Yes, we would ideally verify the digest when downloading rcodesign.
The Mach-O executables are signed with my Apple code signing certificate. But the tarball release artifacts are currently not signed. I could potentially publish PGP cleartext signatures for these assets.
For right now, it's probably fine to hardcode the SHA-256 digests of the tarballs.
Note that if we validate content digests we need to provide a config mechanism to specify them. And there will be different digests for each architecture. I believe this complexity is why I didn't implement the feature.
Would there be benefit in optionally verifying the hash or signature of the rcodesign binary? Right now there is no such check:
https://github.com/indygreg/apple-code-sign-action/blob/main/src/main.js#L51. I'm not sure if you sign the binaries right now or if you'd be willing to though.
And if you think there would be benefit, would you take a pull request to implement this optional feature?
Thanks!