On Sun, Nov 17, 2013 at 09:15:58AM +0000, Georg Koppen wrote:
Erinn Clark:
I am at this point in favor of signing OSX packages with their codesigning but
How is this supposed to work with Gitian?
I don't see the problem. You can still verify the output of your Gitian build against the signed version. After all, signing an app just adds an LC_CODE_SIGNATURE load command plus associated data to your Mach-O files and a Contents/_CodeSignature/CodeResources for the resources to your app bundle. To verify you can simply remove both using command line tools and compare the signed version against the local Gitian build process output.
Cheers, Ralf