zarf-dev / zarf

DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/
Apache License 2.0
1.41k stars 171 forks source link

Zarf binaries on MacOS require code signing to avoid user difficulty #458

Open jeff-mccoy opened 2 years ago

jeff-mccoy commented 2 years ago

On modern MacOS systems unsigned binaries will result in the OS blocking the running of the binary and require additional (confusing) manual steps to allow the binary to run. This will be some work, but fortunately tools and procedures exists to take go binaries to signed apple binaries. This will require using a MacOS runner as well as an AppleID / Apple developer account for this process (I have one but then it would be signed by name)

Some tools/links to investigated: https://github.com/actions/virtual-environments https://github.com/mitchellh/gon https://goreleaser.com/customization/sign/ https://github.com/joemiller/goreleaser-gon-poc https://github.com/iann0036/iamlive/blob/main/.github/workflows/release.yaml

This should be easy enough with https://goreleaser.com/customization/sign/#with-gon - we will have to do some testing on this so likely should run test releases from a fork (since goreleaser will need macOS and our release tests need Linux)

anoncam commented 2 years ago

@jeff-mccoy assume you have Apple Developers account?

Apple has a developer CA from which you must sign to be truly proper with Mac. Happy to sign a CSR from this CA.

jeff-mccoy commented 2 years ago

I do

jeff-mccoy commented 2 years ago

This might need additional validation--now that I'm installing with homebrew I don't seem to be getting this warning anymore personally, will need to do a little more testing.

JasonvanBrackel commented 2 years ago

@jeff-mccoy Any more insights here? Is this still an issue?

ghost commented 1 year ago

On a fresh machine installing from homebrew, I do not have a problem. Downloading the release from Github, it won't let me run it unless I right click on it in Finder and force it.

anoncam commented 1 year ago

The certs must come from apple developer portal

they maintain the CAs for MacOS trust.

willswire commented 1 year ago

an old read, but xar might help with the CI/CD implementation of code signing for macOS and prevent the need for a Mac runner: https://users.wfu.edu/cottrell/productsign/productsign_linux.html

Noxsios commented 8 months ago

Kicking this down the road to be implemented by OpenSSF @eddiezane FYSA

lucasrod16 commented 5 months ago

goreleaser now natively supports notarizing macOS binaries

https://goreleaser.com/customization/notarize/#notarize-macos-binaries