73
~~[ ] I have uploaded Diagnostics~~ - irrelevant to the issue
Diagnostics ID:

Expected behavior

All MachO binaries are signed.
Each MachO binary has a different identifier with the common prefix com.docker..

Actual behavior

Not all MachO binaries are signed (i.e. Docker.app/Contents/Resources/bin/notary)
There are duplicate identifiers (i.e. com.docker)
There are many identifiers without prefix (e.g. kubectl instead of com.docker.kubectl)

These problems lead to various (mostly minor) issues with software inventory, application deployment, personal firewalls, binary whitelisting and security monitoring systems that cannot tell the different binaries apart based on the identifier embedded in the code signature.

Information

macOS Version: all

Diagnostic logs

% ls /Applications/Docker.app/Contents/MacOS/   
Docker*                        com.docker.osxfs*
com.docker.diagnose*           com.docker.supervisor*
com.docker.driver.amd64-linux* qcow-tool*
com.docker.neutralize*
% codesign -d -vvvv /Applications/Docker.app/Contents/MacOS/* 2>&1|grep ^Ident
Identifier=com.docker.docker
Identifier=com.docker
Identifier=com.docker.driver.amd64-linux
Identifier=com.docker
Identifier=com.docker
Identifier=com.docker.supervisor
Identifier=qcow-tool
% ls /Applications/Docker.app/Contents/Resources/bin                                
com.docker.hyperkit*           docker-credential-osxkeychain*
com.docker.vpnkit*             docker-machine*
docker*                        kubectl*
docker-compose*                notary*
% codesign -d -vvvv /Applications/Docker.app/Contents/Resources/bin/* 2>&1 |grep ^Ident
Identifier=com.docker
Identifier=com.docker
Identifier=docker
Identifier=docker-compose
Identifier=docker-credential-osxkeychain
Identifier=docker-machine
Identifier=kubectl

Steps to reproduce the behavior

Download and install docker on any macOS.
Use codesign -d -vvvv to inspect the code signature on each MachO binary.

docker-robott commented 5 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale comment. Stale issues will be closed after an additional 30d of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle stale

droe commented 5 years ago

/remove-lifecycle stale

droe commented 5 years ago

/lifecycle frozen

droe commented 5 years ago

«I want my bug report timed out without anybody looking at it!» - no one ever

docker / for-mac