Showing posts from August, 2020

My opinions of code signing, notarising and the hardened runtime

I had a long rant/chat on Slack about what I've figured out about code signing and notarisation after many late nights. Someone pointed out I should make a blog post about my opinions for posterity; even if it's not 100% accurate (I'm sure it's not), hopefully it will be helpful for some tidbits.

...

The bundle has a standard structure: Contents holds the actual executable in MacOS, resources in Resources and helper service applications in XPCServices. The two services are the simduino plugin, which is basically a wrapper around simavr, and the build engine. The main app is codesigned in the standard way; "code signing" is a slight misnomer.

Carl 12:28 PM
“Code signing” is essentially the same process as signing a document or file using PGP or GNUPG: the cryptographic program has a certificate and private key pair, which are equivalent to a public/private key pair in RSA signing. It takes the document, makes a cryptographically secure hash