|
|
|
|
|
|
by mkgeorge7
415 days ago
|
|
|
Question for the devs in here...something I've been thinking about a lot recently. So I see that OP linked out to a public github repo...but when downloading the actual bundle, what's a quick way for me to determine that what I'm installing on my mac is actually the same as what's in the public repo? It's always seemed like a loophole to me ready for (potential) exploitation. >> Ship project.
>> Link out Github repo on the static site somewhere
>> Gain trust instantly as users presume the public repo is what's used behind the scenes Disclaimer: I'm a web dev and don't know a single thing about native MacOS software |
|
|
I sign my binaries on macOS with Apple codesign and notarize - and with Microsoft's Azure trusted signing for Windows. Both operating systems will actually show you a lot of warning dialogs before running anything unsigned. It's far from perfect - but I do wish we'd get more into the habit of signing binaries, even if open source.