mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0
4.9k stars, 565 forks

macOS codesign releases #170

Open psifertex opened 4 years ago

psifertex commented 4 years ago

Summary

Please consider code signing releases as it will make execution on Windows and macOS easier:

Screen Shot 2020-07-17 at 2 21 52 PM

Motivation

I considered filing this as a bug, but since there's a straightforward workaround (approving the executable in System Preferences / Security & Privacy) it's probably more of a feature request.

Related: Should document the workaround in the installation instructions. I'll file a separate PR for that.

Describe alternatives you've considered

Not doing anything is fine, it just makes usage more difficult.

williballenthin commented 4 years ago

here's how to codesign a binary produced by PyInstaller: https://github.com/pyinstaller/pyinstaller/wiki/Recipe-OSX-Code-Signing

here's how to import a cert via GH actions: https://github.com/marketplace/actions/import-code-signing-certificates

williballenthin commented 4 years ago

probably should do this after #178 (nightly builds via gh actions) so the builds are automated, rather than point and click.

@Ana06 this issue is probably yours, since me/moritz don't have a mac. Let me know if this won't work and I'll ...ask FEYE for a macbook? :-D

Ana06 commented 4 years ago

@williballenthin

> Let me know if this won't work and I'll ...ask FEYE for a macbook? :-D

You can use macOS in GitHub Actions. It is cheaper than a macbook 😆

Should I do this with the current binary already, or do we just do it in GitHub Actions for the next version? We may want to release a new version with https://github.com/fireeye/capa/pull/180 soon anyway... 🤔

Ana06 commented 4 years ago

I tried out the signing. It is not difficult and I think it should work in GitHub Actions as well. But I think we should get a Signing Identity and I am not sure how to do this. There is documentation about it here: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html