Question for the devs in here... something I've been thinking about a lot recently. So I see that OP linked out to a public GitHub repo... but when downloading the actual bundle, what's a quick way for me to determine that what I'm installing on my Mac is actually the same as what's in the public repo? It's always seemed like a loophole to me, ready for (potential) exploitation.
>> Ship project. >> Link out to GitHub repo on the static site somewhere >> Gain trust instantly, as users presume the public repo is what's used behind the scenes
Disclaimer: I'm a web dev and don't know a single thing about native macOS software.
Yeah, reproducible builds would be fantastic.
I sign my binaries on macOS with Apple's codesign and notarize them, and with Microsoft's Azure Trusted Signing for Windows. Both operating systems will actually show you a lot of warning dialogs before running anything unsigned. It's far from perfect, but I do wish we'd get more into the habit of signing binaries, even if open source.
You don't; that is what reproducible builds are trying to solve, but even then it would still need someone to compile and check.