MacOS Notarization #273

Closed
Stebalien opened this issue Nov 11, 2019 · 7 comments
@Stebalien
Member

MacOS now requires binaries to be "notarized" (signed by Apple). To do this, we'll need to:

  1. Sign our apps (we're going to need build infrastructure to do this).
  2. Submit them to Apple.

@lidel
Member

lidel commented Jul 22, 2020

I believe this was blocked by:

  1. the task of creating an Org account and adding people to it
  2. figuring out a safe way of setting secrets in CI (Travis is a problem, but perhaps we could use CircleCI or a GitHub Action).

@olizilla @autonome @andyschwab I was a bit out of the loop (and I have no Mac), what's the current status?

@olizilla
Member

No one is working on adding Apple notarization for go-ipfs yet, but I can take it on. @andyschwab is working on wrangling the PL Apple account.

@andyschwab
Member

Update: Account is transferred, we have a few new admins, and Apple annual agreement renewals are now on the calendar. If anyone needs access to the PL Apple Developer account, just let me know.

@jacobheun

@olizilla it sounds like the Apple Developer account is set up, is there anything else blocking us from updating binaries ipfs-update? ipfs/ipfs-update#130

@lidel
Member

lidel commented Jul 6, 2021

We can't use scripts from ipfs-desktop because those are heavily oriented towards electron apps.
If we want to set up automation in this repo, a potential tool would be gon – if it is good enough for notarizing Terraform, it should be good enough for us.

@lidel
Member

lidel commented Jul 7, 2021

According to https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-universal-apps-release-notes Apple silicon makes signatures mandatory (even if it is self-signed for dev):

New in macOS 11 on Macs with Apple silicon, and starting in macOS Big Sur 11 beta 6, the operating system enforces that any executable must be signed before it’s allowed to run. There isn’t a specific identity requirement for this signature: a simple ad-hoc signature is sufficient. This new behavior doesn’t change the long-established policy that our users and developers can run arbitrary code on their Macs, and is designed to simplify the execution policies on Macs with Apple silicon and enable the system to better detect code modifications. This new policy doesn’t apply to translated x86 binaries running under Rosetta 2, nor does it apply to macOS 11 running on Intel-based platforms.

Workaround for now is to use amd64 binaries.
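
The Apple silicon rule quoted above can be checked on release artifacts from any CI host, without a Mac, by looking for the `LC_CODE_SIGNATURE` load command in each arm64 Mach-O slice. The following is an added example, not part of this thread or of the project's build scripts; the function names are hypothetical and the sample binaries are constructed. It only reports whether a signature is embedded, not whether it is valid or notarized.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF       # thin 64-bit Mach-O (little-endian on disk)
FAT_MAGIC = 0xCAFEBABE         # universal binary; fat header is big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D       # load command that points at the embedded signature

def thin_slice(data, base=0):
    """Return (cputype, has_signature) for the 64-bit Mach-O slice at `base`."""
    magic, cputype, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, base)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O slice")
    off = base + 32                      # load commands follow the 32-byte header
    end = off + sizeofcmds
    signed = False
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        signed = signed or cmd == LC_CODE_SIGNATURE
        off += cmdsize
    return cputype, signed

def slices(data):
    """List (cputype, has_signature) for each slice of a thin or universal file."""
    if struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return [thin_slice(data)]
    (nfat,) = struct.unpack_from(">I", data, 4)
    found = []
    for i in range(nfat):                # fat_arch: cputype, cpusubtype, offset, size, align
        offset = struct.unpack_from(">5I", data, 8 + 20 * i)[2]
        found.append(thin_slice(data, offset))
    return found

def blocked_on_apple_silicon(data):
    """True if any arm64 slice carries no signature at all (not even ad-hoc)."""
    return any(cpu == CPU_TYPE_ARM64 and not signed for cpu, signed in slices(data))

def fake_macho(cputype, signed):
    """Constructed sample: header and load commands only, no real code or signature."""
    cmds = struct.pack("<II16x", LC_UUID, 24)
    if signed:
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 1 + signed, len(cmds), 0, 0) + cmds
```

In a release job, `blocked_on_apple_silicon(open(path, "rb").read())` returning `True` for a darwin-arm64 artifact would be a reason to fail the build before publishing.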

@lidel
Member

lidel commented Aug 4, 2021

Closed by #367, all future releases built using our CI will be signed and notarized:
