open-telemetry / opentelemetry-collector-releases

OpenTelemetry Collector Official Releases
https://opentelemetry.io
Apache License 2.0

Request signing OCB MacOS binary with Apple Developer credentials #670

Open jackgopack4 opened 2 days ago

jackgopack4 commented 2 days ago

Currently, the macOS opentelemetry collector builder (ocb) binary is not signed with an Apple Developer account. This adds another layer of friction to running the binary on current macOS systems, as a security/malicious software popup requires heading to settings to override it.

[Screenshot (2024-09-19, 4:51:47 PM): the macOS security prompt shown when running the unsigned ocb binary]

OCB is released with GoReleaser; it currently supports notarizing/signing macOS binaries using anchore/quill: https://goreleaser.com/customization/notarize/

This would require having an OpenTelemetry Apple account and paying the fee per year, of course. Thought it might be worthwhile discussing adding this feature to make ocb easier to use. Thanks.
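For reference, this is what the GoReleaser `notarize` section described in the linked docs looks like when wired to CI secrets. It is an added example, not the project's own `.goreleaser.yaml`, and the environment variable names, the build id `ocb`, and the timeout are assumptions chosen for illustration:

```yaml
# Added example of a GoReleaser macOS signing + notarization block (not the
# project's configuration). Requires an Apple Developer account: a Developer ID
# Application certificate exported as a base64 .p12, plus an App Store Connect
# API key for notarization. All MACOS_* names below are assumed CI secret names.
notarize:
  macos:
    - # Only run when the signing secret is present, so forks and local builds
      # without access to the Apple credentials still succeed.
      enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
      # Restrict to the macOS build id(s); "ocb" is a placeholder for the
      # build id used for the collector builder binary.
      ids:
        - ocb
      sign:
        # base64-encoded Developer ID .p12 and its password, injected by CI.
        certificate: "{{ .Env.MACOS_SIGN_P12 }}"
        password: "{{ .Env.MACOS_SIGN_PASSWORD }}"
      notarize:
        # App Store Connect API key used to submit the signed binary to Apple.
        issuer_id: "{{ .Env.MACOS_NOTARY_ISSUER_ID }}"
        key_id: "{{ .Env.MACOS_NOTARY_KEY_ID }}"
        key: "{{ .Env.MACOS_NOTARY_KEY }}"
        # Block the release until Apple's notarization service returns a verdict
        # rather than publishing an artifact that may still be rejected.
        wait: true
        timeout: 20m
```

The certificate and API key should live only in the release workflow's secrets, scoped to the release job, since anyone holding them can produce binaries that macOS will trust as coming from the organization. With notarization enabled, users can confirm provenance locally with `codesign --verify --strict` and `spctl --assess --type execute` on the downloaded binary instead of overriding the Gatekeeper prompt.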

jpkrohling commented 1 day ago

I think there might be other related issues, especially around the main Collector binaries as well. While this sounds like a good idea, I don't think we have the means to pay for this yearly fee, and the benefits seem small for us: I believe our users are savvy enough to get their binaries from trusted sources and allow an exception for this binary. For automated usage in servers or CI/CD, I believe we provide attestations, which can be used to ensure the binary comes from us.

Unless a maintainer commits to maintaining this specific part, like we do for Windows (thanks @pjanotti!), I'd rather not have this.