Code Signing? #53

Open
martinheidegger opened this issue Jun 29, 2021 · 7 comments
@martinheidegger

How could code signing be added to the CI process? Code signing is particularly relevant for macOS.

@wangyoucao577
Owner

What kind of code signing? How does it work generally?

@wangyoucao577
Owner

Thanks for the information! It seems that code signing is mostly useful on macOS to avoid the warning, right?
After some searching, I saw that "Build, notarize, and sign Golang binaries for MacOS with GitHub Actions" shows a very good example. It uses mitchellh/gon to sign Mac apps.

To give it a try, the steps below are required:

  • prepare your key
  • separate the go-release-action for macOS, since it needs to sign the app
    • use pre_command to install mitchellh/gon
    • use post_command to sign the executable binary via mitchellh/gon: it doesn't exist right now, but I can create a branch to add it if you'd like to have a try.

Please let me know if you have any thoughts. Thanks!

@martinheidegger
Author

On macOS the warning is intense, but code signing is also, to a smaller degree, relevant on Windows if I remember right. I would definitely try your branch. About the API/workflow though: wouldn't it be easier to have an optional setting for gon config that runs gon internally if the task is running on macOS?

@wangyoucao577
Owner

Please have a try with wangyoucao577/go-release-action@feature/code-signing which has added post_command already.

The task will never run on macOS: even when building a binary that targets macOS, the running OS is Debian.
I agree that it would be easier to use if something like gon were integrated into go-release-action internally. But first I think it's better to achieve the functionality and try to figure out a unified way to solve the problem on all platforms. Then I'll be happy to integrate it internally.

@wangyoucao577
Owner

I checked out https://github.com/mitchellh/gon and recognized that this can't be achieved currently, since the tool depends on Apple Xcode and has to run on macOS, whereas this action runs Debian inside. We need to figure out a new idea.

@afreeland

Curious if anyone found a good solution? The dialog is pretty scary. It would be awesome to find a way to easily sign an executable for macOS.
