https://github.com/anchore/quill

Simple mac binary signing from any platform


Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (9.2%) to scientific vocabulary

Keywords

apple binary codesign codesigning darwin hacktoberfest mac macho notarization notarize signing

Keywords from Contributors

vulnerabilities container-image cyclonedx oci openvex static-analysis vex sequences embedded archival
Last synced: 5 months ago

Repository

Simple mac binary signing from any platform

Basic Info
  • Host: GitHub
  • Owner: anchore
  • License: apache-2.0
  • Language: Go
  • Default Branch: main
  • Homepage:
  • Size: 1010 KB
Statistics
  • Stars: 453
  • Watchers: 14
  • Forks: 16
  • Open Issues: 18
  • Releases: 7
Topics
apple binary codesign codesigning darwin hacktoberfest mac macho notarization notarize signing
Created about 4 years ago · Last pushed 6 months ago
Metadata Files
Readme Contributing License

README.md

Quill

Simple mac binary signing and notarization from any platform (replacing the codesign utility for simple use cases).


```bash
$ quill sign-and-notarize --p12 [path-to-p12] [path-to-unsigned-binary]
```

Installation

```bash
curl -sSfL https://get.anchore.io/quill | sudo sh -s -- -b /usr/local/bin
```

... or, you can specify a release version and destination directory for the installation (pin the version in CI so that release builds do not silently pick up a newer quill):

```bash
curl -sSfL https://get.anchore.io/quill | sudo sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
```

Usage

First you need the signing certificate issued by Apple together with its private key, bundled as a ".p12" file (on a mac this is what Keychain Access exports for the certificate).

```bash
# run on any platform to sign the binary
$ export QUILL_SIGN_P12=[path-to-p12]        # can also be base64 encoded contents instead of a file path
$ export QUILL_SIGN_PASSWOR1D=[p12-password]

$ quill sign [path/to/binary]
```

Note: The signing certificate must be issued by Apple and the full certificate chain must be available at signing time. See the section below on "Attaching the full certificate chain" if you do not wish to rely on the Apple intermediate and root certificates embedded into the Quill binary.

After signing you can notarize the binary against Apple's notary service:

```bash
$ export QUILL_NOTARY_KEY=[path-to-private-key-file-from-apple]   # can also be base64 encoded contents instead of a file path
$ export QUILL_NOTARY_KEY_ID=[apple-private-key-id]               # e.g. XS319FABCD
$ export QUILL_NOTARY_ISSUER=[apple-notary-issuer-id]             # e.g. a1234b5-1234-5f5d-b0c8-1234bedc5678

$ quill notarize [path/to/binary]
```

...or you can sign and notarize in one step:

```bash
$ quill sign-and-notarize [path/to/binary]
```

Here's an example of using quill with goreleaser:

```yaml
# .goreleaser.yml
builds:
  - binary: my-app
    goos:
      - darwin
    goarch:
      - amd64
      - arm64
    hooks:
      post:
        # The binary is signed and notarized when running a production release, but for snapshot builds notarization is
        # skipped and only ad-hoc signing is performed (no cryptographic material is needed).
        #
        # note: the environment variables required for signing and notarization are set in CI but are not needed for snapshot builds:
        # QUILL_SIGN_P12, QUILL_SIGN_PASSWORD, QUILL_NOTARY_KEY, QUILL_NOTARY_KEY_ID, QUILL_NOTARY_ISSUER
        - cmd: quill sign-and-notarize "{{ .Path }}" --dry-run={{ .IsSnapshot }} --ad-hoc={{ .IsSnapshot }} -vv
          env:
            - QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log
```

Attaching the full certificate chain

In order to pass notarization with Apple you must use:

  1. A signing certificate that is issued by Apple
  2. Have the full certificate chain available at signing time

Without the full chain, Apple will reject the notarization request with the following error:

```json
{
  "issues": [
    {
      "severity": "error",
      "code": null,
      "message": "The signature of the binary is invalid.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735"
    },
    {
      "severity": "error",
      "code": null,
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733"
    }
  ]
}
```

Quill can attach the full certificate chain at signing time with the Apple root and intermediate certificates embedded into the Quill binary (obtained from Apple directly). However, an alternative to this approach is to attach the full certificate chain to your P12 file:

```bash
# run on a mac if you want to use certs from your keychain.
# otherwise this will embed any matching Apple certs that are found within Quill into the P12 file.
$ export QUILL_P12_PASSWORD=[p12-password]

$ quill p12 attach-chain [path-to-p12-from-apple]

# a new P12 file was created with the suffix -with-chain.p12
```

At this point you can use quill p12 describe to confirm the full certificate chain is attached.
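The notarization failure above is ordinary X.509 path building: the notary can validate the leaf certificate only if every certificate between it and the trusted root travels with the signature. The Go program below is an added illustration and is not part of quill. It generates a throwaway root, intermediate and leaf at run time (constructed stand-ins for the Apple root, the Apple intermediate and your signing certificate; the subject names and the use of P-256 keys are assumptions), then shows the same leaf passing verification when the intermediate is attached and failing with an unknown-authority error when it is not. The same check, fed the certificates that `quill p12 describe` or `quill extract certificates` report, tells you before submission whether the chain is complete.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// chain is a throwaway three-tier PKI generated at run time (constructed test
// material): root -> intermediate -> code-signing leaf. It stands in for Apple's
// root, the Apple intermediate and the developer's signing certificate.
type chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func mustCert(tmpl, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newChain() chain {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Example Root CA (constructed)")
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := mustCert(ca(2, "Example Intermediate CA (constructed)"), root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Example Signing Leaf (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// verifyChain builds a path from leaf to root using only the certificates that
// were attached alongside the leaf; this is the check a notary service performs.
func verifyChain(leaf, root *x509.Certificate, attached []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range attached {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// chainIsComplete is the pre-submission check: true only if every link from the
// leaf up to the trusted root is present in the attached set.
func chainIsComplete(leaf, root *x509.Certificate, attached []*x509.Certificate) bool {
	return verifyChain(leaf, root, attached) == nil
}

func main() {
	c := newChain()
	fmt.Println("with intermediate attached:", chainIsComplete(c.Leaf, c.Root, []*x509.Certificate{c.Intermediate}))
	err := verifyChain(c.Leaf, c.Root, nil)
	var unknown x509.UnknownAuthorityError
	fmt.Printf("without intermediate: %v (unknown authority: %v)\n", err, errors.As(err, &unknown))
}
```

The root is the only certificate placed in the trusted pool; everything else must come from the attached set, which is exactly the position the notary is in when it sees your signature.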

Commands

  • sign [binary-file]: sign a mac executable binary
  • notarize [binary-file]: notarize a signed mac binary with Apple's Notary service
  • sign-and-notarize [binary-file]: sign and notarize a mac binary
  • submission list: list previous submissions to Apple's Notary service
  • submission logs [id]: fetch logs for an existing submission from Apple's Notary service
  • submission status [id]: check against Apple's Notary service to see the status of a notarization submission request
  • describe [binary-file]: show the details of a mac binary
  • extract certificates [binary-file]: extract certificates from a signed mac binary
  • p12 attach-chain [p12-file]: attach the full Apple certificate chain into a p12 file (run on a mac to take the chain from your keychain; elsewhere the Apple certificates embedded in Quill are used)
  • p12 describe [p12-file]: describe the contents of a p12 file
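The describe and extract certificates commands read what sign writes into the binary: LC_CODE_SIGNATURE points at a SuperBlob whose index lists a CodeDirectory (identifier, per-page hashes, and the cdhash that notarization tickets are keyed on) and a blob wrapper holding the CMS signature over that CodeDirectory, which is where the certificate chain is carried. The Go program below is an added example, not quill's own parser. It hand-assembles a minimal SuperBlob from constructed data (the identifier com.example.app, the page contents and the placeholder CMS payload are made up; the wrapper holds no real signature), then parses it, bounds-checking every offset and length because they come from an untrusted file. It handles SHA-256 CodeDirectories only and works on the SuperBlob bytes themselves; locating those bytes inside a Mach-O file is a separate step.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Values from Apple's cs_blobs.h; every multi-byte field in a signature is big-endian.
const (
	csMagicEmbeddedSignature = 0xfade0cc0 // SuperBlob that LC_CODE_SIGNATURE points at
	csMagicCodeDirectory     = 0xfade0c02
	csMagicBlobWrapper       = 0xfade0b01 // wraps the CMS (PKCS#7) signature and its certificates
	csSlotCodeDirectory      = 0
	csSlotSignature          = 0x10000
	csHashTypeSHA256         = 2
)

var be, errTruncated = binary.BigEndian, errors.New("code signature: truncated or out-of-bounds blob")

type Signature struct {
	Identifier string
	CDHash     []byte // SHA-256 of the CodeDirectory blob truncated to 20 bytes; notarization tickets are keyed on it
	CMS        []byte // DER payload of the blob wrapper; the signing certificate chain lives in here
}

// ParseSignature walks the SuperBlob index and decodes the CodeDirectory and CMS slots.
// Every offset and length is untrusted input and is bounds-checked before it is used.
func ParseSignature(b []byte) (Signature, error) {
	var sig Signature
	if len(b) < 12 || be.Uint32(b) != csMagicEmbeddedSignature {
		return sig, errors.New("code signature: missing or bad SuperBlob magic")
	}
	length, count := uint64(be.Uint32(b[4:])), uint64(be.Uint32(b[8:]))
	if length > uint64(len(b)) || 12+count*8 > length {
		return sig, errTruncated
	}
	blobs := map[uint32][]byte{} // slot -> whole blob, 8-byte magic/length header included
	for i := uint64(0); i < count; i++ {
		slot, off := be.Uint32(b[12+i*8:]), uint64(be.Uint32(b[16+i*8:]))
		if off+8 > length || be.Uint32(b[off+4:]) < 8 || off+uint64(be.Uint32(b[off+4:])) > length {
			return sig, errTruncated
		}
		blobs[slot] = b[off : off+uint64(be.Uint32(b[off+4:]))]
	}
	if err := parseCodeDirectory(blobs[csSlotCodeDirectory], &sig); err != nil {
		return sig, err
	}
	if w := blobs[csSlotSignature]; len(w) >= 8 && be.Uint32(w) == csMagicBlobWrapper {
		sig.CMS = w[8:]
	}
	return sig, nil
}

// parseCodeDirectory reads the 44-byte base header (version 0x20001; newer versions append
// fields after it) and the NUL-terminated identifier, then computes the cdhash. SHA-256 only.
func parseCodeDirectory(raw []byte, sig *Signature) error {
	if len(raw) < 44 || be.Uint32(raw) != csMagicCodeDirectory {
		return errors.New("code signature: CodeDirectory missing or malformed")
	}
	identOff, hashSize, hashType := uint64(be.Uint32(raw[20:])), raw[36], raw[37]
	if hashType != csHashTypeSHA256 || hashSize != sha256.Size {
		return fmt.Errorf("code signature: unsupported hash type %d", hashType)
	}
	if identOff >= uint64(len(raw)) || bytes.IndexByte(raw[identOff:], 0) < 0 {
		return errTruncated
	}
	sig.Identifier = string(raw[identOff:][:bytes.IndexByte(raw[identOff:], 0)])
	sum := sha256.Sum256(raw)
	sig.CDHash = sum[:20]
	return nil
}

// testPage stands in for the binary's first code page (constructed sample data).
var testPage = []byte("constructed page contents, not a real __TEXT segment")

// buildTestSuperBlob hand-assembles a minimal SuperBlob (constructed test data, not quill or
// codesign output): one CodeDirectory over testPage plus a wrapper with a placeholder payload.
func buildTestSuperBlob() []byte {
	ident, h := []byte("com.example.app\x00"), sha256.Sum256(testPage)
	identOff, hashOff := 44, 44+len(ident) // identifier right after the base header, then hash slot 0
	cd := make([]byte, hashOff+len(h))
	for i, v := range []uint32{csMagicCodeDirectory, uint32(len(cd)), 0x20001, 0, uint32(hashOff), uint32(identOff), 0, 1, uint32(len(testPage))} {
		be.PutUint32(cd[4*i:], v) // magic, length, version, flags, hashOffset, identOffset, nSpecialSlots, nCodeSlots, codeLimit
	}
	cd[36], cd[37], cd[39] = sha256.Size, csHashTypeSHA256, 12 // hashSize, hashType, log2(page size)
	copy(cd[identOff:], ident)
	copy(cd[hashOff:], h[:])
	wrap := append(make([]byte, 8), "placeholder, not a real CMS signature"...)
	be.PutUint32(wrap, csMagicBlobWrapper)
	be.PutUint32(wrap[4:], uint32(len(wrap)))
	sb := make([]byte, 28) // SuperBlob header (12 bytes) plus two 8-byte index entries
	for i, v := range []uint32{csMagicEmbeddedSignature, uint32(28 + len(cd) + len(wrap)), 2, csSlotCodeDirectory, 28, csSlotSignature, uint32(28 + len(cd))} {
		be.PutUint32(sb[4*i:], v) // magic, length, count, then (slot, offset) per index entry
	}
	return append(append(sb, cd...), wrap...)
}

func main() {
	sig, err := ParseSignature(buildTestSuperBlob())
	fmt.Printf("identifier=%s cdhash=%x cms=%d bytes err=%v\n", sig.Identifier, sig.CDHash, len(sig.CMS), err)
}
```

Because the cdhash covers the whole CodeDirectory blob, any change to the identifier or to a page hash produces a different cdhash, which is why a re-signed binary has to be notarized again rather than reusing an earlier ticket.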

Configuration

Search locations: .quill.yaml, quill.yaml, .quill/config.yaml, ~/.quill.yaml, ~/quill.yaml, $XDG_CONFIG_HOME/quill/config.yaml

```yaml
log:
  # suppress logging output (env var: "QUILL_LOG_QUIET")
  quiet: false

  # error, warn, info, debug, trace (env var: "QUILL_LOG_LEVEL")
  level: "info"

  # file to write all log entries to (env var: "QUILL_LOG_FILE")
  file: ""
```

Why make this?

The mac codesign utility is great, but it's not available on all platforms. For cross-platform toolchains like golang this can get painful in subtle ways. Goreleaser is a great "one-shot" release solution, but requiring a mac just for the signing step forces the rest of your build steps to work on a mac as well -- and since this is part of the release process, it needs to work in CI. This is a problem since, due to licensing reasons, the default mac runner for github actions cannot have docker installed by default. This means that you need to resort to installing docker on a mac in CI first before getting started, which can take upwards of 20 minutes.

Unlike docker, which inherently needs to run on a linux host (docker on a mac is a VM), there is nothing inherently mac-specific about signing a binary. This tool enables already cross-platform toolchains to run the signing step on any platform.

Owner

  • Name: Anchore, Inc.
  • Login: anchore
  • Kind: organization
  • Email: info@anchore.com

GitHub Events

Total
  • Create event: 77
  • Issues event: 12
  • Release event: 2
  • Watch event: 124
  • Delete event: 73
  • Issue comment event: 68
  • Push event: 80
  • Pull request review comment event: 1
  • Pull request review event: 96
  • Pull request event: 156
  • Fork event: 2
Last Year
  • Create event: 77
  • Issues event: 12
  • Release event: 2
  • Watch event: 124
  • Delete event: 73
  • Issue comment event: 68
  • Push event: 80
  • Pull request review comment event: 1
  • Pull request review event: 96
  • Pull request event: 156
  • Fork event: 2

Committers

Last synced: 9 months ago

All Time
  • Total Commits: 375
  • Total Committers: 10
  • Avg Commits per committer: 37.5
  • Development Distribution Score (DDS): 0.264
Past Year
  • Commits: 80
  • Committers: 7
  • Avg Commits per committer: 11.429
  • Development Distribution Score (DDS): 0.125
Top Committers
Name Email Commits
dependabot[bot] 4****] 276
Alex Goodman a****n@a****m 82
Keith Zantow k****w@g****m 4
Christopher Angelo Phillips 3****s 4
William Murphy w****y@a****m 3
Weston Steimel w****l@g****m 2
Timotej Ecimovic t1@d****m 1
Christophe Fergeau t****f@g****g 1
Carlos Alexandro Becker c****0 1
Alan Pope a****e@a****m 1

Issues and Pull Requests

Last synced: 6 months ago

All Time
  • Total issues: 26
  • Total pull requests: 305
  • Average time to close issues: about 2 months
  • Average time to close pull requests: 10 days
  • Total issue authors: 16
  • Total pull request authors: 8
  • Average comments per issue: 2.5
  • Average comments per pull request: 0.61
  • Merged pull requests: 154
  • Bot issues: 0
  • Bot pull requests: 267
Past Year
  • Issues: 7
  • Pull requests: 138
  • Average time to close issues: 16 days
  • Average time to close pull requests: 13 days
  • Issue authors: 6
  • Pull request authors: 8
  • Average comments per issue: 2.0
  • Average comments per pull request: 0.55
  • Merged pull requests: 77
  • Bot issues: 0
  • Bot pull requests: 122
Top Authors
Issue Authors
  • wagoodman (10)
  • dependabot[bot] (2)
  • caarlos0 (2)
  • cfergeau (1)
  • jaredallard (1)
  • gedw99 (1)
  • 0-wiz-0 (1)
  • jidckii (1)
  • BirknerAlex (1)
  • sheldonhull (1)
  • spiffcs (1)
  • NorseGaud (1)
  • boredcoder411 (1)
  • matthewmueller (1)
  • paralin (1)
Pull Request Authors
  • dependabot[bot] (512)
  • wagoodman (27)
  • kzantow (4)
  • westonsteimel (4)
  • spiffcs (4)
  • tecimovic (2)
  • popey (2)
  • willmurphyscode (1)
  • caarlos0 (1)
  • cfergeau (1)
Top Labels
Issue Labels
enhancement (12) bug (10) dependencies (2) question (2) changelog-ignore (1) help wanted (1) go (1) good first issue (1) needs-discussion (1) needs-investigation (1) github_actions (1) build (1)
Pull Request Labels
dependencies (512) go (409) github_actions (103) changelog-ignore (10) enhancement (4) bug (4) WIP (1)

Packages

  • Total packages: 1
  • Total downloads: unknown
  • Total dependent packages: 2
  • Total dependent repositories: 0
  • Total versions: 8
proxy.golang.org: github.com/anchore/quill
  • Versions: 8
  • Dependent Packages: 2
  • Dependent Repositories: 0
Rankings
Stargazers count: 2.8%
Average: 6.5%
Dependent packages count: 7.0%
Forks count: 7.0%
Dependent repos count: 9.3%
Last synced: 6 months ago

Dependencies

go.mod go
  • github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
  • github.com/adrg/xdg v0.2.1
  • github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8
  • github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb
  • github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef
  • github.com/atotto/clipboard v0.1.4
  • github.com/aws/aws-sdk-go v1.44.114
  • github.com/blacktop/go-macho v1.1.83
  • github.com/charmbracelet/bubbles v0.11.0
  • github.com/charmbracelet/bubbletea v0.22.1
  • github.com/charmbracelet/harmonica v0.2.0
  • github.com/charmbracelet/lipgloss v0.6.0
  • github.com/containerd/console v1.0.3
  • github.com/davecgh/go-spew v1.1.1
  • github.com/erikgeiser/promptkit v0.7.0
  • github.com/fsnotify/fsnotify v1.4.9
  • github.com/gabriel-vasile/mimetype v1.4.1
  • github.com/github/smimesign v0.2.0
  • github.com/gkampitakis/ciinfo v0.1.1
  • github.com/gkampitakis/go-diff v1.3.0
  • github.com/gkampitakis/go-snaps v0.4.0
  • github.com/go-openapi/errors v0.20.2
  • github.com/go-openapi/strfmt v0.21.3
  • github.com/go-restruct/restruct v1.2.0-alpha
  • github.com/golang-jwt/jwt/v4 v4.4.2
  • github.com/gookit/color v1.5.2
  • github.com/hashicorp/errwrap v1.0.0
  • github.com/hashicorp/go-multierror v1.1.0
  • github.com/hashicorp/hcl v1.0.0
  • github.com/iancoleman/strcase v0.2.0
  • github.com/inconshreveable/mousetrap v1.0.1
  • github.com/jedib0t/go-pretty v4.3.0+incompatible
  • github.com/jmespath/go-jmespath v0.4.0
  • github.com/klauspost/compress v1.15.11
  • github.com/kr/pretty v0.3.0
  • github.com/kr/text v0.2.0
  • github.com/lucasb-eyer/go-colorful v1.2.0
  • github.com/magiconair/properties v1.8.1
  • github.com/mattn/go-colorable v0.1.12
  • github.com/mattn/go-isatty v0.0.16
  • github.com/mattn/go-localereader v0.0.1
  • github.com/mattn/go-runewidth v0.0.14
  • github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
  • github.com/mitchellh/go-homedir v1.1.0
  • github.com/mitchellh/mapstructure v1.3.3
  • github.com/muesli/ansi v0.0.0-20211031195517-c9f0611b6c70
  • github.com/muesli/cancelreader v0.2.2
  • github.com/muesli/reflow v0.3.0
  • github.com/muesli/termenv v0.12.0
  • github.com/oklog/ulid v1.3.1
  • github.com/pelletier/go-toml v1.8.1
  • github.com/pkg/errors v0.9.1
  • github.com/pkg/profile v1.6.0
  • github.com/pmezard/go-difflib v1.0.0
  • github.com/rivo/uniseg v0.2.0
  • github.com/rogpeppe/go-internal v1.9.0
  • github.com/scylladb/go-set v1.0.2
  • github.com/sirupsen/logrus v1.8.1
  • github.com/smartystreets/assertions v1.0.0
  • github.com/spf13/afero v1.2.2
  • github.com/spf13/cast v1.3.1
  • github.com/spf13/cobra v1.6.0
  • github.com/spf13/jwalterweatherman v1.1.0
  • github.com/spf13/pflag v1.0.5
  • github.com/spf13/viper v1.7.0
  • github.com/stretchr/objx v0.4.0
  • github.com/stretchr/testify v1.8.0
  • github.com/subosito/gotenv v1.2.0
  • github.com/wagoodman/go-partybus v0.0.0-20210627031916-db1f5573bbc5
  • github.com/wagoodman/go-progress v0.0.0-20220614130704-4b1c25a33c7c
  • github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778
  • go.mongodb.org/mongo-driver v1.10.0
  • golang.org/x/crypto v0.0.0-20221012134737-56aed061732a
  • golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e
  • golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab
  • golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
  • golang.org/x/text v0.3.7
  • gopkg.in/ini.v1 v1.56.0
  • gopkg.in/yaml.v2 v2.4.0
  • gopkg.in/yaml.v3 v3.0.1
  • software.sslmate.com/src/go-pkcs12 v0.2.0
go.sum go
  • 420 dependencies
.github/workflows/release.yaml actions
  • actions/cache v3 composite
  • actions/checkout v3 composite
  • actions/setup-go v3 composite
  • actions/upload-artifact v3 composite
  • anchore/sbom-action v0 composite
  • fountainhead/action-wait-for-check v1.1.0 composite
.github/workflows/validations.yaml actions
  • actions/cache v3 composite
  • actions/checkout v3 composite
  • actions/download-artifact v2 composite
  • actions/setup-go v3 composite
  • actions/upload-artifact v3 composite
  • docker/setup-qemu-action v2 composite
.github/actions/bootstrap/action.yaml actions
  • actions/cache v3 composite
  • actions/setup-go v3 composite
.github/workflows/oss-project-board-add.yaml actions