Puppet Agent / PA-519

All executables need code signing on Darwin


    Details

    • Type: Improvement
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: puppet-agent 1.5.2
    • Fix Version/s: None
    • Component/s: Build Automation
    • Labels:
      None
    • Environment:

      Darwin, all versions of macOS

    • Team:
      Security

      Description

      Along with PA-430, code signing for puppet, augparse, facter, and the vendored ruby (/opt/puppetlabs/puppet/bin/ruby) should be integrated into CI. Security products like Google's Santa, https://github.com/google/santa, would require whitelisting specific binary versions and would be blocked/flagged on every update. These can be signed with a Developer ID certificate for 3rd Party Mac Developers.
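
A CI gate of the kind the description asks for could look like the following. This is an added example, not part of the ticket or of Puppet's build automation. The team ID is passed in by the caller, the `CODESIGN` override is an assumption made so the check can be exercised off macOS, and only the ruby path comes from the ticket.

```shell
#!/bin/sh
# Added example: CI gate for Developer ID signatures on shipped binaries.
# CODESIGN can be overridden (assumption, for testing off macOS).
CODESIGN="${CODESIGN:-codesign}"

# check_signed PATH [TEAM_ID]
# 0 = valid Developer ID signature, 1 = unsigned or tampered,
# 2 = signed but not with Developer ID (e.g. ad hoc), 3 = unexpected team.
check_signed() {
    bin=$1
    want_team=${2:-}
    # --verify --strict: a signature exists and still matches the file on disk.
    if ! "$CODESIGN" --verify --strict "$bin" >/dev/null 2>&1; then
        echo "UNSIGNED_OR_INVALID $bin"
        return 1
    fi
    # -d --verbose=2 writes the certificate chain and team ID to stderr.
    info=$("$CODESIGN" -d --verbose=2 "$bin" 2>&1)
    if ! printf '%s\n' "$info" | grep -q '^Authority=Developer ID Application:'; then
        echo "NOT_DEVELOPER_ID $bin"
        return 2
    fi
    team=$(printf '%s\n' "$info" | sed -n 's/^TeamIdentifier=//p')
    if [ -n "$want_team" ] && [ "$team" != "$want_team" ]; then
        echo "WRONG_TEAM $bin (found $team)"
        return 3
    fi
    echo "OK $bin team=$team"
}

# audit_all TEAM_ID PATH...
# Checks every path and returns the number of binaries that failed.
audit_all() {
    want=$1
    shift
    failures=0
    for p in "$@"; do
        check_signed "$p" "$want" || failures=$((failures + 1))
    done
    return "$failures"
}

# Example: sh check-signing.sh <TEAM_ID> /opt/puppetlabs/puppet/bin/ruby
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

Run as a post-packaging step, a non-zero exit fails the build before an unsigned or ad hoc signed binary ships.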


            People

            Assignee:
            eric.sorenson Eric Sorenson
            Reporter:
            Allister Allister Banks
            Votes:
            1
            Watchers:
            5
