Thinking about codesignig and notarizatio

Question

< alessandrogario> Thinking about codesignig and notarization

seph · Answer

osx pkg files are `xar` format Sometimes `tar` will read them else `xar` will

seph · Answer

<https gist github com directionless 767825510afc3cce99dfeb1d4eadb67a> has some of the notes

seph · Answer

Much of what I know is encoded into <https github com kolide launcher blob master Makefile> that tool is kinda terrible being make but it s easier to point at than the go code Though I can find the go if we want to use that tooling

seph · Answer

codesign and notarize snippets are <https github com kolide launcher blob master Makefile L147 L168>

seph · Answer

Which is very similar to <https github com trailofbits sinter blob master packaging scripts notarize sh L97>

seph · Answer

windows side from linux you can do <https github com kolide launcher blob master Makefile L171 L182>

seph · Answer

My go code for this is a bit sprawling but <https github com kolide launcher blob master pkg packagekit package pkg go> is the core of the pkg generation It runs 1 `pkgbuild` to get a flat package 2 `productbuild` to get a distribution package 3 `xcrun altool` to submit it to notary And the larger framework sets the notarization uuid as storage metadata which something else comes along to check later on

seph · Answer

All the rest of that code is error handling and setup and whatnot

seph · Answer

If you want the gritty notarization code it recently moved to a public repo <https github com kolide launcher blob master pkg packagekit applenotarization applenotarization go> the only real callout is that ` output format xml` makes it way easier to parse