  1. Puppet Agent
  2. PA-519

All executables need code signing on Darwin

    Details

    • Type: Improvement
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: puppet-agent 1.5.2
    • Fix Version/s: None
    • Component/s: Build Automation
    • Labels:
      None
    • Environment:

      Darwin, all versions of macOS

    • Team:
      Security

      Description

      Along with PA-430, code signing for puppet, augparse, facter, and the vendored ruby (/opt/puppetlabs/puppet/bin/ruby) should be integrated into CI. Security products like Google's Santa, https://github.com/google/santa, would require whitelisting specific binary versions and would be blocked/flagged on every update. These can be signed with a Developer ID certificate for 3rd Party Mac Developers.

            People

            • Assignee:
              Eric Sorenson (eric.sorenson)
            • Reporter:
              Allister Banks (Allister)
            • Votes:
              1
            • Watchers:
              5