Open ncw opened 1 month ago
kapitainsky
commented
1 month ago Whoever will work on this I suggest to use small macOS utility app - Apparency. It allows to see and validate all aspects of signing/notarization. Perfect for "debugging" results of this process.
rclone today:
And here example of some other cmd utility fully signed and notarized:
ncw
commented
1 month ago Thank you @kapitainsky very useful. I'll ping you when I have binaries to try (not fort a couple of weeks though)
nipil
commented
1 month ago The plan is to sign the binaries as part of the build process. We'll probably sign all beta and full releases.
Will other OS be included in this process ? Thanks in advance
kapitainsky
commented
1 month ago nipil
commented
1 month ago Microsoft has SignTool in its SDK, once you get a code signing certificate : https://learn.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-sign-a-file
AFAIK Linux does have an IMA ("integrity measurement architecture" https://sourceforge.net/p/linux-ima/wiki/Home/) and later EVM("extended verification module"), for use with DigSig API (https://docs.kernel.org/security/digsig.html and https://github.com/digsig-ng) and the keyctl user-space tool.
PS : I have no experience with any of them.
devnoname120
commented
3 weeks ago @nipil I've had some issues with the past with unsigned binaries on Windows 11: https://github.com/qwerty-fr/qwerty-fr/issues/63
It seems that code signing the binaries on macOS is becoming increasingly important.
We discussed this on the forum and some helpful tools were shown too
https://forum.rclone.org/t/1-67-binary-for-macos-not-notarized/47276
The plan is to sign the binaries as part of the build process. We'll probably sign all beta and full releases.