Mac artifacts are not code signed #18
Comments
lopopolo
added
A-security
lopopolo
added
the
E-help-wanted
|
#20 adds GPG signatures to nightly artifacts. |
|
There's a lot of good investigation here: simonw/datasette#1171 |
|
It looks like nightly artifacts need to be code signed and notarized. I also found this article useful: https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions |
|
The tools involved here are:
|
|
I was chatting with some folks on what steps I'd need to go through to get a Apple Developer Certificate for the code signing. Transcriptlopopolo: If I want to get a code signing certificate for a project / GitHub organization, do I sign up for an Apple Developer account with my personal Apple ID? Or should I create a new developer account with an email alias for the project? There is no legal entity associated with the organization. I use a codesign[@]domain[.]tld email for the GPG keys that generate signatures for release artifacts. [redacted]: I'd create a new Apple ID solely for developer. That way you don't have to change the email if someone else in the org wants to run signing for a while. Note that it really is an individual account associated with your real name. Also expect lots of spam to that email. lopopolo: ok so maybe apple-codesign@domain[.]tld mapped to a google group that doesn't show up in my inbox. but the user on that apple ID would still be Ryan Lopopolo. [redacted]: 👍 |
|
I signed up for a new Apple ID and the Apple Developer Program today. Waiting for the account to get approved. |
|
Account was approved today. |
Reported on Twitter via https://twitter.com/jim_healy/status/1345505318709592064 and https://twitter.com/jim_healy/status/1345509713715187713.
Gatekeeper blocks
airbandartichokefrom launching because they are not signed by "an identified developer".This looks like the right place to start:
The text was updated successfully, but these errors were encountered: