- Fixed a bug where symlinks weren't being written to notarization zip
  files properly. This prevented bundles containing symlinks from notarizing
  correctly.
- The filename used in notarization uploads is now normalized to avoid
  rejection due to spaces and colons.
- Support for remote signing. The feature is documented extensively in the
  Sphinx documentation. Essentially, 2 independent machines communicate with
  each other with end-to-end encrypted messages via a websocket bridged through
  a central server. Signing requests are sent to a remote machine which is in
  possession of the signing key. Signatures are made on the remote machine and
  transmitted back to the originating machine. Remote signing enables signing
  to be performed more securely by facilitating signing without having to give
  the initiating machine access to the signing key.
- Default log output format has changed. Lines are no longer prefixed with the
  time, log level, or logging module by default. A -v/--verbose global flag
  has been added to increase the verbosity of logging. This can restore the
  printing of the prefixes. This crate uses env_logger
  (https://crates.io/crates/env_logger), so it is possible
  to customize default behavior via environment variables.
- The possible values for --code-signature-flags are now advertised in
  help output.
- Written Mach-O files should now always have their filesystem permissions
  preserved. Before, we may not have preserved file permissions in all code
  paths writing Mach-O files.
- A new keychain-print-certificates command can be used to print
  certificates available in macOS keychains.
- Initial support for using macOS keychain certificates for code signing.
  Previously, we required that certificates be exported from the keychain in
  order to sign. We now support signing using SecurityFramework APIs so
  keys don't have to leave the keychain. Due to a limitation in the Rust
  bindings to SecurityFramework, decryption using keychain keys is not
  supported, so the public key agreement method of remote code signing
  will not yet work with keychain-based keys. The new --keychain-domain
  and --keychain-fingerprint arguments can be used to specify how to
  search for and use keychain-hosted keys.

This discussion was created from the release Apple Codesign 0.14.0.