Skip to content

v0.11.3 — prefer Developer ID signing for the watch bundle

Choose a tag to compare

@tymrtn tymrtn released this 23 May 14:22

Fix

v0.11.2 unconditionally ad-hoc signed the watch bundle on install. That was the right fallback for end users (who don't have my Developer ID cert), but wrong on machines that do — and "always ad-hoc when we have a real cert sitting in the keychain" is the kind of laziness that shows up in System Settings as a half-built tool.

What changed

`diskspace watch install` now runs `security find-identity -v -p codesigning` and signs the bundle with the first Developer ID Application identity it finds (with hardened runtime + Apple timestamp). No `--deep` flag, so the inner Mach-O's existing notarized signature is preserved — codesign only seals the bundle wrapper. Falls back to ad-hoc when no Developer ID is available.

Result

  • On the developer's machine (or any Mac with a Developer ID Application cert): bundle is now Developer-ID signed with a real `TeamIdentifier`, hardened runtime, and Apple-anchored timestamp. Gatekeeper now rejects with "Unnotarized Developer ID" instead of "unidentified developer" — same daemon behavior, but the dialog the user might encounter is much friendlier and overridable.
  • On a Mac without the cert: identical to v0.11.2 (ad-hoc fallback).

Open follow-up

The cleanest fix is to sign + notarize the bundle at release time and ship a pre-cleared bundle as a release artifact. That eliminates Gatekeeper rejection entirely. Tracking for v0.12.

Upgrade

```bash
brew upgrade diskspace
diskspace watch uninstall
diskspace watch install
```