Feature request: Notarize the MacOS binaries in the pipeline

[oscrx]

Notarize the MacOS binaries in the pipeline

When installing the Openshift Client on MacOS the Gatekeeper warns that the binary is untrusted and blocks it.
Users then have to go into the settings and overrule the block.
The process is pretty involved every update and may lead to users disabling safety features on their devices.

Related RedHat blog post about it by @DonSchenck

Suggested solution

Integrating this tool in the pipeline submits the binaries to Apple for verification (malware checks etc)
https://github.com/Bearer/gon

Requirements to fix this issue

• An Apple developer account
• Knowledge of the build process (upstream at RedHat?) (a.k.a. the magic that puts everything at mirror.openshift.com)

The steps users have to take if they don't want to disable security settings

1. oc get updated (by manual download of with Brew)
2. User tries to use it. (Or opens a new terminal and it gets used for shell completion)
3. A warning message appears and the user clicks Done

4. User opens System settings and finds the Security menu.
5. User resets/overrules the warning.

6. User tries to use oc again. Warning reappears.

7. User uses administrator/sudo rights to ignore the warning and stops being bothered until the next update.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[MagerValp]

/remove-lifecycle stale

[ardaguclu]

This issue was supposed to fix by #1242. Could you please manually download oc for MacOS (e.g. https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.20.1/openshift-install-mac-4.20.1.tar.gz) from https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.20.1/ and test on your machine?.

[ardaguclu]

this sha256 hash e5cfb94ed2d4c819287ab703963f53b7cfc5bc59c92ef6728590e47ebcd2cb20 in https://github.com/Homebrew/homebrew-core/blob/main/Formula/o/openshift-cli.rb points to linux/amd64 oc in https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.20.1/sha256sum.txt. I was expecting to point openshift-client-mac-4.20.1.tar.gz

[MagerValp]

This issue was supposed to fix by #1242. Could you please manually download oc for MacOS (e.g. https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.20.1/openshift-install-mac-4.20.1.tar.gz) from https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.20.1/ and test on your machine?.

I take it you mean openshift-client and not openshift-install?

% curl -sLO https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.20.1/openshift-client-mac-4.20.1.tar.gz
% tar zxvf openshift-client-mac-4.20.1.tar.gz      
x README.md
x oc
x kubectl
% file oc
oc: Mach-O 64-bit executable x86_64
% codesign -dvv oc
oc: code object is not signed at all

Similar results for the arm64 binary.

[oscrx]

I was trying it out as well but had similar results. It did work however when I installed the binary with brew...
I will have to look into it again