github indygreg/PyOxidizer apple-codesign/0.14.0
Apple Codesign 0.14.0

2 years ago

This is the first GitHub release for apple-codesign / rcodesign with pre-built executables!

The macOS binary is self-signed using the new remote signing feature. The signing was initiated on GitHub Actions (https://github.com/indygreg/PyOxidizer/runs/6152561538?check_suite_focus=true) and signing was performed from the maintainer's Windows machine using a YubiKey.

The permalink for documentation for this release is https://pyoxidizer.readthedocs.io/en/apple-codesign-0.14.0/apple_codesign.html

  • Fixed a bug where symlinks weren't being written to notarization zip
    files properly. This prevented bundles containing symlinks from notarizing
    correctly.
  • The filename used in notarization uploads is now normalized to avoid
    rejection due to spaces and colons.
  • Support for remote signing. The feature is documented extensively in the
    Sphinx documentation. Essentially, 2 independent machines communicate with
    each other with end-to-end encrypted messages via a websocket bridged through
    a central server. Signing requests are sent to a remote machine which is in
    possession of the signing key. Signatures are made on the remote machine and
    transmitted back to the originating machine. Remote signing enables signing
    to be performed more securely by facilitating signing without having to give
    the initiating machine access to the signing key.
  • Default log output format has changed. Lines are no longer prefixed with the
    time, log level, or logging module by default. A -v/--verbose global flag
    has been added to increase the verbosity of logging. This can restore the
    printing of the prefixes. This crate uses
    env_logger (https://crates.io/crates/env_logger), so it is possible
    to customize default behavior via environment variables.
  • The possible values for the --code-signature-flags argument are now
    advertised in help output.
  • Written Mach-O files should now always have their filesystem permissions
    preserved. Before, we may not have preserved file permissions in all code
    paths writing Mach-O files.
  • A new keychain-print-certificates command can be used to print
    certificates available in macOS keychains.
  • Initial support for using macOS keychain certificates for code signing.
    Previously, we required that certificates be exported from keychain in
    order to sign. We now support signing using SecurityFramework APIs so
    keys don't have to leave the keychain. Due to a limitation in the Rust
    bindings to SecurityFramework, decryption using keychain keys is not
    supported. So the public key agreement method of remote code signing
    will not yet work with keychain-based keys. The new --keychain-domain
    and --keychain-fingerprint arguments can be used to specify how to
    search for and use keychain hosted keys.
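
For the symlink fix in the first item above, a pre-upload check that a bundle zip still carries its symlinks as symlink entries; this is an added example, not rcodesign's code and not a reproduction of its bug. It assumes the Unix zip convention (link target as the entry body, file mode in the upper 16 bits of the external attributes), and the function names and sample framework layout are constructed for illustration.

```python
import io
import stat
import zipfile

def add_symlink(zf, name, target):
    """Store a symlink the Unix way: body = link target, mode = S_IFLNK."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3  # 3 = Unix, so external_attr is read as st_mode
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    zf.writestr(info, target)

def add_file(zf, name, data, mode=0o644):
    """Store a regular file with an explicit Unix permission mode."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3
    info.external_attr = (stat.S_IFREG | mode) << 16
    zf.writestr(info, data)

def symlinks_in_zip(zf):
    """Return {entry name: link target} for every symlink entry."""
    links = {}
    for info in zf.infolist():
        mode = info.external_attr >> 16
        if info.create_system == 3 and stat.S_ISLNK(mode):
            links[info.filename] = zf.read(info).decode("utf-8")
    return links

def missing_symlinks(zf, expected):
    """Names that should be symlinks but are absent or stored as files."""
    found = symlinks_in_zip(zf)
    return sorted(name for name in expected if name not in found)

def build_sample(preserve_links):
    """Constructed sample: a tiny framework with a Versions/Current link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        add_file(zf, "My.framework/Versions/A/My", b"\xcf\xfa\xed\xfe", 0o755)
        if preserve_links:
            add_symlink(zf, "My.framework/Versions/Current", "A")
        else:
            # Assumed failure shape: a link-unaware archiver writes a file.
            add_file(zf, "My.framework/Versions/Current", b"A")
    buf.seek(0)
    return zipfile.ZipFile(buf)

if __name__ == "__main__":
    expected = ["My.framework/Versions/Current"]
    print("preserved:", missing_symlinks(build_sample(True), expected))
    print("flattened:", missing_symlinks(build_sample(False), expected))
```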
