Download link from new wizard isn't signed.

[benarent]

Description

What happened:

What you expected to happen: We'll need to sign tctl as we are recommending using this on the client.

[webvictim]

If we're just sending the tsh and tctl binaries from the Teleport image then yes, they won't be signed. Where are they being sourced from?

[benarent]

We are recommending https://get.gravitational.com/teleport-ent-v5.0.0-rc.1-darwin-amd64-bin.tar.gz as we need the Enterprise version of tctl. Maybe the easiest would be to add tctl to our signed pkg.

[webvictim]

This is a little more complicated because we only have one tsh package for both OSS and Enterprise, but there are separate versions of tctl for each. I can see two solutions:

Option 1

Just bundle Enterprise tctl into the current tsh package and sign it.

Pros:

• people who want it for this purpose will be satisfied
• doesn't need any big changes, very simple to do

Cons:

• the package will still be called tsh.pkg which is a little misleading
• people who install the package will get an extra binary they didn't expect
• if OSS users try to use the Enterprise tctl binary without realising then weird things could happen (it might try to add role objects when the backend doesn't support them, would likely just result in very weird errors)

Option 2

Create two new packages (maybe called teleport-clients) - one that contains tsh and tctl OSS, and one that contains tsh and tctl Enterprise. Add these as downloads, sign them, notarize them and put them up for download in Houston. Decide whether to keep the existing tsh package or just retire it in favour of the new one.

Pros:

• explicit and clear, nobody will get caught out
• names are more "correct"

Cons:

• much more work
• makes download page a bit untidier

Given that we're planning on open sourcing RBAC in Teleport OSS at some point then maybe bundling the tctl binary until that happens isn't a huge problem.

[russjones]

We can fix this starting in Go 1.16.

https://github.com/golang/go/milestone/145

[zmb3]

I think this has been fixed. @hatched was this one of the download links you updated a couple months ago?

[benarent]

I think this has been fixed

Yes. I 99% sure this is fixed.

[hatched]

Yep fixed!