A Completely Open-Source Implementation of Apple Code Signing and Notarization

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

InfluxDB - Power Real-Time Data Analytics at Scale
Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured
  • PyOxidizer

    A modern Python application packaging and distribution tool

  • XAR signing is effectively just an RFC 5652 CMS signature plus some minimal data structure manipulation. Code at https://github.com/indygreg/PyOxidizer/blob/faa7dfcea5d66bf5....

    Mach-O and bundles, by contrast, require a myriad of additional data structures requiring thousands of lines of code to support. To my knowledge, nobody else has implemented signing of these far-more-complicated primitives. (Existing Mach-O signing solutions just do ad-hoc signing and/or don't handle Mach-O in the context of a bundle.)

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo
  • I think Apple's official code signing tool is also open source?

    https://github.com/Apple-FOSS-Mirror/security_systemkeychain...

  • swift-corelibs-foundation

    The Foundation Project, providing core utilities, internationalization, and OS independence

  • CoreFoundation is (partially?) open-source and cross-platform now: https://github.com/apple/swift-corelibs-foundation

  • osxcross

    Mac OS X cross toolchain for Linux, FreeBSD, OpenBSD and Android (Termux)

  • This is actually a solved problem, using osxcross[0]. The experience is honestly very smooth, and we don't require any apple proprietary binaries. The only thing apple-proprietary is their SDK (containing the header files for compiling, and tbd files for linking), which can be downloaded from apple's website (at least if you have a developer account), or from various GitHub projects archiving them.

    [0]: https://github.com/tpoechtrager/osxcross

  • lemur

    Repository for the Lemur Certificate Manager

  • this feels like a job for lemur and smallstep

    https://smallstep.com/docs/step-ca

    https://github.com/Netflix/lemur

  • gon

    Discontinued Sign, notarize, and package macOS CLI tools and applications written in any language. Available as both a CLI and a Go library. (by mitchellh)

  • I’ve always used gon ( https://github.com/mitchellh/gon ) for this, which is open source golang, but I don’t think it supports mach-o embedding. I’ll have to try this tool out.

  • isign

    Code sign iOS applications, without proprietary Apple software or hardware (by isignpy)

  • Kudos to these developers. I wish them success.

    If I can do a small derail: I and some contributors had this mostly working a few iOS versions ago with isign (https://github.com/isignpy/isign). This is befor notarization. Announced several times to HN but didn’t seem to be interesting to many people.

    This was a spin-off from our work at a testing company. I’m not an iOS developer.

    I tried to make it into something, but I could never figure out who actually wanted this. What potential uses are foreseen for rcodedesign?

    We did a project for a large financial company to make it compatible with hardware security module signing, but they never implemented it due to the pandemic changing priorities, and then someone discovered there was a little-known API to do something similar anyway, so our project was shelved. (We got paid though).

    From time to time I am contacted by people who run alternative app stores, either distributing hacked versions of paid apps, or who run app store in countries under embargo from Western countries. (They have banks, they have iOS apps, their customers have iPhones, they want a way to distribute them). The ethical issues and legal risks seemed significant so I never pursued that. If someone wants to go do that, I guess that’s a use case.

    It might have some use in build pipelines, but without a true Linux build environment it didn’t seem like a win.

    So… again kudos, but what can we do with this? I’m not dissing it, I’m genuine baffled. I also thought this would be important and useful but couldn’t figure it out.

  • SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

    SaaSHub logo
  • ldid

    Link Identity Editor. Put real or fake signatures in a Mach-O.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts

  • Which Root Certificates should you trust? Find out with CertInfo

    1 project | news.ycombinator.com | 14 Jun 2024
  • How to Resolve Node.js ERR_OSSL_EVP_UNSUPPORTED Error

    1 project | dev.to | 28 May 2024
  • Heartbleed and XZ Backdoor Learnings: Open Source Infrastructure Can Be Improved Efficiently With Moderate Funding

    2 projects | dev.to | 7 Apr 2024
  • Ask HN: How does the xz backdoor replace RSA_public_decrypt?

    1 project | news.ycombinator.com | 1 Apr 2024
  • Recent 'MFA Bombing' Attacks Targeting Apple Users

    2 projects | news.ycombinator.com | 27 Mar 2024