Mac & Little Snitch Firewall: code sign warning

Hi,

I use Restic on a Mac against a Backblaze B2 repo. As a local firewall I use Little Snitch in alert mode. Restic is installed with Homebrew.

On first connection Little Snitch complains about the lack of a code signature of Restic and it regularly warns: “status: unsigned”.

Supposedly it is possible to do an ad-hoc code sign.

Questions:

  • Did anyone experience this issue and resolve it? If yes: how? (If no: just ignore :wink:)
  • Should & can this be resolved structurally by signing in the development pipeline?

Thanks in advance for any help

To sign an application with Apple you need to be enrolled as an active Apple Developer and pay the yearly fee to get your applications code signed. As the builds for the releases are not signed, you will get that warning.

Simple answer is: you can’t as of now. You have to work around that with a different configuration in LS.

Technically, yes. But:
I can’t speak for fd0 who makes the builds but I don’t think that this is gonna happen.
See other OSS projects like rclone or caddy. None of the builds are signed.

I suppose your main question was “Can we have release binaries signed” - I don’t see this happening quite frankly.

I bet the maintainer/s have some more or different words on this topic.


If it was free, I’d totally sign Caddy builds.

(We sign using our own PGP key, though, so you can still verify its integrity. See the download page to download the signatures.)

Good point!

In my original post I added a statement exactly like that, where I was saying “Most of the time releases come with a SHA hash, and you can use this to verify whether a binary has been altered”, but then it made me think: what if the binary is not altered when downloaded but afterwards, when it’s already installed? So I removed it, as I didn’t want to branch off of the initial question.

Nobody (big *) is gonna go through their binaries and check if the SHA still matches, right?
This is where LS comes into action as it can alert you if a binary has been altered or replaced.
Maybe Apple will come around and lower the bar for folks who want to develop for macOS and ideally get rid of or substantially lower the cost for the annual membership.
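The post-install integrity gap raised above (a hash verified at download time says nothing about a binary replaced later) can be closed with a recorded baseline that is re-checked periodically. The script below is an added example, not from the thread or the restic project; it assumes `sha256sum` (Linux) or `shasum -a 256` (macOS) is available, and the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: record a SHA-256 baseline for installed binaries at install
# time, then re-check them later so a binary altered or replaced after
# installation is noticed. Paths in the usage comment are illustrative.

set -u

# Print the SHA-256 of one file, portable across Linux and macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Write "<hash>  <path>" lines for every path given into the baseline file ($1).
record_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$baseline"
    done
}

# Compare every recorded binary against the baseline.
# Returns 0 if all still match, 1 if any file changed or disappeared.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        actual="$(sha256_of "$path")"
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "CHANGED  $path"; status=1
        fi
    done < "$baseline"
    return "$status"
}

# Example usage (adapt the path to the Homebrew prefix in use):
#   record_baseline "$HOME/.restic-baseline" /usr/local/bin/restic
#   verify_baseline "$HOME/.restic-baseline"
```

Re-record the baseline after each intentional upgrade, otherwise every `brew upgrade` will show as CHANGED.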

Indeed, similar to what @mholt does with Caddy, we’re signing our binaries and the source code with my personal GPG key on release. We (as a project) don’t have the resources to add signing for the different platforms (OS X, Windows, …) at the moment.

That helps. Thanks everyone. I will ask the Little Snitch people for a more unsigned-code-tolerant solution.