code sign the scie-pants binary on macOS #82
Comments
Hrm. I wonder if code signing scie-jump would solve this more centrally. Perhaps not. I'll have to read up and someone will have to be paying a yearly Apple developer fee IIUC. Mac is ridiculously unfriendly to developers.
Maybe the Pants foundation could do that?
I just now paged this in. I have not heard complaints from folks using either the brew tap install method, the curl method or the script check in and run method. @tdyas I don't have a Mac; so can you confirm you're talking about downloading with a browser or running curl yourself and then trying to run the binary directly? Or are you trying to use the pantsbuild.org recommended
Typically this is a problem when downloading via a browser (e.g. go to the Releases page, then download). Generally you're asked for admin to go into settings and allow running executables by "unidentified developers". Using
@tdyas if that's also the case for you, I'm inclined to add a warning to the README and defer. Beyond tacitly patting Apple on the back for being unfriendly by paying them, reading IndyGreg docs seems to indicate this will inject a manual ~owners only step in my currently fully automatic release that can be run by any maintainer. It would be great to not have to do all this hoop jumping if the only case it saves is browser download. Ideally, yes, scie-pants provides a great experience no matter how you use it, but my god - this is a burden that fails the categorical imperative.
@jsirois FYI, for brew, we have this line in order to make it executable at all (as it wouldn't show a dialog where you could select to go ahead anyway):

```ruby
postflight do
  Quarantine.release!(download_path: "#{caskroom_path}/#{version}/#{Utils.binary}") if Quarantine.available?
end
```

So yeah, I think we can manage without code signing.
Yes, it was from having downloaded from the release page.
We should code sign the scie-pants binaries on macOS. This will make for better UX for users who download the binary directly. (The goal would not be to be in the App Store, but just to be an "identified developer" to the macOS "Gatekeeper" subsystem.)
The apple-codesign crate provides a pure Rust solution to signing macOS binaries. (Documentation is here.)