Open ncw opened 1 month ago
Whoever will work on this, I suggest using a small macOS utility app, Apparency. It lets you see and validate all aspects of signing/notarization. Perfect for "debugging" the results of this process.
rclone today:
And here is an example of some other cmd utility, fully signed and notarized:
Thank you @kapitainsky, very useful. I'll ping you when I have binaries to try (not for a couple of weeks though)
The plan is to sign the binaries as part of the build process. We'll probably sign all beta and full releases.
Will other OSes be included in this process? Thanks in advance
Microsoft has SignTool in its SDK, once you get a code signing certificate: https://learn.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-sign-a-file
AFAIK Linux does have an IMA ("integrity measurement architecture", https://sourceforge.net/p/linux-ima/wiki/Home/) and later EVM ("extended verification module"), for use with the DigSig API (https://docs.kernel.org/security/digsig.html and https://github.com/digsig-ng) and the keyctl user-space tool.
PS: I have no experience with any of them.
@nipil I've had some issues in the past with unsigned binaries on Windows 11: https://github.com/qwerty-fr/qwerty-fr/issues/63
It seems that code signing the binaries on macOS is becoming increasingly important.
We discussed this on the forum and some helpful tools were shown too
https://forum.rclone.org/t/1-67-binary-for-macos-not-notarized/47276
The plan is to sign the binaries as part of the build process. We'll probably sign all beta and full releases.