Feature request: sign & notarize macOS binaries

[kenjenkins]

Is your feature request related to a problem? Please describe.

Attempting to download and run a macOS binary (e.g. from https://github.com/pomerium/cli/releases/download/v0.22.0/pomerium-cli-darwin-arm64.tar.gz) may result in an error like this:

Describe the solution you'd like

Let's make sure we understand and fulfill the code signing & notarization requirements for distributing macOS binaries.

Describe alternatives you've considered

For reasons I don't completely understand, I haven't seen this error when running a pomerium-cli binary distributed through Homebrew. We might want to better understand how this works.

Explain any additional use-cases

n/a

Additional context

We may be able to use https://github.com/mitchellh/gon to help automate the notarization process.

Other references:

• Signing your apps for Gatekeeper
• Notarizing macOS software before distribution

[kenjenkins]

I'm having a hard time finding the relevant documentation from Apple, but based on the README from https://github.com/mitchellh/gon it sounds like we would need to distribute macOS builds as either .pkg, .dmg, .app, or .zip in order to include a code signature (and apparently if we want to staple the notarization from Apple we can't use a .zip archive).

Of these I think a .pkg installer might be the most appropriate choice for a command-line utility, but it would require some additional decisions: at a minimum I think we need to choose an installation location (e.g. /usr/local/bin) and appropriate package identifier (e.g. com.pomerium.pkg.pomerium-cli). There may be additional configuration required.

[kenjenkins]

Some possibly helpful references about the .pkg format:

• https://vincent.bernat.ch/en/blog/2013-autoconf-osx-packaging
• http:https://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html
• https://stackoverflow.com/a/11487658