open-horizon / anax

Horizon agent control system
https://open-horizon.github.io/docs/anax/docs/
Apache License 2.0

get mac horizon-cli package signed with an identified developer by Apple #830

Open linggao opened 5 years ago

linggao commented 5 years ago

Currently the mac horizon-cli package signed by us is not signed with the standard signing process for Mac. It can, though, be installed on Mac with the following command-line process:

```
# add certificate to your Mac's keychain. You only need to do it once.
wget http://pkg.bluehorizon.network/macos/certs/horizon-cli.crt
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain horizon-cli.crt

# download the package and install it
wget http://pkg.bluehorizon.network/macos/horizon-cli-2.22.6.pkg
sudo installer -pkg horizon-cli-2.22.6.pkg -target /
```

However, if the package is downloaded from a browser and the user double-clicks on the file from Finder, a warning will come up saying that "horizon-cli-.pkg" can't be opened because it is from an unidentified developer. This is because the browser adds a "quarantine" attribute to the file after it is downloaded. For example:

```
ls -@l horizon-cli-2.22.6-url.pkg
-rw-r--r--@ 1 glendarling  staff  5270584 Mar 13 07:04 /Users/me/Downloads/horizon-cli-2.22.6-url.pkg
        com.apple.metadata:kMDItemWhereFroms        117
        com.apple.quarantine         57
```

The Gatekeeper gives the warning when it is invoked even if we have put the cert file in the keychain.

We need to use the standard Apple signing process to sign the package so that no warning will be given.
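A way to see what Gatekeeper sees for a downloaded installer, as an added example that is not part of the original issue or the project's code: it decodes the quarantine attribute and, on macOS, asks `pkgutil` and `spctl` about the package signature. The `flags;hex-timestamp;agent;event-UUID` layout is an assumption based on commonly observed values, and the sample value and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example: inspect the quarantine attribute and signature of a downloaded .pkg.
# Assumption: the attribute value has the layout "flags;hex-epoch;agent;event-UUID".

# Constructed sample value (57 bytes); not read from a real file.
SAMPLE_QUARANTINE='0081;5e6b8f3a;Chrome;11111111-2222-3333-4444-555555555555'

# parse_quarantine VALUE
# Prints the decoded fields on one line; returns 1 if flags or timestamp are not hex.
parse_quarantine() {
    local flags ts agent event
    IFS=';' read -r flags ts agent event <<EOF
$1
EOF
    case $flags in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    case $ts in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    printf 'flags=0x%s epoch=%d agent=%s event=%s\n' \
        "$flags" "$((0x$ts))" "$agent" "$event"
}

# check_pkg FILE (macOS only)
# Reports the quarantine state, the signer chain, and Gatekeeper's install verdict.
check_pkg() {
    local pkg=$1 q tool
    for tool in xattr pkgutil spctl; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "missing $tool (macOS only)" >&2; return 2; }
    done
    if q=$(xattr -p com.apple.quarantine "$pkg" 2>/dev/null); then
        parse_quarantine "$q" || echo "quarantined, value not parsed: $q"
    else
        echo "no com.apple.quarantine attribute on $pkg"
    fi
    pkgutil --check-signature "$pkg"          # certificate chain that signed the package
    spctl --assess --type install -vv "$pkg"  # Gatekeeper assessment for installer packages
}

# Usage: ./check_pkg.sh horizon-cli-2.22.6.pkg
if [ "$#" -gt 0 ]; then check_pkg "$1"; fi
```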

linggao commented 5 years ago

Important doc to reference: https://developer.apple.com/library/archive/technotes/tn2206/_index.html