code signing for OS X
edbordin opened this issue · comments
On OS X, archives downloaded in the browser are marked with a "quarantine flag" which is transferred to all files when an archive is extracted https://discourse.brew.sh/t/code-signing-installed-executables/2131/12
The user will get a warning for every executable they try to run if this flag is set.
These are the solutions to avoid the warning that I'm aware of:
- Download with a CLI tool like wget
- Remove the flag from the archive before extracting with
xattr -d com.apple.quarantine
- Manually allow each executable to run (annoying and probably impractical if changing builds frequently).
- Code-sign the executables, which should stop the warning appearing at all so long as the developer cert is valid.
I will leave this open for discussion. I'm inclined to say we don't need it but I am not the end user of this build so happy for others to chime in.
EDIT: This behaviour is not new in Catalina so I'm inclined to think users are used to it. But this can stay open for now in case somebody wants to make a case for signing the binaries.
edit 2: windows 10 actually behaves a similar way