What would you like Teleport to do?
When you install tsh from Homebrew today (using the teleport formula) you get the unsigned version of the regular tsh binary. This means Touch ID on the command line and Device trust will not work. This is a bad experience for end-users who are just trying to connect to a Teleport cluster from their Macs.
We should create and maintain an official Teleport Homebrew tap which ships the proper signed/notarized tsh.app, allowing easy updates and installation with working Touch ID/Device trust out of the box.
We should then update our download page and MacOS instructions to offer a frictionless experience to install or update tsh, teleport and other binaries on MacOS.
Hashicorp's Vagrant download page is super clean and simple, with a one-liner for using their tap on MacOS:
This will improve the MacOS end-user experience hugely, which is especially relevant for corporate customers who may ultimately need to enroll their Macs with Teleport device trust as part of a self-service onboarding process.
We can't stop Homebrew from shipping their own formula (and, according to policy, they won't remove their own formula in favour of our tap) but we can make using ours easier and more compelling. Homebrew is easily the most popular package manager for MacOS, so having a better supported flow for it is likely to help a large proportion of our MacOS users.
What problem does this solve?
Reduces fragmentation of the MacOS landscape.
If a workaround exists, please include it.
Nothing for Homebrew currently.
Related issues
https://github.com/gravitational/teleport/issues/14006