code signing for OS X

[edbordin]

On OS X, archives downloaded in the browser are marked with a "quarantine flag" which is transferred to all files when an archive is extracted https://discourse.brew.sh/t/code-signing-installed-executables/2131/12

The user will get a warning for every executable they try to run if this flag is set.

These are the solutions to avoid the warning that I'm aware of:

• Download with a CLI tool like wget
• Remove the flag from the archive before extracting with xattr -d com.apple.quarantine
• Manually allow each executable to run (annoying and probably impractical if changing builds frequently).
• Code-sign the executables, which should stop the warning appearing at all so long as the developer cert is valid.

I will leave this open for discussion. I'm inclined to say we don't need it but I am not the end user of this build so happy for others to chime in.

EDIT: This behaviour is not new in Catalina so I'm inclined to think users are used to it. But this can stay open for now in case somebody wants to make a case for signing the binaries.

edit 2: windows 10 actually behaves a similar way