Closed benarent closed 2 years ago
If we're just sending the tsh and tctl binaries from the Teleport image then yes, they won't be signed. Where are they being sourced from?
We are recommending https://get.gravitational.com/teleport-ent-v5.0.0-rc.1-darwin-amd64-bin.tar.gz as we need the Enterprise version of tctl. Maybe the easiest would be to add tctl to our signed pkg.
This is a little more complicated because we only have one tsh package for both OSS and Enterprise, but there are separate versions of tctl for each. I can see two solutions:
Just bundle Enterprise tctl into the current tsh package and sign it.
Pros:
Cons:
tsh.pkg which is a little misleading
tctl binary without realising then weird things could happen (it might try to add role objects when the backend doesn't support them, would likely just result in very weird errors)
Create two new packages (maybe called teleport-clients) - one that contains tsh and tctl OSS, and one that contains tsh and tctl Enterprise. Add these as downloads, sign them, notarize them and put them up for download in Houston. Decide whether to keep the existing tsh package or just retire it in favour of the new one.
Pros:
Cons:
Given that we're planning on open sourcing RBAC in Teleport OSS at some point then maybe bundling the tctl binary until that happens isn't a huge problem.
We can fix this starting in Go 1.16.
I think this has been fixed. @hatched was this one of the download links you updated a couple months ago?
I think this has been fixed
Yes. I'm 99% sure this is fixed.
Yep fixed!
Description
What happened:
What you expected to happen: We'll need to sign tctl as we are recommending using this on the client.