Signed release pkg/hash of signed contents #40

Closed
arubdesu opened this issue Apr 3, 2016 · 3 comments
arubdesu (Contributor) commented Apr 3, 2016

I'm working on autopkg recipes for santa, but can't use code signature verification for the pkg, which adds multiple steps unpacking the payload and verifying the signatures after each release gets pulled. Waiting on this pr to be merged before I can even check the kext separately. Ideally we'd just need to run pkgutil --check-signature /Volumes/santa-0.9.8/santa-0.9.8.pkg to generate the config that would verify all artifacts contained therein. If that's not desirable or doable in the meantime, is it possible to publicly post a hash of each release pkg that we can query over the GitHub API?
I'd assume once you hit 1.0 you may have signed pkgs, just starting the conversation now.

marczak (Contributor) commented Apr 3, 2016

We'll have a signed kext, but expect that people should ultimately be building and signing the extension themselves. Signed packages shouldn't be a problem, though.

russellhancox (Collaborator) commented

That's untrue, we'll always supply a signed kext because getting an extension signing certificate is intentionally difficult. The only reason to build yourself is if you want to customize it in some way that wouldn't make sense as an option.

I'll start uploading a signed package for future releases.

@arubdesu: if you want a signed package for 0.9.8 let us know, otherwise 0.9.9 should be out in a few weeks, probably.


@russellhancox russellhancox added this to the 0.9.9 milestone Apr 7, 2016
@russellhancox russellhancox self-assigned this Apr 7, 2016
arubdesu (Contributor, Author) commented Apr 9, 2016

I'm fine sitting tight, if anyone else is paranoid in the meantime, I'm getting 0d843077036211460bb944a03b85d28799091e29fb5cac282a5f35d124d12845 as a sha256 for santa-0.9.8.pkg. Not sure the autopkg folks are going to merge my kext checker in the near future, so I'll be glad to change this to a pkg sig checking version when that's live. Thanks!

@arubdesu arubdesu closed this as completed Apr 9, 2016