feat: phase 4 — codesigning, notarization, signed installers, SBOM #5

Open
opened 2026-05-15 04:53:52 +00:00 by hartle-tech · 0 comments
hartle-tech commented 2026-05-15 04:53:52 +00:00 (Migrated from github.com)

S01E14 — Trust The Sock

Make DumpSock distributable to non-developer users.

Scope

  • macOS: Developer ID Application cert from Apple Developer Program. Sign the `.app` with `codesign`, then notarize via `notarytool`, then staple. Result: drag-droppable from a downloaded `.dmg` without Gatekeeper warnings.
  • Windows: code-signing cert (EV preferred for SmartScreen reputation; standard works but warns until reputation builds). Sign `.exe` with `signtool` in the CI pipeline.
  • Linux: `.AppImage` packaging via `linuxdeploy` + signed via `gpg --detach-sign`. Also publish `.deb` and `.rpm` if time permits.
  • SBOM: `syft` produces SPDX/CycloneDX SBOMs for each binary; ship alongside the release artifacts.
  • SLSA provenance: GitHub Actions OIDC + cosign for provenance attestations. Future-proofing for supply-chain audits.

Cost / consent

  • Apple Developer Program: $99/yr (SACRED #2 — needs operator yes).
  • Windows code-signing cert: $200–$500/yr depending on vendor (operator yes).
  • Both costs are CI / release infra; not optional for a public release.

Acceptance

  • Tag `v0.1.0` triggers the matrix release pipeline.
  • macOS artifact is signed + notarized; `spctl --assess` reports OK.
  • Windows artifact is signed; `Get-AuthenticodeSignature` returns Valid.
  • Linux artifact is gpg-signed alongside its checksum.
  • SBOMs attached to the release.
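The Linux acceptance check above (gpg-signed artifact alongside its checksum) from the consumer's side, as an added example that is not code from this issue or from the dumpsock project: a POSIX shell script that first verifies the detached signature over the checksum file and pins it to a release-key fingerprint, and only then compares the AppImage's SHA-256 against the signed checksum file. File names (`DumpSock-x86_64.AppImage`, `SHA256SUMS`, `SHA256SUMS.asc`) and the fingerprint argument are assumptions.

```shell
#!/bin/sh
# Consumer-side verification of a DumpSock Linux release (added example).
# Assumed layout of the download directory (file names are assumptions):
#   DumpSock-x86_64.AppImage   the artifact
#   SHA256SUMS                 sha256sum-format checksum file
#   SHA256SUMS.asc             detached signature made with `gpg --detach-sign`
set -eu

# Pass only if the detached signature verifies AND was made by the pinned key.
# A bare `gpg --verify` exit status means "some key in my keyring signed this",
# so the VALIDSIG status line is matched against the expected fingerprint.
verify_signature() {
  sums=$1; sig=$2; fpr=$3
  gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
    | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Pass only if the artifact's SHA-256 equals the entry for its basename in the
# (already signature-verified) checksum file. Accepts both "hash  name" and
# "hash *name" (binary-mode) lines; fails if the name is absent from the file.
verify_checksum() {
  sums=$1; artifact=$2
  name=$(basename "$artifact")
  expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
  [ -n "$expected" ] || return 1
  actual=$(sha256sum "$artifact" | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}

# Full check for a download directory: signature first, then checksum.
# Usage: verify_release ./dist <RELEASE_KEY_FINGERPRINT>   (fingerprint is a placeholder)
verify_release() {
  dir=$1; fpr=$2
  verify_signature "$dir/SHA256SUMS" "$dir/SHA256SUMS.asc" "$fpr" \
    || { echo "signature check failed" >&2; return 1; }
  verify_checksum "$dir/SHA256SUMS" "$dir/DumpSock-x86_64.AppImage" \
    || { echo "checksum mismatch" >&2; return 1; }
  echo "release verified"
}
```

Order matters: the checksum file is only trustworthy after its signature has been verified against the pinned fingerprint, so `verify_release` never reaches the checksum step on a signature failure.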
Reference
hartle-tech/dumpsock#5