1.67 binary for macOS not notarized?

I just downloaded https://downloads.rclone.org/v1.67.0/rclone-v1.67.0-osx-arm64.zip and unzipped it. Then, when I ran it I got the gatekeeper popup about it not having been checked by Apple, etc. I'm pretty sure the 1.65 binary I had was. Is this my imagination? Is this a feature or bug?

It never was.

The problem here is not rclone but your browser, which sets the quarantine flag on the downloaded zip file.

If you install it using brew or by running the installation script, no flag is set. It is the same as any other downloaded binary - for example, not a single brew-installed binary is notarized and you will never see Gatekeeper popping up.

It is mentioned in docs.


In your opinion @kapitainsky would it be worth me investing in the infrastructure to sign the rclone binaries?

As a MacOS user (and others) I'll chime in and say "no". At least not yet.

Solutions seem to work, and the activity is not onerous. So you are throwing money out of the window. Unless you then charge for a signed version, which seems to add extra complexity. But even if it is only 100 dollars or so, is it really a problem presently?

I guess if enough MacOS users who "need" it start to make donations to you, however small, which I recommend anyway then you could consider it.

I cannot comment on any "backend" work you might have to do, other than the cost.


I think that is $99/yr, just to make it explicit. And the act of signing and notarizing did get easier about a year ago (IIRC), but it's still a PITA. At least it can be automated, though.

As for should you spend it? Eh, I think there is value in seeing it notarized. In this case, the first thought I had, because I thought they were notarized before, was "hmm, did his website get hacked?" ... I'll update my notes for downloading new versions to remove the quarantine flag on the download before I install it. That should help.

Btw, there was a discussion on HN about how it will likely become more difficult to run non-notarized software in the next version of macOS. I wonder how that will impact Homebrew... now we'll have to install from source??

Thanks, @kapitainsky for the reminder this has always been the case.
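The quarantine workflow discussed above, as an added example that is not part of any post in this thread or of rclone's own tooling: check the downloaded archive against a SHA-256 checksum list first, and clear the `com.apple.quarantine` attribute only if the hash matches. It assumes a checksum list in `sha256sum` format obtained from a source you trust; the function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not rclone's code): verify a download before clearing
# the macOS quarantine attribute. Function names are hypothetical.

QUARANTINE_ATTR="com.apple.quarantine"

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # shasum ships with macOS
    fi
}

# Look up the expected hash for a file name in a "HASH  NAME" list.
expected_hash() {   # $1 = checksum list, $2 = file name
    awk -v name="$2" '$2 == name || $2 == ("*" name) { print $1; exit }' "$1"
}

# Return 0 on match, 1 on mismatch, 2 if the list has no entry.
verify_download() {   # $1 = archive, $2 = checksum list
    want=$(expected_hash "$2" "$(basename "$1")")
    [ -n "$want" ] || { echo "no checksum entry for $1" >&2; return 2; }
    got=$(sha256_of "$1")
    [ "$got" = "$want" ] || { echo "checksum MISMATCH for $1" >&2; return 1; }
}

# Verify first; remove the quarantine attribute only on success.
release_from_quarantine() {   # $1 = archive, $2 = checksum list
    verify_download "$1" "$2" || return $?
    # xattr exists on macOS; elsewhere, or if the flag is absent, do nothing.
    if command -v xattr >/dev/null 2>&1 &&
       xattr -p "$QUARANTINE_ATTR" "$1" >/dev/null 2>&1; then
        xattr -d "$QUARANTINE_ATTR" "$1"
    fi
}

# Usage: sh this-script.sh <archive.zip> <checksum-list>
if [ "$#" -eq 2 ]; then
    release_from_quarantine "$1" "$2"
fi
```

Run it on the zip before unpacking, so the extracted binary is only trusted after the hash check has passed.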

IMO yes - Apple is making it increasingly hard to use non-signed binaries.

https://mjtsai.com/blog/2024/07/05/sequoia-removes-gatekeeper-contextual-menu-override/

Thanks for your thoughts, macOS users. It sounds like signing is the way to go with the way Apple are going.

I don't mind the $99 / year, however I would, if possible, like to automate the signing using GitHub actions as part of the build.

It looks like there is an action to install the developer certs

I don't know how you actually sign stuff though, there must be a cli to do it.

Does anyone know of any open source projects on GitHub doing this?

Very good question. I don't, off the top of my head. I will look, though. I know the dev for emacsformacosx.com does automatic builds, so I'll see if I can find something there.

I remember they went from "submit your zipped app for notarization, poll status until it's done" to "call this to notarize and there's a --wait argument". That was a nice simplification.

Hmmm, that part isn't open source. Ah, well. I'll look around for something else.

I was wrong, it is. It's here: GitHub - caldwell/build-emacs: Build scripts for www.emacsformacosx.com

The combine-and-package program looks very promising.

Goreleaser (Notarize macOS binaries - GoReleaser) uses quill as its backend:

As a bonus, it's written in Golang too :grinning:.


Two great examples, thank you both.

I looked through both the repos and everything is a bit clearer. The quill tool looks neat. I can use the codesign binary on the macOS builder directly too.

I will have an experiment with this and try to get it done for the 1.68 release.

I made an issue about this

It will be very nice to have binaries signed, but by no means is it mandatory.

Running unsigned code is not going away from macOS and IMO users are familiar with how to do it - especially ones using cmd tools like rclone. There are plenty of open source projects not signing their binaries - either because of ideological reasons or simply not willing to pay $100 per year for this pleasure.

But again, if there is the will to pay and do it then it is nice:) I would also look at notarisation (binary is submitted to Apple and they automatically scan it to give it a seal of approval).

I have nothing to add on whether this is needed or not, but I just came across this article: A very rough guide to notarizing CLI apps for macOS | Random Errata. Maybe it helps.
