-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sign binaries #575
Comments
Is there a plan when the binaries will be signed? |
Found on HN today: https://github.com/indygreg/PyOxidizer/tree/main/apple-codesign
I wonder if this can be used for Deno binaries? |
Alternatively, there is also cosign: https://github.com/SigStore/cosign |
@waynebloss Their |
UPDATE: We tried to codesign using the
We tried to shave this yak from all manner of different positions, but in the end, we couldn't get it to work. For the time being, we're just going to follow the advice here https://users.rust-lang.org/t/distributing-cli-apps-on-macos/70223 and have users install via |
Probably apple-codesign is not the right tool for this. Why not https://github.com/SigStore/cosign? |
or if you want to be more traditional one can sign the binaries with GnuPG: https://www.gnupg.org/gph/en/manual/x135.html |
@jornfranke We did look into cosign, but it was not clear from the website or the documentation that it would solve the specific problem at hand which is to distribute a single executable binary to users on macOS. In the end, we decided not to sign at all for two reasons. First, whether we used In order to run an executable downloaded via your browser, you have to have it notarized by Apple's Gatekeeper service. However, Gatekeeper only accepts That is, until we found out that if you installed via
In an ideal world, we would sign our CLI, but since it is for developers, and installation via To get code signing to work reliably, |
Thanks for the detailed response. Then the non-existing description of the issue is misleading. I do not care about Apple signing, but in general all binaries (linux, windows etc.) should be signed so I can verify myself that they have not been tampered with. Maybe then I should create a dedicated issue for this? |
@jornfranke This could be what you're looking for #11154 There, @AlexanderOMara lays out a method to make it work for Mach-O, but from my (limited) understanding of the subject, it would require a separate strategy for assembling the standalone binary for each platform executable format (Mach-O, ELF, PE) rather than the magical trailer strategy used now. |
For Windows you could either add a new data section or tuck the data into the PE resources and read that. For Linux I'm not sure how common code signing is, but you can quite-easily add a new unloaded section to an ELF binary which can easily be read from disk. |
the signing does not need to be in the binary. It can be perfectly a dedicated file with the signature.
The process is described here: https://infra.apache.org/release-signing#verifying-signature |
Any reason not to use the same approach as node, and simply provide a clearsigned shasum file that can be (optionally) downloaded alongside any given release. This is similar to what @jornfranke is suggesting, and also allows existing Dockerfiles/scripts to use the same boilerplate they already use to verify node releases as with deno. Basically, you have:
You can thus verify the SHASUMS256.txt.asc file just by running Once that is confirmed, you can then check that the checksum for |
While there is benefit to verifying the integrity of executables with signing/verification, it doesn't address a core problem. Most consumers don't verify downloads. This is the primary reason why Microsoft SmartScreen exists in Windows environments. If the binary cannot be signed with an EV certificate, Windows won't trust it. In most company environments, this will prevent programs from running or being installed. |
@crowlKats Excellent -- as far as I can tell this doesn't cover signature though right? It seems like what I am describing is to accomplish this bug through that one. Is it worth referencing this bug there too? |
We need to get the index of js_handled_promise_rejection_cb before we build the struct.
in case anyone sees this, I've also faced this issue, and it seems like it only happens when you code sign a macOS binary with the hardened runtime flag. The solution is to also include this entitlement: <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true />
</dict>
</plist> |
No description provided.
The text was updated successfully, but these errors were encountered: