gon is a simple, no-frills tool for signing and notarizing your CLI binaries for macOS

Overview

gon - CLI and Go Library for macOS Notarization

gon is a simple, no-frills tool for signing and notarizing your CLI binaries for macOS. gon is available as a CLI that can be run manually or in automation pipelines. It is also available as a Go library for embedding in projects written in Go. gon can sign and notarize binaries written in any language.

Beginning with macOS Catalina (10.15), Apple is requiring all software distributed outside of the Mac App Store to be signed and notarized. Software that isn't properly signed or notarized will be shown an error message with the only actionable option being to "Move to Bin". The software cannot be run even from the command-line. The workarounds are painful for users. gon helps you automate the process of notarization.

Features

  • Code sign one or multiple files written in any language
  • Package signed files into a dmg or zip
  • Notarize packages and wait for the notarization to complete
  • Concurrent notarization for multiple output formats
  • Stapling notarization tickets to supported formats (dmg) so that Gatekeeper validation works offline.

See roadmap for features that we want to support but don't yet.

Example

The example below runs gon against itself to generate a zip and dmg.

[Image: gon Example]

Installation

The easiest way to install gon is via Homebrew:

$ brew tap mitchellh/gon
$ brew install mitchellh/gon/gon

You may also download the appropriate release for your platform from the releases page. These are all signed and notarized to run out of the box on macOS 10.15+.

You can also compile from source using Go 1.13 or later using standard go build. Please ensure that Go modules are enabled.

Usage

gon requires a configuration file that can be specified as a file path or passed in via stdin. The configuration specifies all the settings gon will use to sign and package your files.

gon must be run on a macOS machine with Xcode 11.0 or later. Code signing, notarization, and packaging all require tools that are only available on macOS machines.

$ gon [flags] [CONFIG]

When executed, gon will sign, package, and notarize configured files into requested formats. gon will exit with a 0 exit code on success and any other value on failure.

Prerequisite: Acquiring a Developer ID Certificate

Before using gon, you must acquire a Developer ID Certificate. To do this, you can either do it via the web or via Xcode locally on a Mac. Using Xcode is easier if you already have it installed.

Via the web:

  1. Sign into developer.apple.com with valid Apple ID credentials. You may need to sign up for an Apple developer account.

  2. Navigate to the certificates page.

  3. Click the "+" icon, select "Developer ID Application" and follow the steps.

  4. After downloading the certificate, double-click to import it into your keychain. If you're building on a CI machine, every CI machine must have this certificate in their keychain.

Via Xcode:

  1. Open Xcode and go to Xcode => Preferences => Accounts

  2. Click the "+" in the bottom left and add your Apple ID if you haven't already.

  3. Select your Apple account and click "Manage Certificates" in the bottom right corner.

  4. Click "+" in the bottom left corner and click "Developer ID Application".

  5. Right-click the newly created cert in the list, click "export" and export the file as a p12-formatted certificate. Save this somewhere. You'll never be able to download it again.

To verify you did this correctly, you can inspect your keychain:

$ security find-identity -v
  1) 97E4A93EAA8BAC7A8FD2383BFA459D2898100E56 "Developer ID Application: Mitchell Hashimoto (GK79KXBF4F)"
     1 valid identities found

You should see one or more certificates and at least one should be your Developer ID Application certificate. The hexadecimal string prefix is the value you can use in your configuration file to specify the identity.

Configuration File

The configuration file specifies the files to sign, the Apple ID credentials used for notarization, the signing identity, and the packages to produce. The configuration file format is HCL or JSON.

Example in HCL and then the identical configuration in JSON:

source = ["./terraform"]
bundle_id = "com.mitchellh.example.terraform"

apple_id {
  username = "[email protected]"
  password = "@env:AC_PASSWORD"
}

sign {
  application_identity = "Developer ID Application: Mitchell Hashimoto"
}

dmg {
  output_path = "terraform.dmg"
  volume_name = "Terraform"
}

zip {
  output_path = "terraform.zip"
}

{
    "source" : ["./terraform"],
    "bundle_id" : "com.mitchellh.example.terraform",
    "apple_id": {
        "username" : "[email protected]",
        "password":  "@env:AC_PASSWORD"
    },
    "sign" :{
        "application_identity" : "Developer ID Application: Mitchell Hashimoto"
    },
    "dmg" :{
        "output_path":  "terraform.dmg",
        "volume_name":  "Terraform"
    },
    "zip" :{
        "output_path" : "terraform.zip"
    }
}

Supported configurations:

  • source (array) - A list of files to sign, package, and notarize. If you want to sign multiple files with different identities or into different packages, then you should invoke gon with separate configurations. This is optional if you're using the notarization-only mode with the notarize block.

  • bundle_id (string) - The bundle ID for your application. You should choose something unique for your application. You can also register these with Apple. This is optional if you're using the notarization-only mode with the notarize block.

  • apple_id - Settings related to the Apple ID to use for notarization.

    • username (string) - The Apple ID username, typically an email address. This will default to the AC_USERNAME environment variable if not set.

    • password (string) - The password for the associated Apple ID. This can be specified directly or using @keychain: or @env: to avoid putting the plaintext password directly in a configuration file. The @keychain: syntax will load the password from the macOS Keychain with the given name. The @env: syntax will load the password from the named environment variable. If this value isn't set, we'll attempt to use the AC_PASSWORD environment variable as a default.

    • provider (string optional) - The App Store Connect provider when using multiple teams within App Store Connect. If this isn't set, we'll attempt to read the AC_PROVIDER environment variable as a default.

  • sign - Settings related to signing files.

    • application_identity (string) - The name or ID of the "Developer ID Application" certificate to use to sign applications. This accepts any valid value for the -s flag for the codesign binary on macOS. See man codesign for detailed documentation on accepted values.

    • entitlements_file (string optional) - The full path to a plist format .entitlements file, used for the --entitlements argument to codesign

  • dmg (optional) - Settings related to creating a disk image (dmg) as output. This will only be created if this is specified. The dmg will also have the notarization ticket stapled so that it can be verified offline and does not require internet to use.

    • output_path (string) - The path to create the dmg. If this path already exists, it will be overwritten. All files in source will be copied into the root of the dmg.

    • volume_name (string) - The name of the mounted dmg that shows up in Finder, the mounted file path, etc.

  • zip (optional) - Settings related to creating a zip archive as output. A zip archive will only be created if this is specified. Note that zip archives don't support stapling, meaning that files within the notarized zip archive will require an internet connection to verify on first use.

    • output_path (string) - The path to create the zip archive. If this path already exists, it will be overwritten. All files in source will be copied into the root of the zip archive.

Notarization-only mode:

  • notarize (optional) - Settings for notarizing already built files. This is an alternative to using the source option. This option can be repeated to notarize multiple files.

    • path (string) - The path to the file to notarize. This must be one of Apple's supported file types for notarization: dmg, pkg, app, or zip.

    • bundle_id (string) - The bundle ID to use for this notarization. This is used instead of the top-level bundle_id (which controls the value for source-based runs).

    • staple (bool optional) - Controls if stapler staple should run if notarization succeeds. This should only be set for filetypes that support it (dmg, pkg, or app).

Notarization-Only Configuration

You can configure gon to notarize already-signed files. This is useful if you're integrating gon into an existing build pipeline that may already support creation of pkg, app, etc. files.

Because notarization requires the payload of packages to also be signed, this mode assumes that you have codesigned the payload as well as the package itself. gon will not sign your package in the notarize blocks. Please do not confuse this with when source is set and gon itself creates your packages, in which case it will also sign them.

You can use this in addition to specifying source as well. In this case, we will codesign & package the files specified in source and then notarize those results as well as those in notarize blocks.

Example in HCL and then the identical configuration in JSON:

notarize {
  path = "/path/to/terraform.pkg"
  bundle_id = "com.mitchellh.example.terraform"
  staple = true
}

apple_id {
  username = "[email protected]"
  password = "@env:AC_PASSWORD"
}

{
  "notarize": [{
    "path": "/path/to/terraform.pkg",
    "bundle_id": "com.mitchellh.example.terraform",
    "staple": true
  }],

  "apple_id": {
     "username": "[email protected]",
     "password": "@env:AC_PASSWORD"
  }
}

Note that you may specify multiple notarize blocks to notarize multiple files concurrently.

Processing Time

The notarization process requires submitting your package(s) to Apple and waiting for them to scan them. Apple provides no public SLA as far as I can tell.

In developing gon and working with the notarization process, I've found the process to be fast on average (< 10 minutes) but in some cases notarization requests have been queued for an hour or more.

gon will output status updates as it goes, and will wait indefinitely for notarization to complete. If gon is interrupted, you can check the status of a request yourself using the request UUID that gon outputs after submission.

Using within Automation

gon is built to support running within automated environments such as CI pipelines. In this environment, you should use JSON configuration files with gon and the -log-json flag to get structured logging output.
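A pre-flight lint that a CI job could run on the JSON configuration before invoking gon. This is an added example, not part of gon or its Go library: it checks only rules stated in this README (password references, bundle_id with source, notarizable file types, staple support), and the function names, finding texts and sample config are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// gonConfig models only the JSON fields documented in this README.
type gonConfig struct {
	Source   []string `json:"source"`
	BundleID string   `json:"bundle_id"`
	AppleID  struct {
		Username string `json:"username"`
		Password string `json:"password"`
	} `json:"apple_id"`
	Notarize []struct {
		Path   string `json:"path"`
		Staple bool   `json:"staple"`
	} `json:"notarize"`
}

// File types accepted for notarization, and the subset that can be stapled.
var notarizable = map[string]bool{".dmg": true, ".pkg": true, ".app": true, ".zip": true}
var stapleable = map[string]bool{".dmg": true, ".pkg": true, ".app": true}

// lintConfig returns one finding per problem. getenv is injectable so the
// check can be tested; nil means the real process environment.
func lintConfig(raw []byte, getenv func(string) string) ([]string, error) {
	if getenv == nil {
		getenv = os.Getenv
	}
	var c gonConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parsing config: %w", err)
	}
	var f []string
	// The password must be a reference that resolves, never a literal secret.
	switch pw := c.AppleID.Password; {
	case pw == "":
		if getenv("AC_PASSWORD") == "" {
			f = append(f, "apple_id.password is unset and AC_PASSWORD is empty")
		}
	case strings.HasPrefix(pw, "@env:"):
		if name := strings.TrimPrefix(pw, "@env:"); getenv(name) == "" {
			f = append(f, "apple_id.password references unset variable "+name)
		}
	case strings.HasPrefix(pw, "@keychain:"):
		// Resolved from the macOS Keychain at run time; not checkable here.
	default:
		f = append(f, "apple_id.password is a literal secret; use @env: or @keychain:")
	}
	if c.AppleID.Username == "" && getenv("AC_USERNAME") == "" {
		f = append(f, "apple_id.username is unset and AC_USERNAME is empty")
	}
	if len(c.Source) == 0 && len(c.Notarize) == 0 {
		f = append(f, "neither source nor notarize is set")
	}
	if len(c.Source) > 0 && c.BundleID == "" {
		f = append(f, "bundle_id is required when source is set")
	}
	for i, n := range c.Notarize {
		ext := strings.ToLower(filepath.Ext(n.Path))
		if !notarizable[ext] {
			f = append(f, fmt.Sprintf("notarize[%d]: %q is not a dmg, pkg, app, or zip", i, n.Path))
		}
		if n.Staple && !stapleable[ext] {
			f = append(f, fmt.Sprintf("notarize[%d]: staple is set but %q cannot be stapled", i, ext))
		}
	}
	return f, nil
}

// Constructed sample: a literal password and a zip marked for stapling.
const sampleConfig = `{
  "notarize": [{"path": "/path/to/tool.zip", "bundle_id": "com.example.tool", "staple": true}],
  "apple_id": {"username": "ci@example.com", "password": "hunter2"}
}`

func main() {
	findings, err := lintConfig([]byte(sampleConfig), nil)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, m := range findings {
		fmt.Println("config:", m)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```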

Machine-Readable Output

gon always outputs human-readable output on stdout (including errors) and all log output on stderr. By specifying -log-json the log entries will be structured with JSON. You can process the stream of JSON using a tool such as jq or any scripting language to extract critical information such as the request UUID, status, and more.

When gon is run in an environment with no TTY, the human output will not be colored. This makes it friendlier for output logs.

Example:

$ gon -log-level=info -log-json ./config.hcl
...

Note you must specify both -log-level and -log-json. The -log-level flag enables logging in general. An info level is enough in automation environments to get all the information you'd want.

Prompts

On first run, you may be prompted multiple times for passwords. If you click "Always Allow" then you will not be prompted again. These prompts originate from Apple software that gon is subprocessing, and not from gon itself.

I do not currently know how to script the approvals, so the recommendation on build machines is to run gon manually once. If anyone finds a way to automate this please open an issue, let me know, and I'll update this README.

Usage with GoReleaser

GoReleaser is a popular full-featured release automation tool for Go-based projects. gon can be used with GoReleaser to augment the signing step to notarize your binaries as part of a GoReleaser pipeline.

Here is an example GoReleaser configuration to sign your binaries:

builds:
- binary: foo
  id: foo
  goos:
  - linux
  - windows
  goarch:
  - amd64
# notice that we need a separate build for the macos binary only:
- binary: foo
  id: foo-macos
  goos:
  - darwin
  goarch:
  - amd64
signs:
  - signature: "${artifact}.dmg"
    ids:
    - foo-macos # here we filter the macos only build id
    # you'll need to have gon on PATH
    cmd: gon
    # you can follow the gon docs to properly create the gon.hcl config file:
    # https://github.com/mitchellh/gon
    args:
    - gon.hcl
    artifacts: all

To learn more, see the GoReleaser documentation.

Go Library

Godoc

We also expose a supported API for signing, packaging, and notarizing files using the Go programming language. Please see the linked Go documentation for more details.

The libraries exposed are purposely lower level and separate out the sign, package, notarization, and stapling steps. This lets you integrate this functionality into any tooling easily vs. having an opinionated gon-CLI experience.

Troubleshooting

"We are unable to create an authentication session. (-22016)"

You likely have Apple 2FA enabled. You'll need to generate an application password and use that instead of your Apple ID password.

Roadmap

These are some things I'd love to see but aren't currently implemented.

  • Expose more DMG customization so you can set backgrounds, icons, etc.
    • The underlying script we use already supports this.
  • Support adding additional files to the zip, dmg packages
  • Support the creation of '.app' bundles for CLI applications
Comments
  • brew tap mitchellh/gon has stopped working

    I think this worked a couple of weeks ago, but I had a hardware problem and had to reinstall after repair. Now I get:

    $ brew tap mitchellh/gon
    ==> Tapping mitchellh/gon
    Cloning into '/usr/local/Homebrew/Library/Taps/mitchellh/homebrew-gon'...
    remote: Enumerating objects: 12, done.
    remote: Counting objects: 100% (12/12), done.
    remote: Compressing objects: 100% (9/9), done.
    remote: Total 12 (delta 2), reused 10 (delta 1), pack-reused 0
    Receiving objects: 100% (12/12), done.
    Resolving deltas: 100% (2/2), done.
    Error: Invalid formula: /usr/local/Homebrew/Library/Taps/mitchellh/homebrew-gon/gon.rb
    gon: Calling bottle :unneeded is disabled! There is no replacement.
    Please report this issue to the mitchellh/gon tap (not Homebrew/brew or Homebrew/core):
      /usr/local/Homebrew/Library/Taps/mitchellh/homebrew-gon/gon.rb:6
    
    Error: Cannot tap mitchellh/gon: invalid syntax in tap!
    
    opened by ndw 12
  • Support a notarization-only workflow

    To support a workflow where the item to be notarized (.pkg or .zip) does not require the existing gon process to perform the signing and packaging steps.

    • Add new optional notarize section to the config
    • Allow specifying notarize in lieu of sources
    opened by etter-tanium 5
  • warning Calling Bottle :unneeded is deprecated

    hello,

    The Homebrew bottle need some update since ":unneeded" is deprecated.

    Error messages on update with brew :

    Warning: Calling bottle :unneeded is deprecated! There is no replacement. Please report this issue to the mitchellh/gon tap (not Homebrew/brew or Homebrew/core): /usr/local/Homebrew/Library/Taps/mitchellh/homebrew-gon/gon.rb:6

    Thanks

    opened by gpkfr 3
  • IgnorePathIssues config option to treat some issues as non-fatal

    I'm getting notarization working for our Node.js .pkg files (ref https://github.com/nodejs/node/issues/29216) using gon but we have a small problem: there are binaries deep inside the pkg (inside a pkg for npm which is inside the pkg) that is neither signed or hardened. It's a minor dependency of npm that's not essential to installing Node and it'll only be encountered on command-line usage so ought to not be a problem for users.

    Apple passes the notarization but reports 3 "issues" for this particular file, because of #6, any issues are treated as fatal. But in this case, it doesn't appear to cause any problems for the package, it can be installed and used just fine even with this unsigned executable inside it.

    So, this PR is a suggestion of a way around that. It lets you keep the #6 behaviour and lets users of gon opt-in to treating certain issues as non-fatal by matching the "path" reported by Apple for each issue. Happy to adjust as needed to fit nicely with the rest of the tool nicely, or perhaps you have a suggestion for an alternative route?

    Here's a copy of a log with these issues so you can see what we're dealing with: https://gist.github.com/rvagg/d9befda67accfe1355f7cf6da399980b, it results in this stderr:

        3 issues during notarization:
        Issue #1 (warning) for path "node-v14.0.0-nightly202001223e5fd51bb9.pkg/npm-v6.13.6.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size": The binary is not signed.
        Issue #2 (warning) for path "node-v14.0.0-nightly202001223e5fd51bb9.pkg/npm-v6.13.6.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size": The signature does not include a secure timestamp.
        Issue #3 (warning) for path "node-v14.0.0-nightly202001223e5fd51bb9.pkg/npm-v6.13.6.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size": The executable does not have the hardened runtime enabled.
    
    opened by rvagg 3
  • Signing with an invalid developer ID cert returns success

    Issue: When I provide an invalid developer ID cert (oops), gon successfully completes and doesn't return an error. The log file shows a warning with the following under issues:

    "issues": [
        {
          "severity": "warning",
          "code": null,
          "path": "terraform",
          "message": "The binary is not signed with a valid Developer ID certificate.",
          "docUrl": null,
          "architecture": "x86_64"
        }
      ]
    

    IMO this is a fatal error, as the resulting executables can't be opened on OSX 10.15.

    Solution: Exit gon and return an error if this 'warning' appears in the log file.

    opened by mdeggies 3
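The two reports above (a path-based opt-in for non-fatal issues, and the invalid-certificate warning that should fail the run) can be combined in a post-notarization gate. This is an added example, not gon's code or the code of the pull request: it assumes the downloaded log is a JSON object with a top-level "issues" array shaped like the snippet above, and the allowlist matching rule, names and sample log are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// issue holds the fields of one "issues" entry that the gate needs.
type issue struct {
	Severity string `json:"severity"`
	Path     string `json:"path"`
	Message  string `json:"message"`
}

// verdict separates issues that fail the build from allowlisted ones.
type verdict struct {
	Fatal   []issue
	Ignored []issue
	Stale   []string // allowlist entries that matched no issue
}

// pathAllowed matches only whole trailing path components, so the entry
// "term-size" cannot match ".../evil-term-size".
func pathAllowed(path, entry string) bool {
	return entry != "" && (path == entry || strings.HasSuffix(path, "/"+entry))
}

// gate parses a log (assumed: a JSON object with a top-level "issues" array)
// and treats every issue as fatal unless its path is allowlisted.
func gate(logJSON []byte, allow []string) (verdict, error) {
	var doc struct {
		Issues []issue `json:"issues"`
	}
	if err := json.Unmarshal(logJSON, &doc); err != nil {
		return verdict{}, fmt.Errorf("parsing notarization log: %w", err)
	}
	var v verdict
	used := make(map[string]bool)
	for _, is := range doc.Issues {
		matched := false
		for _, a := range allow {
			if pathAllowed(is.Path, a) {
				used[a], matched = true, true
			}
		}
		if matched {
			v.Ignored = append(v.Ignored, is)
		} else {
			v.Fatal = append(v.Fatal, is)
		}
	}
	for _, a := range allow {
		if !used[a] {
			v.Stale = append(v.Stale, a)
		}
	}
	return v, nil
}

// report prints the verdict and returns the process exit code.
func report(v verdict) int {
	for _, is := range v.Fatal {
		fmt.Fprintf(os.Stderr, "FATAL   %s: %s\n", is.Path, is.Message)
	}
	for _, is := range v.Ignored {
		fmt.Fprintf(os.Stderr, "ignored %s: %s\n", is.Path, is.Message)
	}
	for _, a := range v.Stale {
		fmt.Fprintf(os.Stderr, "stale allowlist entry: %s\n", a)
	}
	if len(v.Fatal) > 0 {
		return 1
	}
	return 0
}

// Constructed sample reusing messages quoted in the two reports above.
const sampleLog = `{"issues": [
 {"severity": "warning", "code": null, "path": "terraform",
  "message": "The binary is not signed with a valid Developer ID certificate.",
  "docUrl": null, "architecture": "x86_64"},
 {"severity": "warning", "code": null,
  "path": "node.pkg/npm.pkg Contents/Payload/usr/local/lib/node_modules/npm/node_modules/term-size/vendor/macos/term-size",
  "message": "The binary is not signed.", "docUrl": null, "architecture": "x86_64"}
]}`

func main() {
	allow := []string{"term-size/vendor/macos/term-size", "vendor/unused-helper"}
	v, err := gate([]byte(sampleLog), allow)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	os.Exit(report(v))
}
```

Reporting unmatched allowlist entries keeps exceptions from outliving the dependency they were written for.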
  • gon reports notarizing failure even though Apple successfully notarized

    Our workflow can be found here. It worked fine in the past.

    2021-05-27T23:33:44.9183580Z     [bebopc.zip] File notarized!
    2021-05-27T23:33:44.9276730Z 
    2021-05-27T23:33:44.9332980Z ❗️ Error notarizing:
    2021-05-27T23:33:44.9358450Z 
    2021-05-27T23:33:44.9367080Z 1 error occurred:
    2021-05-27T23:33:44.9368930Z 	* package is invalid. To learn more download the logs at the URL: 
    2021-05-27T23:33:44.9372010Z 
    2021-05-27T23:33:44.9400060Z 
    2021-05-27T23:33:44.9417640Z ##[error]Process completed with exit code 1.
    2021-05-27T23:33:44.9839920Z Cleaning up orphan processes
    2021-05-27T23:33:45.2954010Z Terminate orphan process: pid (1240) (dotnet)
    
    opened by AndrewMD5 2
  • No such environment variable for key: 'AC_PASSWORD' (-1005)

    I'm following the excellent configuration advice in the README to create my first notarized package. Thank goodness for gon! Apple does not make this process easy to figure out for first-time developers.

    I'm stuck with the following errors shown below though with regards to notarizing.

    I see that Issue #10 appears to address this, but I can't quite figure out how to get gon to fall back to asking for the AC_PASSWORD.

    Honestly, I'm not sure what the AC_PASSWORD is. I found this article about setting an AC_PASSWORD in the keychain, but I'm a little nervous to do this; I'm not sure what I'm setting or how to undo it.

    What am I missing?

      $ gon hello_world.hcl
    ==> ✏️  Signing files...
        Code signing successful
    ==> 📦  Creating Zip archive...
        Zip archive created with signed files
    ==> 📦  Creating dmg...
        Dmg created and signed
    ==> 🍎  Notarizing...
        Files will be notarized concurrently to optimize queue wait
        Path: hello_world.zip
        Path: hello_world.dmg
        [hello_world.dmg] Submitting file for notarization...
        [hello_world.dmg] Error notarizing
        [hello_world.zip] Submitting file for notarization...
        [hello_world.zip] Error notarizing
    
    ❗️ Error notarizing:
    
    2 errors occurred:
    	* 1 error occurred:
    	* No such environment variable for key: 'AC_PASSWORD' (-1005)
    
    
    	* 1 error occurred:
    	* No such environment variable for key: 'AC_PASSWORD' (-1005)
    

    For completeness here's my .hcl configuration.

    source = ["./dist/hello_world"]
    bundle_id = "com.txoof.helloworld"
    
    apple_id {
      username = "[email protected]"
      password = "@env:AC_PASSWORD"
    }
    
    sign {
      application_identity = "Developer ID Application: Aaron Ciuffo"
    }
    
    dmg {
      output_path = "hello_world.dmg"
      volume_name = "Hello"
    }
    
    zip {
      output_path = "hello_world.zip"
    }
    
    opened by txoof 2
  • Failed to sign the app through Ansible (SSH)

    Hi,

    I am trying to use gon to sign my app and generate dmg file through Ansible (SSH) but it keeps failing. It works perfectly fine if I run it on Terminal on my local machine, however I got this error message on my Ansible's controller. Sorry if I'm being nonsense or missing any information.

    The error message is the following:

    {
        "changed": true,
        "cmd":
        [
            "./gon",
            "sign.json"
        ],
        "delta": "0:00:00.051501",
        "end": "2022-05-17 17:50:43.235146",
        "msg": "non-zero return code",
        "rc": 1,
        "start": "2022-05-17 17:50:43.183645",
        "stderr": "",
        "stderr_lines":
        [],
        "stdout": "==> ✏️  Signing files...\n❗️ Error signing files:\n\nerror signing:\n\n../xxx.app/Contents/PlugIns/libsqlite3.so: replacing existing signature\n../xxx.app/Contents/PlugIns/libsqlite3.so: errSecInternalComponent",
        "stdout_lines":
        [
            "==> ✏️  Signing files...",
            "❗️ Error signing files:",
            "",
            "error signing:",
            "",
            "../xxx.app/Contents/PlugIns/libsqlite3.so: replacing existing signature",
            "../xxx.app/Contents/PlugIns/libsqlite3.so: errSecInternalComponent"
        ]
    }
    
    opened by adrianyip1222-unity 1
  • Your Apple ID account is attached to other providers. You will need to specify which provider you intend to submit content to. Please contact us if you have questions or need help.

    I had been using my personal Apple ID to sign a Golang-based CLI tool for work. But a couple of days ago, I got added to the company's Apple account, generated the cert and new bundle ID.

    Today, I went to sign the binary with gon, and I got back the error message listed in the issue name. I have Xcode 11.5 installed and selected with xcode-select.

    Your Apple ID account is attached to other providers. You will need to specify which provider you intend to submit content to. Please contact us if you have questions or need help.

    Google has a large number of results, but this page suggests that it may require --itc_provider TEAM_ID to be passed to one of the underlying tools inside Xcode.app.

    Is this exposed anywhere in gon?

    opened by skyzyx 1
  • Support reading Apple ID username/email from environment

    Right now the properties within apple_id are being passed verbatim to altool, which has native support for reading Apple ID password from the environment (or keychain), but it would be handy to also support providing the Apple ID username via an environment variable.

    I'd like to commit my application's gon config to the repo that uses it, but would prefer to avoid publishing my Apple ID username/email.

    If this seems reasonable, I can throw up a PR.

    opened by maxfierke 1
  • Add support for zipping multiple source files (or a root directory)

    If multiple files are specified in source, currently the zip step does not work, as ditto does not support archiving multiple files at once. Instead, this refactors the zip step a bit to first copy all the source files into a temporary directory, and then archive the directory.

    I'm not really a Go developer, so let me know if I've strayed from any idioms!

    opened by maxfierke 1
  • Embed provisioning profile

    Right now if a binary needs restricted entitlements then a host should have provisioning profile installed or the "app" should embed it. Otherwise error like the following will occur and macOS will kill the binary:

    taskgated-helper	Disallowing tart because no eligible provisioning profiles found
    mac_vnode_check_signature: tart: code signature validation failed fatally: When validating tart:
      Code has restricted entitlements, but the validation of its code signature failed.
    

    I found this piece of documentation:

    Some macOS products, like daemons and command-line tools, ship as a standalone executable. A standalone executable can’t claim a restricted entitlement because there’s no place to embed the provisioning profile that authorizes that claim. If your standalone executable needs to do this, wrap it in an app-like structure. For an example of this, see Signing a Daemon with a Restricted Entitlement.

    The "If your standalone executable needs to do this, wrap it in an app-like structure." part is very concerning for just distributing binaries.

    I haven't yet figured out how to embed provisioning profile with a binary so decided to create this issue/feature request to surface the use case and see if someone experienced it.

    opened by fkorotkov 0
  • bless: The 'openfolder' is not supported on Apple Silicon devices.

    [[email protected]]00:36:17|~/go/src/github.com/Notifiarr/notifiarr$ /Users/david/go/bin/gon gon.json
    ==> ✏️  Signing files...
        Code signing successful
    ==> 📦  Creating dmg...
        This will open Finder windows momentarily.
    ❗️ Error creating dmg:
    
    error creating dmg:
    
    Creating disk image...
    created: /Users/david/go/src/github.com/Notifiarr/notifiarr/rw.notifiarr.dmg
    Mounting disk image...
    Unmounting disk image...
    Mount directory: /Volumes/Notifiarr
    Device name:     /dev/disk8
    Copying custom files...
    ./notifiarr
    Running Applescript: /usr/bin/osascript "/var/folders/ks/dgpqf8ld1qg5871wcc2fqw340000gn/T/createdmg.tmp.XXXXXXXXXX.Dzo8JSw2" "Notifiarr"
    waited 1 seconds for .DS_STORE to be created.
    Done running the applescript...
    Fixing permissions...
    Done fixing permissions.
    Blessing started
    bless: The 'openfolder' is not supported on Apple Silicon devices.
    

    iMac M1 running macOS 12.4. Installed gon by running: go install github.com/mitchellh/gon/cmd/[email protected] Let me know if I can provide more info. This is the first time I've used this app.

    opened by davidnewhall 1
  • Unable to upload your app for notarization. (-1011)

    I hit this and couldn't find many mentions of this exact error code on the internet. Fortunately, I solved it so I'm just posting an issue to benefit others who may be searching for the same code.

    From what I could tell, this happens because multi-device authentication is enabled for my account, so logins via my primary email+password pair typically require a secondary device (iPhone etc) to validate the authentication.

    Obviously machine authentication cannot do this and it doesn't make sense for a CI pipeline anyway. The solution is actually mentioned in the docs but the error code is different (maybe outdated? Apple doesn't document this stuff...)

    What you want is an application specific password in place of AC_PASSWORD which is done via this button:

    On the page https://appleid.apple.com/account/manage

    Hope that helps someone spend fewer hours figuring it out than I did!

    opened by Southclaws 0
  • error signing: code object is not signed at all

    I am not sure that it is a bug, and I rather suppose that I am doing something wrong, but maybe you could help me with this.

    While signing a binary, I get the following error:

    code object is not signed at all
    

    I signed some other binaries, and it worked perfectly well, so I suppose the problem is with this binary only. It is an electron app.

    opened by chubin 0
  • Add support for codesign requirements:

    https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG6

    This allows adding a requirements line to the configuration to specify the requirements. The line should look something like:

    designated => anchor trusted and identifier com.foo.bar

    opened by areese 0
Releases(v0.2.5)
Owner
Mitchell Hashimoto