I think Apple's official code signing tool is also open source? <a href="https://github.com/Apple-FOSS-Mirror/security_systemkeychain/blob/master/src/codesign.cpp" rel="nofollow">https://github.com/Apple-FOSS-Mirror/security_systemkeychain...</a><p>xar is another tool for codesigning Mac installer packages, which runs on Linux. I've used it successfully in the past.<p><a href="https://users.wfu.edu/cottrell/productsign/productsign_linux.html" rel="nofollow">https://users.wfu.edu/cottrell/productsign/productsign_linux...</a>
This is so fantastic. I wouldn't have believed it was possible had I not seen it here. I maintain multiple old OSX machines solely for this purpose; migrating to Linux for this step makes me feel so much safer for my CI build systems.
The only thing left to solve is to actually build cross platform. You can do with rust cross but you have to build your own docker images on macos first since apple licensing prohibits redistribution of binaries. It would save us so much money in github CI minutes.
I came here to whine about Apple Code signing, and how this seems like a terrible thing to reproduce, until I realized this breaks free of Apple, and is hopefully much more sane! Well done!
Kudos to these developers. I wish them success.<p>If I can do a small derail: I and some contributors had this mostly working a few iOS versions ago with isign (<a href="https://github.com/isignpy/isign" rel="nofollow">https://github.com/isignpy/isign</a>). This is befor notarization. Announced several times to HN but didn’t seem to be interesting to many people.<p>This was a spin-off from our work at a testing company. I’m not an iOS developer. (That may be why I could never see what to do with this.)<p>I tried to make it into something, but I could never figure out who actually wanted this. What potential uses are foreseen for rcodedesign?<p>- Weird custom signing. We did a project for a large financial company to make it compatible with hardware security module signing, but they never implemented it due to the pandemic changing priorities, and then someone discovered there was a little-known MacOS API to do something similar anyway, so our project was shelved. (We got paid though).<p>- “Alternative” app distribution. From time to time I am contacted by people who run alternative app stores, either distributing hacked versions of paid apps, or who run app store in countries under embargo from Western countries. (They have banks, their customers have iPhones, they want a way to distribute iOS apps). The ethical issues and legal risks seemed significant so I never pursued that. If someone wants to go do that, I guess that’s a use case.<p>- Build pipeline. Maybe, but you can’t fully build a iOS app on Linux so it didn’t seem like a win.<p>- Mass app production. I am aware of some app white-labeling concepts that used isign back in the day. There was a guy who had a generic app for local news outlets, and essentially uploaded it to the App Store dozens of times under different names, for new versions. isign was more scriptable (and I wrote a multi-resign option for this use case) but I didn’t see a way to turn this into a business.<p>- Testing on real devices. Even the original use case (re-signing apps to run on local device labs) has been mostly obviated. Hosting and scripting on MacOS has gotten better.<p>- ??? something else? I even reached out to saurik about this at a conference. Cydia worked on jailbroken devices, so it didn’t need signing. To my surprise saurik was angry with me. He said that many, many companies had figured this out internally so he was skeptical we would ever release it. (We did!)<p>So… again kudos, but what can we do with this? I’m not dissing it, I’m genuinely baffled. I also thought this would be important and useful but couldn’t figure it out.
I’ve always used gon ( <a href="https://github.com/mitchellh/gon" rel="nofollow">https://github.com/mitchellh/gon</a> ) for this, which is open source golang, but I don’t think it supports mach-o embedding. I’ll have to try this tool out.
> There are probably thousands of companies and individuals who have wanted to release Apple software from non-macOS operating systems. (The existence and popularity of tools like fastlane seems to confirm this.)<p>I'm not sure the existence/popularity of fastlane supports the non-macOS operating systems argument since its primary purpose is as a wrapper around Apple's clunky/undocumented build and upload tools on macOS.
I have a customer that runs a dynamic analysis service. They add a library to the IPA and create a new one. They need to to sign it. It's automated on a Mac but they won't need a Mac anymore if they could run code signing on a Linux VM like the rest of their infrastructure. No more sending files and messages back and forth between the two environments. A huge win.
this feels like a job for lemur and smallstep<p><a href="https://smallstep.com/docs/step-ca" rel="nofollow">https://smallstep.com/docs/step-ca</a><p><a href="https://github.com/Netflix/lemur" rel="nofollow">https://github.com/Netflix/lemur</a>
Does this mean I can now develop iOS (iphone/ipad) apps, start to finish, without asking Apple's<p>permission _at any stage_, and then sideload these apps onto my personal iphone/ipad?<p>(assuming as mentioned elsewhere that I can develop such apps on linux, without needing MacOS)