Sign standalone macOS version

[rgaudin]

As you know, macOS binaries needs to be properly signed and notarized to be used directly in Catalina+.

You've done it properly for the installer version and that's great but the standalone version is not concerned.

I've read this comment from @pdcastro (which followed #1251 and #2180) that lists the workaround for end-users but until this is fixed, it's not possible to bundle balena-cli into another tool that would be notarized.

My understanding of the problem is that the standalone version is built using pkg and the issue is upstream at vercel/pkg#128

[pdcastro]

Connects-to: #2244

[pdcastro]

@rgaudin, we don't currently have plans of notarizing the standalone zip package for macOS -- we were actually considering whether to stop releasing it for macOS, because there are already 2 alternatives:

• The graphical installer for macOS (which is notarized)
• The npm installation option, which does not normally require notarization.

And there is the xattr -c workaround described in #2244.

Consider whether these alternatives would work in your case. Also, if all you need is the flashing ability, consider how the local flash command is implemented, and how it builds on etcher-sdk:

• https://github.com/balena-io/balena-cli/blob/master/lib/commands/local/flash.ts
• https://github.com/balena-io-modules/etcher-sdk

[rgaudin]

Understood. Thank you for replying this clearly.

As we bundle it in our tool, the npm install doesn't work. The quarantine label removal trick neither as it allows to bypass Gatekeeper but not to notarize it.
Exploding the installer version and bundling its content is probably our best option here.

I'd advise you keep the unnotarized zip package as it's useful for bundling it despite this notarization issue. Also, I'd expect pkg to fix the upstream issue at some point.