Should I sign open source code myself?
Solution 1:
Ad-Hoc Code Signing
For third party applications and binaries that you compile yourself, and that require code signing, use an ad hoc code signature.
- I am assuming the application will not run without a signature;
- I am assuming the application will not be distributed;
- I am assuming you do not care about the identity of the signature being valid.
An ad-hoc signature does not provide reliable security benefits. It can be used to determine if the application has been changed and it can be used to apply security restrictions, such as entitlements, to an application.
An ad-hoc signature will validate against codesign
but not spctl
. This may or may not matter depending on the binary being signed. For applications and executables, this is unlikely to matter because spctl
is not run on locally created binaries.
Why Code Sign?
Regarding the refined question:
How I should handle unsigned source code that I compile myself, since I don't expect contributers to always be able to, or remember to, sign their code, especially when it comes to tiny contributions to open source projects with many contributers.
For most self compiled applications, there is no need for code signing. This assumes you trust the application's code. On macOS, you can open untrusted applications from the Finder, see Apple's Open an app from an unidentified developer.
If you do not trust the code or the developers, do not compile or run the application.
Your Responsibility
The provider of the source code has no responsibility or obligation to provide pre-built code signed binaries. Being self compiled, all code signing is your choice and responsibility.
Apple require submissions to their App Stores to be code signed.
Apple request developers outside their App Stores sign their code, but it is not yet required.
In both cases, only the final binaries are signed. The original source code and resources are not signed.
Source Code is Not Signed
Source code itself can not be code signed in a meaningful way for macOS. Source files and code can be digitally signed, as any other file can be, but this makes no impact on how the resulting application or binary is treated by macOS.
How to Ad-Hoc Code Sign a Mac Application
To codesign an application on macOS with an ad-hoc signature, set the identity -s
flag to -
:
codesign --force -s - </path/to/application>
All the other rules, requirements, and permutations of the codesign
command remain the same.
The flag --force
is used here to overwrite any existing signature.
You might need to add the --deep
flag to the codesign
command to sign sub-resources such as frameworks and embedded services.
Solution 2:
Signing the program yourself isn't ruining the purpose of code signing. The general purpose of code signing is to make it possible to verify that the program is an unmodified copy that was originally created by a specific entity (person or company). When you sign a program yourself only to run on your computer, you make it possible for the system to check that it is indeed you that created the binary, and that it hasn't been modified by others.
The qualitative difference between signing the application binary yourself, and just allowing apps from unidentified developers in GateKeeper is that in the former case you allow a single, specific app to run - whereas the latter, you open for the possibility that you can open lots of different apps just by right-clicking on them and choosing Open. I.e. it is more restrictive and thus somewhat more "secure" by signing the specific program yourself.
The responsibility of signing is entirely yours. The open source developer cannot sign the source code - it is only possible to sign the compiled binaries. As you're producing the compiled binaries yourself, it falls upon you to sign them.
You can sign up for a developer account on Apple's web site that will allow you to create a certificate that can be used for signing. If you're a developer and regularly compiling binaries to run on Macs this is the preferred way of doing things. If this is a one-off thing that you probably won't ever do again, it is probably overkill to go through this process. YMMV.
Other answers for your question here recommends that you use ad-hoc signing for your binary. That will not work. You will need to generate a valid signature in order to have the binary run with GateKeeper on its most secure setting.